Privacy Policy
Last updated: March 26, 2026
Vershun ("we", "us", "our") operates the vershun.io website and the Vershun product communication suite (the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service.
1. Data controller
Vershun is operated by Vershun, based in France.
Contact: [email protected]
2. Data we collect
2.1 Account data (Vershun users)
When you create an account, we collect:
- Email address (required, used for authentication and communication)
- Display name (optional)
We do NOT collect passwords. Authentication is handled via passwordless magic links sent to your email.
2.2 Billing data
When you subscribe to a paid plan, payment is processed by Stripe (stripe.com). We store:
- Stripe Customer ID (an opaque identifier)
- Your current plan (free, starter, pro, business)
We do NOT store credit card numbers, CVVs, or bank details. All payment data is handled exclusively by Stripe. See Stripe's privacy policy.
2.3 Subscriber data (your visitors)
When visitors subscribe to your changelog, we collect:
- Email address (with double opt-in confirmation)
Subscriber emails are stored solely to send changelog update notifications on your behalf (as the project owner). We do not use subscriber emails for any other purpose.
2.4 Analytics data
We collect anonymous, aggregated analytics:
- Page views (count only, no visitor identification)
- Widget opens (count only)
- Referrer domain (extracted from the URL, query parameters stripped)
We do NOT collect IP addresses, user agents, device fingerprints, or any personally identifiable information in our analytics.
2.5 Reaction data
When visitors react to a changelog post, we store:
- Reaction type (like, celebrate, meh)
- An anonymous visitor hash (derived from non-identifying browser characteristics: screen size, timezone). This hash cannot be reversed to identify an individual.
2.6 Monitoring data
When you configure uptime monitoring, we collect:
- URLs configured for monitoring
- HTTP response times and status codes
- Uptime/downtime timestamps
Monitoring data is technical in nature and does not constitute personal data. It is used solely to provide the status page and uptime monitoring features.
2.7 Feedback data
When visitors submit feedback or vote on your roadmap, we collect:
- Feedback title and description
- Author name (optional)
- Author email (optional, for status notifications)
- Anonymous visitor hash (same as reactions)
- Vote records (linked to visitor hash)
2.8 Cookies
We use a single strictly necessary cookie:
- vershun_refresh: An HTTP-only, secure cookie used to maintain your login session on the Vershun dashboard. This cookie is not used for tracking, advertising, or analytics.
We do NOT use any tracking cookies, third-party cookies, or advertising cookies. No consent banner is required under RGPD/ePrivacy for strictly necessary cookies.
The public changelog pages and the embeddable widget do NOT set any cookies.
The Vershun widget uses localStorage (browser-local storage) to store functional data required for the service to operate correctly: read post IDs (to display unread badges), voted item IDs (to prevent duplicate votes), subscription status (to show confirmed state), and widget display preferences. This storage is classified as 'strictly necessary' under the ePrivacy Directive and CNIL/EDPB guidelines, as it is essential for the service to function as requested by the user (vote integrity, notification preferences). It therefore does not require prior consent. This data stays in the visitor's browser and is never transmitted to our servers.
3. How we use your data
| Data | Purpose | Legal basis (RGPD) |
|---|---|---|
| Email (account) | Authentication, service communication | Contract performance (Art. 6(1)(b)) |
| Display name | Personalization | Contract performance |
| Stripe Customer ID | Billing management | Contract performance |
| Subscriber emails | Sending changelog notifications on your behalf | Legitimate interest (Art. 6(1)(f)) + subscriber consent (double opt-in) |
| Analytics (anonymous) | Providing usage statistics to project owners | Legitimate interest |
| Reaction hash | Preventing duplicate reactions | Legitimate interest |
| Feedback data | Feedback board, roadmap voting | Legitimate interest + consent (optional email) |
| Monitoring data (not personal data) | Status page, uptime monitoring | Contract performance |
| Refresh cookie | Maintaining login session | Contract performance |
4. Data sharing
We share data with the following third-party processors, all of which are RGPD-compliant:
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| OVHcloud | Server hosting | France (EU) | Link |
| Cloudflare Inc. | CDN, DNS, DDoS protection | Global (EU data processing) | Link |
| Resend Inc. | Transactional email delivery | USA (EU SCCs) | Link |
| Stripe Inc. | Payment processing | USA (EU SCCs) | Link |
| OpenAI Inc. | AI text generation (opt-in). Data sent via API is not used for model training (OpenAI API data usage policy). | USA (EU DPF) | Link |
We do NOT sell, rent, or trade your personal data to any third party. We do NOT use your data for advertising or profiling.
5. Data retention
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Projects, posts, settings | Until you delete the project or your account |
| Subscriber emails | Until the subscriber unsubscribes or you delete the project |
| Analytics events | 24 months, then automatically purged |
| Expired magic link tokens | Deleted within 1 hour of expiration |
| Reaction data | Until the post is deleted |
| Monitoring data | 90 days (rolling), then automatically purged |
6. Your rights
Under RGPD (Articles 15-22), you have the right to:
- Access: Export all your data via Settings > Profile > Export my data
- Rectification: Edit your profile information at any time
- Erasure: Delete your account via Settings > Profile > Delete account. This permanently removes all your data, projects, posts, subscribers, and analytics.
- Portability: Your data export is provided in JSON format
- Restriction: Contact us at [email protected]
- Objection: Contact us at [email protected]
- Withdraw consent: Subscribers can unsubscribe at any time via the link in every notification email
To exercise any of these rights, use the in-app features or contact us at [email protected]. We will respond within 30 days.
6.2 Rights of end-users (visitors and voters)
If you are a visitor who submitted feedback, voted, or commented on a Vershun-powered changelog, roadmap, or feedback board:
- Your data is controlled by the project owner (our customer), not by Vershun directly.
- To exercise your rights (access, rectification, erasure), please contact the project owner first.
- If you cannot reach the project owner, contact us at [email protected] and we will assist in forwarding your request.
- Vershun will assist project owners in fulfilling data subject requests in accordance with our DPA.
7. Data security
- All data is encrypted in transit (TLS/HTTPS)
- Data at rest is stored on encrypted volumes (OVHcloud)
- Authentication uses passwordless magic links (no passwords stored)
- Session tokens are stored in HTTP-only, secure cookies
- Access tokens are short-lived (15 minutes) and stored in memory only
- HTML content is sanitized to prevent XSS attacks
- API endpoints are rate-limited to prevent abuse
- Database backups are encrypted and stored in Cloudflare R2 (EU)
8. International transfers
Our primary infrastructure is hosted in the European Union (OVHcloud, France). Some processors (Stripe, Resend, Cloudflare) may process data outside the EU under Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Children
Our Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending you an email. The "Last updated" date at the top indicates the latest revision.
11. Contact
For any questions about this Privacy Policy or our data practices:
- Email: [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): https://www.cnil.fr/