Privacy Policy

Effective date: May 15, 2026 · Last updated: May 15, 2026

This Privacy Policy explains how Releaseo (“Releaseo,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you visit https://releaseo.io, create an account, use the Releaseo dashboard, install or interact with the Releaseo SDK or widget, subscribe to a plan, contact support, or otherwise use our services.

Releaseo is a B2B SaaS product for release communication. It helps teams publish changelogs, announcements, roadmap updates, feature requests, feedback boards, and in-app update widgets.

0. Controller / business

The data controller (or “business,” depending on jurisdiction) responsible for processing personal information described in this Policy is the Releaseo operator. For corporate identification, current place of establishment, or registered address, contact [email protected].

• General contact: [email protected]
• Privacy requests: [email protected]
• Security incidents: [email protected]

When Releaseo processes end-user data submitted by a customer through the dashboard, SDK, widget, API, feedback boards, feature requests, roadmap pages, changelog pages, or similar product surfaces, Releaseo acts as a processor / service provider on behalf of that customer. The customer is the controller / business for that data.

1. Scope

This Privacy Policy applies to Releaseo’s website, dashboard, hosted product pages, documentation, SDK, widget, APIs, email communications, billing flows, support channels, and related services (together, the “Service”).

If you use Releaseo on behalf of an organization, your organization decides what customer, user, and product data it submits to Releaseo and is responsible for giving any required privacy notices to its own users. If you interact with a Releaseo widget or board installed by one of our customers, that customer is generally the controller/business for your information, and we process that information on the customer’s behalf.

2. Our role

For account, billing, website, security, support, and direct communications data, Releaseo acts as the controller / business that determines how and why that information is processed.

For end-user data that a customer submits to Releaseo through the dashboard, SDK, widget, API, feedback boards, feature requests, roadmap pages, changelog pages, or similar product surfaces, Releaseo acts as a processor / service provider under the customer’s instructions, in accordance with the customer agreement, our Data Processing Agreement, and applicable law.

3. Information we collect

The categories of information we may collect include:

• Account information — name, business email, password-related authentication data, organization or workspace name, role, permissions, account status, login metadata.
• Contact and support information — messages you send us, support content, attachments you choose to provide, contact preferences, related correspondence.
• Billing and subscription information — plan, billing status, checkout details, invoice records, tax details, transaction references, payment-provider customer identifiers, subscription history. We do not store full payment card numbers; that data is handled by Paddle (our Merchant of Record).
• Product usage information — dashboard activity, page views, feature usage, changelog and announcement activity, roadmap interactions, feature request actions, feedback board activity, widget opens, unread counts, timestamps, diagnostic events, and similar operational data.
• SDK and widget information — publish keys, project identifiers, widget configuration, language, theme, browser and device details, technical identifiers, end-user identifiers supplied by the customer, optional traits or metadata the customer chooses to send through the SDK.
• Customer content — changelog posts, announcements, roadmap items, feedback, comments, votes, labels, internal notes, widget copy, configuration, and other content submitted by customers or their authorized users.
• Technical and security information — IP address, browser type, operating system, device information, approximate location derived from IP address, server logs, error logs, authentication events, audit events, security signals.
• Website interaction information — pages visited, referring URLs, form submissions, cookie or local-storage identifiers, performance and diagnostics data.

3.1 Sensitive personal data

We do not ask for and request that you do not submit sensitive or special-category personal data unless we have agreed in writing that the Service may be used for it. This includes (without limitation):

• racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership (GDPR Art. 9);
• genetic data, biometric data for unique identification, health data, data concerning a person’s sex life or sexual orientation (GDPR Art. 9);
• regulated health data (HIPAA PHI), payment card data (PCI-DSS scope), government identification numbers (SSN, passport, national ID), financial account credentials;
• precise geolocation; children’s personal data.

If you accidentally submit such data, contact [email protected] so we can help remove it.

4. Information from customers and end users

Releaseo customers may use the SDK, widget, API, or dashboard to submit information about their own users. Depending on the customer’s configuration, this may include a user ID, email address, name, organization, role, locale, segment traits, feedback, votes, comments, and product-event metadata.

