Privacy Policy

This Privacy Policy explains how ZenCore Digital LLC ("we", "us") collects, uses, and protects your personal information when you use Bumplog (the "Service"). We keep this short and concrete — if anything here is unclear, email us at privacy@bumplog.com.

1. Information We Collect

Account information. When you sign in with GitHub, we receive your GitHub username, display name, email address, avatar URL, and a GitHub OAuth access token (used to read repository commits and pull requests on your behalf when you request a release note generation).

Content you create. Project metadata, changelog entries, branding settings, widget configuration, and any other data you enter into the Service.

Repository data. When you click "Generate with AI", we fetch recent commits and merged pull requests from the GitHub repository you connected, using your OAuth token. This data is stored alongside the resulting draft entry so you can review the source material.

Usage data. Basic analytics about how you use the Service, including page views, feature usage, and error logs. Our widget and public changelog pages may record anonymous visitor fingerprints (a hash of IP + user-agent) for deduplication of reactions — we do not store raw IPs or personally identifiable visitor data.

Payment data. When you subscribe to a paid plan, our merchant-of-record payment processor collects and stores your payment details directly. We receive transaction metadata (plan, amount, status) but never see or store your full card number.

2. How We Use Information

We use your information to:

• Provide, operate, and maintain the Service.
• Generate AI-assisted release note drafts from your repository data.
• Process subscriptions and send transactional emails (receipts, account notices, published-entry notifications).
• Respond to support requests and communicate with you about the Service.
• Detect, prevent, and address fraud, abuse, and security issues.
• Comply with legal obligations.

We do not sell your personal information. We do not use your content or repository data to train AI models.

3. Third-Party Service Providers

We use the following providers to operate the Service. Each processes data only on our behalf and under a data-processing agreement:

• Cloudflare — hosting, edge delivery, Workers AI inference, and DNS.
• Supabase — database, authentication, and session storage.
• GitHub — OAuth sign-in and repository data fetching (with your authorization).
• Paddle and/or Polar — merchant-of-record payment processing.
• Resend — transactional and notification email delivery.

4. Data Retention

We retain your account information and content for as long as your account is active. If you delete your account, we delete your projects, entries, and personal information within 30 days, except where we are required to retain it longer for legal, tax, or fraud-prevention purposes (typically up to 7 years for payment records).

5. Your Rights (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your personal information:

• Access — request a copy of the data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data ("right to be forgotten").
• Restriction — ask us to stop processing your data in certain circumstances.
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at privacy@bumplog.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

6. Your Rights (CCPA / California)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you the right to:

• Know what personal information we collect and how we use it.
• Delete your personal information (with some exceptions).
• Opt out of sale of your personal information — we do not sell personal information, so this right does not currently apply, but you have it.
• Non-discrimination — we will not discriminate against you for exercising these rights.

To exercise these rights, email us at privacy@bumplog.com.

7. International Transfers

ZenCore Digital LLC is located in the United States. Our service providers may process your data in the United States, European Union, and other jurisdictions. Where personal data is transferred out of the EEA or UK, we rely on standard contractual clauses or equivalent safeguards as required by applicable law.

8. Security

We use reasonable technical and organizational measures to protect your personal information, including encryption in transit (TLS), encryption at rest, access controls, and regular review of our infrastructure. No system is perfectly secure, so we cannot guarantee absolute security, but we take the protection of your data seriously and will notify you of any data breach as required by law.

9. Cookies

We use strictly necessary cookies to keep you signed in and to remember your session. We do not use advertising or cross-site tracking cookies. The public changelog pages and embedded widget may use localStorage to track which entries a visitor has already seen; this data stays on the visitor's device.

10. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date. Material changes will be communicated by email or through the Service.

12. Contact

Questions about this Privacy Policy or how we handle your data? Email us at privacy@bumplog.com or write to: