Privacy Policy

Effective date: January 15, 2025 · Last updated: January 15, 2025

This Privacy Policy describes how GameSHLF LLC ("we," "us," or "our") collects, uses, and shares information about you when you use Patch Notes (the "Service"). Please read it carefully.

1. Overview

Patch Notes is a developer utility operated by GameSHLF LLC that connects to GitHub repositories, retrieves commit history, and generates formatted release notes for iOS App Store, Google Play, and web/markdown distribution. We take privacy seriously and have designed the Service with a minimal data footprint in mind.

This policy applies to all information collected through our website at https://usepatchnotes.com, our web application, and any related services. It does not apply to third-party services we integrate with (GitHub, OpenAI, Stripe), which have their own privacy policies.

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

Account Information

When you register for an account, we collect:

  • Email address (used for authentication and transactional communications)
  • Password (stored as a salted hash — we never store your plaintext password)
  • Account creation timestamp and last login metadata

Repository & Commit Data

When you use the Service to generate release notes, we temporarily access and process:

  • Repository metadata (name, owner, default branch, available tags and branches)
  • Commit messages and pull request titles within your selected range
  • Commit SHAs and associated timestamps

This data is used solely to generate your release notes and is not retained beyond what is necessary to populate your release history. We do not index, analyze, or build profiles from your repository content.

Generated Release Notes

Release notes you generate are stored in your account history so you can access, view, and delete them. If you enable the public changelog feature, the generated notes become publicly accessible at your designated URL.

Usage & Technical Data

We collect limited technical data to operate and improve the Service:

  • Release credit usage counts (number of generations performed)
  • Subscription tier and billing status (managed via Stripe)
  • Browser type, operating system, and general geographic region (country-level) via server logs
  • Feature interaction events (e.g., which tabs are used most) collected in anonymized, aggregated form

We do not use third-party behavioral tracking scripts (e.g., full-session recording tools) on the Service dashboard.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing, maintaining, and improving the Service — including authenticating you, processing API requests, and rendering your release notes
  • Billing and subscription management — processing payments, tracking credits, and communicating billing events via Stripe
  • Transactional communications — sending account confirmation emails, password resets, and billing receipts
  • Service notifications — informing you of material changes to pricing, terms, or the product via email
  • Security and fraud prevention — detecting abuse, enforcing rate limits, and protecting the integrity of the Service
  • Aggregate analytics — understanding usage patterns at a macro level to prioritize product improvements (no individual profiling)
  • Legal compliance — meeting our obligations under applicable law, court orders, or regulatory requests

We do not use your data for advertising purposes. We do not sell, rent, or broker your personal information to data brokers, advertisers, or marketing platforms.

4. GitHub Data & Credentials

Your GitHub Personal Access Token is the most sensitive piece of data you share with us. Here is exactly how we handle it:

  • Storage: Your PAT is encrypted using AES-256-GCM before being written to our database. The encryption key is stored separately from the encrypted data.
  • Access: The token is only decrypted in server memory at the moment a GitHub API call is made on your behalf. It is never written to logs, never included in error messages, and never exposed to the client-side application.
  • Scope: We recommend — and the UI instructs — that your PAT be granted only the minimum permissions required (read access to repository contents and metadata).
  • Deletion: You can delete your stored PAT at any time from your dashboard. Upon deletion, the encrypted record is permanently removed from our database within 24 hours.
  • No third-party sharing: Your PAT is never shared with, transmitted to, or accessible by any third party other than GitHub's own API endpoints.

Repository content (commit messages, PR titles) accessed via your PAT is used only to generate your requested release notes. We do not store raw commit data beyond the content of the release notes themselves.

Patch Notes is an independent tool and is not affiliated with, endorsed by, or sponsored by GitHub, Inc. Your use of the GitHub API through our Service remains subject to GitHub's own Terms of Service and Acceptable Use Policy.

5. AI Processing (OpenAI)

When you click the Generate button, commit messages and pull request titles from your selected range are transmitted to OpenAI's API for summarization and formatting. This is necessary to produce human-readable, platform-appropriate release notes.

Regarding this data transfer to OpenAI:

  • Only the commit messages and PR titles you select are sent — not your PAT, account credentials, or any other personal information
  • We use OpenAI's API under a usage agreement that prohibits OpenAI from using API-submitted data to train their models
  • Data transmitted to OpenAI is subject to OpenAI's own Privacy Policy (openai.com/privacy)
  • We do not retain OpenAI's raw API responses beyond the time needed to render and store your release notes
  • If you are working with a repository that contains sensitive commit messages (e.g., internal security patches), you should be aware that those messages will be transmitted to OpenAI

By using the Generate feature, you consent to the transfer of commit data to OpenAI as described above. If you do not consent, you should not use the Generate feature.