Customers decide what information to send to Releaseo. Customers are responsible for:

• giving their users any required privacy notices;
• obtaining any required permissions or consents;
• ensuring the information they submit is lawful, accurate, and appropriate for Releaseo;
• configuring the SDK and widget in a way that matches their own privacy obligations.

If you are an end user of a Releaseo customer and want to exercise privacy rights over information controlled by that customer, contact that customer directly. We will support our customers in responding to valid requests as required by our agreements and applicable law, typically within 30 days of receipt.

5. Billing and payments

Payments are processed by Paddle.com, our Merchant of Record. Paddle may collect and process payment details, billing address, tax information, transaction data, fraud-prevention information, and payment-method details under its own terms and privacy notice (see https://www.paddle.com/legal/privacy).

Releaseo receives the subset of billing and subscription information needed to manage your account, confirm payment status, provide invoices/receipts, handle support, comply with tax and accounting obligations, and enforce our Terms of Service.

6. Cookies, local storage, and similar technologies

We use cookies, local storage, SDK storage, and similar technologies to:

• keep users signed in (strictly necessary);
• remember preferences such as locale or interface state (functional);
• operate the Releaseo widget and unread update indicators (strictly necessary for widget functions);
• route traffic, prevent abuse, and protect accounts (strictly necessary / legitimate interests);
• understand aggregate website and product usage (analytics — consent required in EU/UK);
• measure performance and diagnose errors (functional / legitimate interests);
• support checkout, billing, and customer support (strictly necessary).

In jurisdictions that require it (EU, UK, Switzerland, and similar), we ask for prior consent before setting non-essential cookies through a consent banner. You can change your preferences any time via the in-page “Cookie preferences” link in the footer (where available) or your browser settings. Disabling necessary cookies may prevent parts of the Service from working.

7. How we use information and legal bases

We use information for the purposes below. For users in regions that require a legal basis (EEA, UK, Switzerland, Brazil, Quebec, etc.), the basis is shown next to each purpose.

You may withdraw consent or object to processing based on legitimate interests at any time by contacting [email protected] (see Section 14).

7.1 No AI / ML training on customer data

Releaseo does not train, fine-tune, or improve any AI or machine-learning model (whether ours or any third party’s) using Customer Content, end-user data submitted through the SDK/widget/API, or other customer-identifiable information. We may use aggregated and de-identified service metrics for product analytics and capacity planning, but never for model training on identifiable data.

8. How we share information

We share information with:

• Service providers and subprocessors — that host, secure, monitor, support, bill, email, analyze, or operate Releaseo. We require subprocessors to maintain confidentiality and protection at least equivalent to ours. A current list is available on request at [email protected]. We will give reasonable advance notice of new subprocessors to customers who have subscribed to receive it.
• Payment and billing providers — Paddle (Merchant of Record) and any backup provider shown at checkout.
• Customer administrators — who manage an organization, workspace, project, or account in Releaseo.
• Third-party integrations — that you or your organization choose to enable (you control these).
• Professional advisers — lawyers, accountants, auditors, insurers, consultants, bound by confidentiality.
• Authorities, courts, regulators, or law enforcement — when required by law, court order, or valid legal process, or when disclosure is necessary to protect rights, safety, security, or prevent abuse. We push back on overbroad requests and inform affected customers where legally permitted.
• Successors in a business transaction — such as a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality protections and an obligation on the successor to honor this Privacy Policy or provide reasonable notice of changes.

We do not sell personal information for money. We do not knowingly share personal information for cross-context behavioral advertising or targeted advertising. If our practices change in a way that requires an opt-out right under applicable law, we will update this Policy and provide the required controls.

9. Customer data

Customers retain control over customer content and customer-controlled end-user data submitted to Releaseo. We use customer data to provide the Service, including to host and publish updates, display widget content, collect feedback, count votes, maintain product boards, route notifications, provide support, prevent abuse, and maintain security.

