Privacy Policy

Introduction

This Privacy Policy (“Policy”) describes how Daniel Benner (“Provider,” “we,” “us,” or “our”), operating from Kameterstraße 52, 85579 Neubiberg, Germany, collects, uses, stores, and protects information obtained from users (“Users,” “you,” “your”) of the Announcable service (“Service”). This Policy applies to all data collected through our website, widget, API, and associated services.

For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, the Provider acts as the data controller for personal data collected through the Service. The Provider can be contacted regarding data protection matters at support@announcable.me.

In this Policy, “personal data” refers to any information relating to an identified or identifiable natural person. “Processing” means any operation performed on personal data, whether or not by automated means, including collection, storage, modification, use, transmission, or deletion.

The Provider is committed to protecting User privacy and handling personal data in a transparent and lawful manner. This Policy outlines the types of data collected, the purposes for which it is processed, the legal bases for processing, and the rights Users have regarding their personal data.

The Provider reserves the right to modify this Policy at any time. Users will be notified of any material changes via email and/or through the Service interface. Continued use of the Service following such notification constitutes acceptance of the modified Policy. If Users do not agree with the modifications, they must discontinue use of the Service.

This Policy is available in both English and German. In the event of any discrepancy between the two versions, the English version shall prevail. The Provider encourages Users to review this Policy periodically to stay informed about how their personal data is being protected and used.

Data Collection and Processing

The Provider collects and processes various types of data necessary for the operation and improvement of the Service. Account information collected includes company names and email addresses provided during registration or subsequent account management. This information is essential for account authentication, service provision, and communication regarding service updates or account-related matters.

Payment information is processed through Stripe, our third-party payment processor. The Provider does not directly collect, store, or process complete payment details such as credit card numbers. Users submitting payment information are subject to Stripe’s privacy policy and terms of service, with the Provider receiving only limited transaction-related information necessary for subscription management.

The Service collects and stores release notes content, including text, images, and associated metadata, as provided by Users. This content is processed and stored to enable the core functionality of the Service, including display through the widget and standalone changelog pages. Media uploads are limited to 5MB per file and are stored securely on servers located in Germany.

Widget usage data is collected through local storage mechanisms, including information about which release notes have been viewed or liked by end users. When Users choose to implement optional tracking features, the Service processes and stores unique identifiers and segment information for end users as provided by the implementing User. This information is used solely for tracking release note impressions and providing analytics to Users.

Technical information automatically collected includes browser type, device information, IP addresses, and other standard web logging data. This information is processed to ensure proper service functionality, maintain security, and improve the Service. The Provider uses Plausible Analytics for website analytics, which processes anonymized usage data in compliance with privacy regulations.

The Provider processes all collected data in accordance with applicable data protection laws, including the GDPR. Each category of data processing is conducted under one or more legal bases as defined by Article 6 of the GDPR, including contractual necessity, legal obligation, legitimate interests, or User consent where required.

The Provider maintains records of processing activities as required by Article 30 of the GDPR and implements appropriate technical and organizational measures to ensure data security. Users may request detailed information about specific data processing activities by contacting the Provider’s support service.

Cookies and Local Storage

The Provider employs cookies and local storage mechanisms to facilitate essential Service functionality and enhance User experience. Authentication cookies are strictly necessary for maintaining User sessions and securing access to the Service. These cookies contain encrypted session identifiers and are automatically removed upon User logout or session expiration.

User preferences, including interface settings such as dark mode selection, are stored using cookies. These preferences persist across sessions to maintain consistent User experience but can be cleared through browser settings at any time. No personal information is stored within these preference entries.

Third-party cookies are limited to those essential for Service operation. Specifically, Plausible Analytics employs privacy-focused analytics that do not use cookies or collect personal information. Payment processing through Stripe may involve additional cookies subject to Stripe’s own cookie policy.

Users maintain control over cookie settings through their browser preferences. While Users may disable non-essential cookies, certain Service features may become unavailable or function improperly without required cookies. The Provider does not use cookies for advertising purposes or track Users across third-party websites.

