Privacy Policy
Last updated: March 26, 2026
Vershun ("we", "us", "our") operates the vershun.io website and the Vershun changelog service (the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service.
1. Data controller
Vershun is operated by VOTRE_NOM.
Contact: [email protected]
Address: VOTRE_ADRESSE
2. Data we collect
2.1 Account data (Vershun users)
When you create an account, we collect:
- Email address (required, used for authentication and communication)
- Display name (optional)
We do NOT collect passwords. Authentication is handled via passwordless magic links sent to your email.
2.2 Billing data
When you subscribe to a paid plan, payment is processed by Stripe (stripe.com). We store:
- Stripe Customer ID (an opaque identifier)
- Your current plan (free, starter, pro, business)
We do NOT store credit card numbers, CVVs, or bank details. All payment data is handled exclusively by Stripe. See Stripe's privacy policy.
2.3 Subscriber data (your visitors)
When visitors subscribe to your changelog, we collect:
- Email address (with double opt-in confirmation)
Subscriber emails are stored solely to send changelog update notifications on behalf of you (the project owner). We do not use subscriber emails for any other purpose.
2.4 Analytics data
We collect anonymous, aggregated analytics:
- Page views (count only, no visitor identification)
- Widget opens (count only)
- Referrer domain (extracted from the URL, query parameters stripped)
We do NOT collect IP addresses, user agents, device fingerprints, or any personally identifiable information in our analytics.
2.5 Reaction data
When visitors react to a changelog post, we store:
- Reaction type (like, celebrate, meh)
- An anonymous visitor hash (derived from non-identifying browser characteristics: screen size, timezone). This hash cannot be reversed to identify an individual.
2.6 Cookies
We use a single strictly necessary cookie:
- vershun_refresh: An HTTP-only, secure cookie used to maintain your login session on the Vershun dashboard. This cookie is not used for tracking, advertising, or analytics.
We do NOT use any tracking cookies, third-party cookies, or advertising cookies. No consent banner is required under RGPD/ePrivacy for strictly necessary cookies.
The public changelog pages and the embeddable widget do NOT set any cookies.
3. How we use your data
| Data | Purpose | Legal basis (RGPD) |
|---|---|---|
| Email (account) | Authentication, service communication | Contract performance (Art. 6(1)(b)) |
| Display name | Personalization | Contract performance |
| Stripe Customer ID | Billing management | Contract performance |
| Subscriber emails | Sending changelog notifications on your behalf | Legitimate interest (Art. 6(1)(f)) + subscriber consent (double opt-in) |
| Analytics (anonymous) | Providing usage statistics to project owners | Legitimate interest |
| Reaction hash | Preventing duplicate reactions | Legitimate interest |
| Refresh cookie | Maintaining login session | Contract performance |
4. Data sharing
We share data with the following third-party processors, all of which are RGPD-compliant:
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| OVHcloud | Server hosting | France (EU) | Link |
| Cloudflare Inc. | CDN, DNS, DDoS protection | Global (EU data processing) | Link |
| Resend Inc. | Transactional email delivery | USA (EU SCCs) | Link |
| Stripe Inc. | Payment processing | USA (EU SCCs) | Link |
We do NOT sell, rent, or trade your personal data to any third party. We do NOT use your data for advertising or profiling.
5. Data retention
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Projects, posts, settings | Until you delete the project or your account |
| Subscriber emails | Until the subscriber unsubscribes or you delete the project |
| Analytics events | 24 months, then automatically purged |
| Expired magic link tokens | Deleted within 1 hour of expiration |
| Reaction data | Until the post is deleted |
6. Your rights
Under RGPD (Articles 15-22), you have the right to:
- Access: Export all your data via Settings > Profile > Export my data
- Rectification: Edit your profile information at any time
- Erasure: Delete your account via Settings > Profile > Delete account. This permanently removes all your data, projects, posts, subscribers, and analytics.
- Portability: Your data export is provided in JSON format
- Restriction: Contact us at [email protected]
- Objection: Contact us at [email protected]
- Withdraw consent: Subscribers can unsubscribe at any time via the link in every notification email
To exercise any of these rights, use the in-app features or contact us at [email protected]. We will respond within 30 days.
7. Data security
- All data is encrypted in transit (TLS/HTTPS)
- Data at rest is stored on encrypted volumes (OVHcloud)
- Authentication uses passwordless magic links (no passwords stored)
- Session tokens are stored in HTTP-only, secure cookies
- Access tokens are short-lived (15 minutes) and stored in memory only
- HTML content is sanitized to prevent XSS attacks
- API endpoints are rate-limited to prevent abuse
- Database backups are encrypted and stored in Cloudflare R2 (EU)
8. International transfers
Our primary infrastructure is hosted in the European Union (OVHcloud, France). Some processors (Stripe, Resend, Cloudflare) may process data outside the EU under Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Children
Our Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending you an email. The "Last updated" date at the top indicates the latest revision.
11. Contact
For any questions about this Privacy Policy or our data practices:
- Email: [email protected]
- Address: VOTRE_ADRESSE
If you are not satisfied with our response, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertes): https://www.cnil.fr/