We may use aggregated or de-identified data derived from Service usage to understand product performance, improve Releaseo, and report general trends, provided that the data does not identify a customer, account, end user, or individual.

10. Data retention

We retain information for as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, prevent abuse, and maintain backups. Specific retention periods are listed below (subject to longer retention where required by law or where data is anonymized):

You may request deletion of certain account information by contacting [email protected]. If your information is controlled by a Releaseo customer, we may direct your request to that customer.

11. Security

We use reasonable administrative, technical, and organizational measures designed to protect information from unauthorized access, loss, misuse, alteration, disclosure, or destruction. These include access controls, MFA where supported, role-based permissions, logging and monitoring, encryption in transit (TLS) and at rest where applicable, least-privilege access, vendor due diligence, secure software-development practices, and incident-response procedures.

11.1 Data breach notification

If we become aware of a personal data breach (as defined under GDPR Art. 4(12) or equivalent law) that is likely to result in a risk to affected individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with applicable law. We will notify affected customers without undue delay so they can fulfill their own notification obligations to end users.

No online service can guarantee complete security. You are responsible for protecting your credentials and configuring access for your organization responsibly.

12. International transfers and regional data infrastructure

Releaseo is a global service. We operate regional data infrastructure where practical so that data can be processed closer to the originating region; the active regions and routing details can be confirmed on request at [email protected].

Releaseo and our service providers may process information in countries other than where you are located, including the United States and other jurisdictions where our providers operate. Those countries may have data-protection laws that differ from your jurisdiction.

Where required, we rely on appropriate safeguards for international transfers, including:

• EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers from the European Economic Area;
• UK International Data Transfer Addendum / IDTA (and the UK Addendum to the EU SCCs) for transfers from the United Kingdom;
• Swiss FDPIC-approved Standard Contractual Clauses for transfers from Switzerland;
• the EU–US Data Privacy Framework, the UK Extension to the DPF, and the Swiss–US Data Privacy Framework where applicable;
• other transfer mechanisms approved by applicable law (such as binding corporate rules, derogations under Art. 49, or adequacy decisions).

Copies of relevant safeguards are available on request at [email protected].

13. Automated decision-making and profiling

Releaseo does not make decisions about you based solely on automated processing (including profiling) that produce legal or similarly significant effects, within the meaning of GDPR Art. 22, UK GDPR Art. 22, LGPD Art. 20, or Quebec Law 25.

We may use automated tools for abuse detection, rate limiting, and security; these tools support human review and do not produce legal-effect decisions on individuals.

14. Privacy rights

Depending on where you live and subject to applicable law, you may have rights to:

• access personal information we hold about you;
• correct inaccurate or incomplete personal information;
• delete certain personal information (“right to be forgotten”);
• restrict or object to certain processing (including processing based on legitimate interests);
• request a portable copy in a structured, machine-readable format;
• withdraw consent where processing is based on consent (without affecting prior lawful processing);
• opt out of sale, sharing, targeted advertising, automated decision-making, or profiling (where applicable);
• appeal a decision about a privacy request (where applicable, e.g., in some U.S. states);
• lodge a complaint with the relevant supervisory authority or regulator.

To exercise a right, email [email protected]. We may need to verify your identity, authority, account relationship, or organization membership before responding. We will respond within timeframes required by applicable law (typically 30 days, extendable in complex cases). We will not discriminate against you for exercising privacy rights.

If you are an end user of a Releaseo customer, please contact that customer first. We may forward your request to the customer or assist the customer in responding, depending on our role and applicable law.

15. U.S. state privacy disclosures (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, FDBR, OCPA, and similar)

Some U.S. state privacy laws (including California, Virginia, Colorado, Connecticut, Utah, Florida, Oregon, and others) require additional disclosures. The categories of personal information we collect are described in Section 3. Purposes are in Section 7. Recipients are in Section 8. Retention criteria are in Section 10. Rights are in Section 14.