Cookie data retention periods vary by purpose. Authentication cookies expire upon session end or logout, preference data persists until explicitly cleared by Users, and widget interaction data remains until the implementing User requests deletion or modifies their tracking configuration.

The Provider regularly reviews its use of cookies and local storage mechanisms to ensure compliance with privacy regulations and minimize data collection. Users may request detailed information about specific cookies and storage mechanisms by contacting the Provider’s support service.

Data Usage and Purpose

The Provider processes collected data for specific, documented purposes in accordance with Article 5(1)(b) of the GDPR. Primary service provision requires processing of account information, Content, and technical data to maintain User accounts, deliver widget functionality, and ensure proper operation of the Service. This processing is necessary for the performance of the contract between the Provider and Users.

Communication with Users occurs through email for essential service notifications, security alerts, and account-related matters. Such communications include notice of Terms or Policy updates, subscription status changes, and service maintenance announcements. Users may not opt out of essential service communications but maintain control over additional communication preferences through their account settings.

Service improvement efforts involve analysis of anonymized usage patterns, performance metrics, and technical data. This processing is conducted under the Provider’s legitimate interest in maintaining and enhancing Service quality. Analytics data processed through Plausible Analytics adheres to privacy-by-design principles, avoiding personal data collection while providing necessary insights for Service optimization.

The Provider processes certain data to comply with legal obligations, including tax regulations, data protection laws, and law enforcement requests. Such processing is limited to what is necessary for compliance and is conducted with appropriate safeguards for User privacy. Users are notified of legal data processing unless prohibited by law.

Marketing communications, if any, are sent only with explicit User consent and include clear unsubscribe mechanisms. The Provider does not sell, rent, or trade User data for marketing purposes. Usage data may inform product development and feature prioritization but is processed in aggregate, anonymous form.

All data processing activities are documented in the Provider’s records of processing activities. Each processing purpose has defined retention periods, processing methods, and legal bases. Users may request information about specific processing activities or object to processing based on legitimate interests where applicable under data protection law.

The Provider regularly reviews processing purposes to ensure continued relevance and necessity. Changes to processing purposes are communicated to Users through Policy updates, with new consent obtained where required by applicable law.

Data Storage and Security

The Provider stores all User data on servers located in Germany, operated by Hetzner Cloud Services. This infrastructure choice ensures data remains within the European Union, subject to comprehensive data protection regulations. The physical and network security of these facilities is maintained according to industry standards, with regular security audits and updates.

The Provider implements appropriate technical and organizational measures to protect User data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to, encryption of data in transit and at rest, secure authentication protocols, regular security assessments, and access controls limiting data access to authorized personnel on a need-to-know basis.

Data retention periods are defined based on the type of data and its purpose. Account information and Content are retained for the duration of the User relationship and the specified grace period following account termination. Technical logs and backup data are retained for reasonable periods necessary for security, troubleshooting, and system reliability purposes, not exceeding the duration necessary for their intended purpose.

Daily backups of User data are performed to ensure system reliability and enable disaster recovery. Backup data is encrypted and stored securely within the European Union. While backups provide additional data security, the Provider makes no guarantee regarding data restoration capabilities and recommends Users maintain their own backups of critical Content.

Security incident response procedures are maintained and regularly updated to ensure prompt detection, investigation, and notification of any data breaches. In the event of a security incident affecting User data, the Provider will notify affected Users and relevant supervisory authorities as required by applicable law, providing appropriate information and recommendations.

The Provider regularly reviews and updates its security measures to address evolving threats and comply with security best practices. Staff members receive regular training on data protection and security procedures. Third-party security assessments are conducted periodically to validate security controls and identify potential improvements.

Access to User data by Provider personnel is strictly controlled, logged, and limited to legitimate business purposes. All staff members with data access are bound by confidentiality obligations and must comply with the Provider’s data protection policies and procedures.

Data Sharing and Third Parties

The Provider limits data sharing to what is strictly necessary for Service operation and legal compliance. Third-party service providers engaged by the Provider are carefully selected based on their data protection practices and ability to comply with applicable privacy regulations. These service providers act as data processors under written agreements that ensure appropriate data protection safeguards.