6. Sharing & Disclosure

Service Providers

We share data with a limited set of service providers who help us operate the Service. Each provider receives only the data necessary for their specific function:

  • Supabase — database storage, authentication, and file storage (SOC 2 Type II certified infrastructure)
  • Stripe, Inc. — payment processing and subscription management (PCI-DSS compliant)
  • OpenAI — AI summarization of commit data (see Section 5)
  • Vercel — hosting and edge delivery of the web application

Legal Requirements

We may disclose your information if we believe in good faith that doing so is required to:

  • Comply with a valid legal obligation, court order, or government request
  • Enforce our Terms of Service or protect the rights, property, or safety of GameSHLF LLC, our users, or the public
  • Detect, prevent, or address fraud, security, or technical issues

Business Transfers

If GameSHLF LLC is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

No Sale of Data

We do not sell, rent, trade, or otherwise transfer your personal information to third parties for their own commercial or marketing purposes. This applies without exception.

7. Data Storage & Security

Your data is stored on Supabase's infrastructure, which is hosted on AWS in the United States. Supabase maintains SOC 2 Type II compliance and implements industry-standard security controls including encryption in transit (TLS 1.2+) and encryption at rest.

Additional security measures we employ:

  • GitHub PATs are encrypted with AES-256-GCM before database storage
  • All Service communications are transmitted over HTTPS/TLS
  • Database access is restricted via row-level security (RLS) policies — you can only read your own data
  • Authentication is handled through Supabase Auth with industry-standard session management
  • We do not store full payment card numbers — Stripe handles all payment data
  • Administrative access to production systems is limited to authorized personnel only

No method of transmission over the internet or electronic storage is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at support@gameshlf.com.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data (email, preferences): retained until account deletion
  • Generated release notes: retained until you delete them individually or delete your account
  • GitHub PAT: retained until you delete it from your dashboard or delete your account
  • Billing records: retained for 7 years as required by financial record-keeping regulations
  • Server access logs: retained for 90 days, then automatically purged
  • Anonymized aggregate usage statistics: retained indefinitely (no personal information)

When you delete your account, we will permanently delete or anonymize your personal information within 30 days, except where retention is required by law (e.g., billing records).

9. Your Rights & Choices

Depending on your location, you may have the following rights with respect to your personal information:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request correction of inaccurate or incomplete personal information
  • Deletion — Request deletion of your personal information (subject to legal retention obligations)
  • Portability — Request a machine-readable export of your data in a common format
  • Objection — Object to or restrict our processing of your personal information in certain circumstances
  • Withdrawal of consent — Where processing is based on consent, withdraw that consent at any time without affecting prior processing

To exercise any of these rights, contact us at support@gameshlf.com with the subject line "Privacy Request" and include the email address associated with your account. We will respond within 30 days.

California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To submit a verifiable consumer request, contact us at the email above.

EEA / UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, our legal basis for processing your personal information is: (a) performance of a contract when providing the Service to you; (b) compliance with a legal obligation; (c) your consent where explicitly requested; and (d) our legitimate interests in operating and improving the Service, where those interests are not overridden by your rights.

You also have the right to lodge a complaint with your local data protection supervisory authority.

10. Cookies & Tracking

We use a minimal set of cookies necessary to operate the Service:

  • Session cookies — Used by Supabase Auth to maintain your authenticated session. These are strictly necessary and cannot be disabled without breaking authentication.
  • Preference cookies — Used to remember UI preferences (e.g., theme selection) across sessions.

We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral analytics cookies (e.g., Google Analytics, Facebook Pixel). There is no cookie consent banner because we only use strictly necessary and functional cookies.

You can control cookies through your browser settings. Note that disabling session cookies will prevent you from logging in to the Service.

11. Children's Privacy

The Service is intended for use by developers and is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages.

If you believe we have inadvertently collected personal information from a child under the applicable age, please contact us immediately at support@gameshlf.com and we will take steps to delete that information promptly.

12. International Transfers

GameSHLF LLC is based in the United States, and your data is stored on infrastructure located primarily in the United States. If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.

For users in the EEA or UK, such transfers are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable, as implemented by our sub-processors (including Supabase and OpenAI) in accordance with GDPR Chapter V requirements.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

  • Updating the 'Last updated' date at the top of this page
  • Sending an email notification to the address associated with your account
  • Displaying a notice within the Service dashboard

We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the Service and may request account deletion.

14. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

GameSHLF LLC

Product: Patch Notes

Website: https://usepatchnotes.com

Email: support@gameshlf.com

For account deletion or data removal requests, email the above address with the subject line "Account Deletion Request" and include the email address associated with your account. We will process your request within 30 days.

For privacy-specific inquiries (e.g., data access requests, GDPR/CCPA rights), use the subject line "Privacy Request" so we can route your message appropriately.