Releaseo does not “sell” personal information for monetary consideration and does not “share” personal information for cross-context behavioral advertising as those terms are defined under California law. We do not knowingly collect, sell, or share personal information of consumers under 16.

15.1 Global Privacy Control (GPC) and opt-out signals

We honor recognized opt-out preference signals (such as the Global Privacy Control) where required by applicable law as a valid request to opt out of sale/sharing in the contexts where such opt-outs apply to Releaseo.

15.2 California “Shine the Light”

California residents may request a list of the categories of personal information disclosed to third parties for those third parties’ direct marketing purposes during the prior calendar year. To request, email [email protected].

16. EEA, UK, Swiss, and similar-region disclosures

For individuals in the European Economic Area, United Kingdom, Switzerland, and similar jurisdictions, this Policy provides the information required under GDPR Articles 13–14, UK GDPR, and the Swiss FADP about our identity, contact details, categories of data, purposes, legal bases, recipients, retention, international transfers, and your rights.

Representatives under Art. 27 GDPR / Art. 27 UK GDPR. Releaseo is not currently established in the European Union or the United Kingdom. Where our processing activities trigger the requirement to appoint a Representative under Art. 27 GDPR or Art. 27 UK GDPR (for example, regular and large-scale offering of goods or services to, or monitoring of, data subjects in those regions), we will appoint a Representative and update this Policy. In the meantime, EU and UK data subjects may contact us directly at [email protected] to exercise their rights.

Data Protection Officer. A formal Data Protection Officer is not currently appointed. For all data-protection inquiries, contact [email protected].

You may also complain to your local data-protection authority (for example, your national DPA, the UK ICO, the Swiss FDPIC, or, in the EU, the authority of the member state where you live or work or where the alleged infringement occurred).

When we process customer-controlled end-user data as a processor, the Releaseo customer is generally responsible for determining the legal basis and responding to end-user rights requests; we will assist where required by law and our DPA.

17. Brazil (LGPD), Canada (PIPEDA / Quebec Law 25), and other regional disclosures

• Brazil (LGPD) — You may request access, correction, anonymization, blocking, deletion, portability, information about sharing, and revocation of consent. Email [email protected]. A formal LGPD representative will be appointed if and when our processing activities require one; in the meantime, contact us directly.
• Canada (PIPEDA & Quebec Law 25) — You may request access, correction, and information about processing of your personal information. Quebec residents may also exercise rights to data portability and may object to automated decision-making. Email [email protected].
• Australia, New Zealand, Japan, South Korea, and other regions — We comply with applicable local privacy laws. Contact [email protected] for any regional rights request.

18. Children

The Service is intended for business use and is not directed to children under 16 (or the age set by your local law, including 13 under the U.S. Children’s Online Privacy Protection Act). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact [email protected] so we can take appropriate action.

19. Marketing communications

We may send service, security, and product-update notices to business contacts in our customer accounts. These are necessary for the operation of the Service and cannot be opted out of while you maintain an account.

Promotional emails (e.g., newsletters) always include an unsubscribe link and you can also email [email protected] to opt out. Unsubscribing from marketing emails does not stop transactional or account-related emails.

20. Subprocessors

We use subprocessors to operate the Service (hosting, email, analytics, payment processing, customer support tools, monitoring, error tracking, etc.). A current list of subprocessors, including their location and category, is available on request from [email protected].

Customers under a signed DPA may subscribe to advance notice of new subprocessors and may object on reasonable data-protection grounds in accordance with the DPA.

21. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If a change is material, we will provide reasonable advance notice — typically at least 30 days — by posting an updated version with a new “Last updated” date, by email to the account administrator, or by in-product notice. Non-material changes (typos, formatting, clarifications) take effect when posted.

We keep a list of historical versions available on request.

22. Contact

For questions about this Privacy Policy, privacy requests, data-protection matters, or security incidents:

Releaseo

• General contact: [email protected]
• Website: https://releaseo.io

Corporate identification and registered address are available on request via [email protected]. An EU/UK Representative will be appointed and listed here if and when our processing activities trigger the requirement under Art. 27 GDPR / UK GDPR.