Payment processing is conducted exclusively through Stripe, which receives necessary transaction data directly from Users. The Provider receives limited payment confirmation data but does not access, store, or process complete payment information. Users engaging with Stripe’s payment services are subject to Stripe’s privacy policy and terms of service, which are independent of this Policy.

Analytics services are provided by Plausible Analytics, operating under a data processing agreement that ensures privacy-focused analytics without personal data collection. Analytics data is processed in an anonymous form, providing aggregate insights about Service usage patterns while maintaining User privacy. No personal information is shared with Plausible Analytics.

The Provider may be required to disclose User data to comply with legal obligations, court orders, or valid law enforcement requests. Such disclosures are limited to what is legally required and are conducted with appropriate confidentiality measures. Users are notified of legal disclosures unless prohibited by law or court order.

In the event of a business transfer, merger, acquisition, or similar corporate event, User data may be transferred as part of the transaction. Any successor entity will be bound by this Policy and must respect existing privacy commitments to Users. Users will be notified of any such transfer and provided with options regarding their data.

The Provider does not sell, rent, or trade User data to third parties for marketing or other commercial purposes. Any data sharing with third parties is conducted under appropriate data processing agreements that ensure continued protection of User data in accordance with this Policy and applicable law.

Service providers and third parties are regularly evaluated to ensure continued compliance with data protection requirements. The Provider maintains records of all data sharing arrangements and conducts periodic reviews to validate the necessity and appropriateness of existing data sharing practices.

User Rights Under GDPR

Users located in the European Economic Area (EEA) or otherwise protected by the GDPR enjoy specific rights regarding their personal data. The Provider fully acknowledges and facilitates the exercise of these rights in accordance with Articles 15-22 of the GDPR. Users may exercise their rights by contacting support@announcable.me with their specific request.

The right to access enables Users to obtain confirmation whether their personal data is being processed and receive a copy of their personal data in a structured, commonly used format. The Provider will respond to access requests within one month of receipt, providing comprehensive information about the processing of personal data, including processing purposes, data categories, and recipients.

Users maintain the right to rectification, allowing them to correct inaccurate personal data or complete incomplete data. Account information can be updated directly through the Service interface, while other corrections may be requested through the Provider’s support service. The Provider will process valid rectification requests without undue delay.

The right to erasure (“right to be forgotten”) permits Users to request deletion of their personal data when it is no longer necessary for the original processing purpose, when consent is withdrawn, or when other specific conditions apply. Upon receiving a valid erasure request, the Provider will delete the relevant personal data within seven days, subject to legal retention requirements.

Data portability rights enable Users to receive their personal data in a machine-readable format and transmit this data to another controller. The Provider facilitates data portability by offering export functionality for User Content and account data. Technical limitations may affect the format and completeness of exported data.

Users may object to processing based on legitimate interests, including profiling. Upon receiving an objection, the Provider will cease processing the personal data unless compelling legitimate grounds exist that override the User’s interests or the processing is necessary for legal claims.

Where processing is based on consent, Users have the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The Provider ensures that consent withdrawal is as straightforward as giving consent.

The Provider responds to all rights requests without undue delay and at the latest within one month, with the possibility of extension by two further months where necessary due to request complexity. Users are informed of any extension within the initial one-month period, along with the reasons for delay.

International Data Transfers

The Provider primarily processes and stores all User data within the European Union, specifically on servers located in Germany. This approach ensures compliance with GDPR requirements regarding international data transfers and maintains a high standard of data protection. No routine transfers of personal data occur to locations outside the European Economic Area (EEA).

In the event that any data transfer outside the EEA becomes necessary for Service operation or improvement, such transfers will only be conducted under appropriate safeguards as required by Chapter V of the GDPR. These safeguards may include adequacy decisions by the European Commission, Standard Contractual Clauses (SCCs), or other legally approved transfer mechanisms.

The Provider maintains transparency regarding the geographic location of data processing activities and any international transfers. Users will be explicitly informed of any changes to data transfer practices that affect their personal data. Where required by law, specific consent will be obtained before initiating new international data transfers.

For data transfers to third-party service providers outside the EEA, the Provider implements Standard Contractual Clauses or ensures the recipient operates under an adequacy decision. These legal mechanisms establish binding obligations to protect User data at a level consistent with European data protection standards.

The Provider regularly assesses the data protection landscape in recipient countries to ensure continued adequacy of protection for transferred data. Where necessary safeguards cannot be ensured, or where legal requirements change, the Provider will modify its data transfer practices accordingly and notify affected Users.

Technical measures complement legal safeguards for international transfers, including encryption of data in transit and at rest, access controls, and secure transmission protocols. These measures ensure data security regardless of geographic location and protect against unauthorized access during any necessary transfers.

Users may request information about specific data transfers affecting their personal data, including the safeguards in place and copies of relevant documentation. The Provider maintains records of all international data transfers as part of its Article 30 GDPR documentation obligations.

Children’s Privacy

The Service is not directed at or intended for use by individuals under the age of 16 (“Children”). The Provider does not knowingly collect or process personal data from Children. Users must be at least 16 years of age to create an account and use the Service. This age restriction reflects the Provider’s commitment to protecting Children’s privacy and complying with applicable data protection regulations.

In the event the Provider becomes aware that personal data has been inadvertently collected from a Child, such data will be promptly deleted. The Provider implements reasonable measures to verify User age during account creation, though these measures necessarily rely on User honesty in providing accurate information.

Users implementing the Service’s widget on websites or applications directed at Children must ensure their use complies with applicable children’s privacy laws, including the Children’s Online Privacy Protection Act (COPPA) where applicable. The Provider accepts no responsibility for Users’ implementation of the Service in violation of children’s privacy regulations.

The Provider does not engage in targeted marketing or advertising to Children through the Service. While the widget may display release notes on third-party websites accessed by Children, no personal data collection features should be enabled by Users in contexts where Children constitute the primary audience.

Parents or guardians who believe the Provider may have inadvertently collected personal data from a Child are encouraged to contact support@announcable.me immediately. The Provider will cooperate with parents to identify and remove any inappropriately collected data, providing transparency about any processing that may have occurred.

The Provider regularly reviews its practices to ensure continued compliance with children’s privacy requirements. This includes monitoring changes in applicable regulations and updating policies and procedures as necessary to maintain appropriate protections for Children’s personal data.

Users found to be under the age restriction will have their accounts terminated immediately upon discovery, with appropriate measures taken to delete associated personal data, subject to legal requirements and the Provider’s routine backup procedures.

Contact Information

For all matters concerning data protection, privacy inquiries, or the exercise of User rights under this Policy, the Provider can be reached at support@announcable.me. The Provider commits to responding to all privacy-related communications within twenty-four (24) hours during regular business days, though complex inquiries may require additional processing time.

Written correspondence regarding privacy matters may be directed to:

Daniel Benner
Kameterstraße 52, 85579 Neubiberg
Germany

Users exercising their data protection rights should clearly indicate the nature of their request in the communication subject line. To facilitate prompt and accurate response, Users should include their account email address and any relevant details supporting their request. The Provider may require reasonable identity verification before processing certain requests to protect User privacy and prevent unauthorized access.

For urgent privacy concerns or suspected data breaches, Users should mark their communications as urgent in the subject line. The Provider maintains escalation procedures for privacy-related emergencies and will respond accordingly. In the event of a confirmed data breach affecting User personal data, the Provider will notify affected Users and relevant supervisory authorities as required by law.

Questions regarding this Privacy Policy, its interpretation, or its application to specific situations should be directed to the Provider’s support service. While the Provider strives to make this Policy comprehensive and clear, additional clarification may be provided upon request.

Users have the right to lodge complaints with relevant data protection supervisory authorities if they believe their privacy rights have been violated. For Users in the European Union, this typically means the supervisory authority in their country of residence. The Provider will cooperate fully with any official investigation while maintaining User privacy and confidentiality to the extent permitted by law.

The Provider regularly reviews and updates contact procedures to ensure efficient handling of privacy-related communications. Users will be notified of any significant changes to these contact methods through appropriate channels, including email notifications and Service announcements.