Privacy Policy

    Last updated March 29, 2026

    1. Overview

    This Privacy Policy explains how CTRLED Labs Ltd ("Change Layer", "we", "us", or "our") collects, uses, stores, and shares personal data when you use https://changelayer.app, our hosted application, public pages, widgets, APIs, and related services (together, the "Services").

    CTRLED Labs Ltd is the controller of the personal data described in this policy.

    If you have questions about this policy or want to exercise your privacy rights, contact us at support@changelayer.app.

    2. Data We Collect

    We collect the following categories of data depending on how you use the Services.

    Account and identity data

    When you create or use an account, we may collect:

    • your name
    • your email address
    • profile image information
    • the identity provider you use to sign in, such as Google or GitHub
    • provider account identifiers and related account metadata
    • account session data, including session identifiers, IP address, and user agent

    Workspace and content data

    When you use the product, we may collect and store data needed to provide the Services, including:

    • teams, products, changelogs, release notes, roadmaps, versions, and related metadata
    • published and draft content you create or upload
    • uploaded images and other files you submit through the app
    • API keys, access settings, usage counts, and related configuration

    If you publish content or enable public pages, widgets, or public API access, the content you choose to publish may be accessible to the public.

    Connected account and GitHub data

    If you connect Google or GitHub, or install the Change Layer GitHub App, we may receive and process data needed to authenticate you and provide the integration, such as:

    • basic profile and account details from the provider
    • GitHub user identifiers and installation details
    • repository-related data you choose to connect to the Services
    • commit messages and related repository metadata used to generate changelog drafts

    We do not claim ownership of your repository data. We process it only to provide the integration and related product features.

    Billing data

    If you purchase a paid plan, Stripe processes billing and payment information on our behalf. We may receive and store limited billing-related data such as:

    • customer and subscription identifiers
    • plan, billing period, invoice, and payment status information
    • business and billing metadata needed to manage your subscription

    We do not store full payment card details on our own systems.

    Communications data

    If you contact us, request support, leave feedback, or submit an enterprise inquiry, we may collect:

    • your name or company name
    • your email address
    • the content of your message
    • support priority flags and other details you submit with the request

    Usage, device, and analytics data

    We collect information about how the Services are used so we can operate, secure, and improve them. This may include:

    • pages viewed and routes visited
    • feature usage and interaction events
    • approximate device, browser, operating system, and referral information
    • timestamps and technical diagnostics
    • identifiers stored in cookies or local storage by analytics or advertising tools

    Security and abuse-prevention data

    We process technical data to secure the Services and enforce limits, including:

    • IP address
    • request headers and user agent
    • rate-limit and abuse-prevention identifiers
    • login and access events

    3. How We Use Personal Data

    We use personal data to:

    • create and manage user accounts and sessions
    • authenticate users and linked identity providers
    • provide workspaces, publishing, widgets, public pages, and APIs
    • process subscriptions, invoices, plan changes, and payment-related communications
    • send transactional emails, service notifications, support responses, and account messages
    • host and deliver uploaded files and media
    • provide GitHub integrations and GitHub App installation flows
    • generate draft changelog content using AI tools when you use that feature
    • measure product usage, performance, and marketing effectiveness
    • detect abuse, enforce rate limits, protect the Services, and investigate security issues
    • comply with legal obligations and enforce our agreements

    4. Legal Bases for Processing

    Where the GDPR or similar laws apply, we rely on the following legal bases:

    • Contract: to provide the Services you request, including accounts, billing, hosting, integrations, and support
    • Legitimate interests: to secure, maintain, improve, analyze, and market the Services, and to prevent fraud or abuse
    • Legal obligation: to comply with legal, regulatory, tax, and accounting requirements
    • Consent: where we specifically request it for a particular activity

    5. Cookies, Local Storage, and Similar Technologies

    This section is our cookie policy.

    We use cookies, local storage, and similar technologies to operate the Services and understand how they are used.

    Strictly necessary cookies

    Some cookies are required for the Services to work correctly. These may include cookies used to:

    • keep you signed in
    • maintain secure sessions
    • complete sign-in and OAuth flows
    • remember temporary workflow state such as post-login redirects or GitHub installation steps
    • remember the last sign-in provider you used

    Examples of app cookies currently used by the Services include:

    • Better Auth session and sign-in cookies, such as session, state, and account-related cookies
    • lastUsed
    • redirectUrl
    • createChangelog
    • changelogName
    • redirect_url
    • pending_installation_id

    These cookies are necessary for core product functionality and account access.

    Preferences and local storage

    We use browser storage to remember user or interface preferences. This may include:

    • theme and display preferences used by the app
    • local storage used by interactive documentation or developer tooling
    • analytics identifiers stored by third-party analytics tools

    Analytics cookies and storage

    We currently use the following analytics tools:

    • Plausible Analytics for privacy-focused website analytics
    • PostHog for product analytics and pageview tracking

    Plausible is configured through our site layout and is intended to provide website analytics. Plausible describes its service as cookieless in its public documentation, but you should review Plausible's own documentation for the latest details.

    PostHog is loaded on the site and may use local storage and cookies to persist identifiers, session information, and analytics state. In our current implementation, PostHog is initialized without disabling persistence.

    Advertising and conversion measurement

    We currently load an X Ads website tag from the site layout. That tag may use cookies or similar identifiers to measure ad performance, attribute conversions, and build marketing audiences according to X's own policies.

    Managing cookies

    You can usually control cookies and local storage through your browser settings. If you disable essential cookies or storage, parts of the Services may stop working correctly.

    We do not currently provide an in-product cookie preference center.

    6. AI Processing

    When you use AI-assisted changelog generation, we send commit messages and related inputs you choose to process to OpenAI to generate draft output. This processing is used only to provide the feature you request.

    You are responsible for reviewing AI-generated output before publishing or relying on it. AI output may be incomplete or inaccurate.

    7. How We Share Personal Data

    We share personal data only as needed to operate the Services, with your direction, or as required by law. Categories of recipients include:

    • Authentication providers such as Google and GitHub
    • Infrastructure and database providers used to host and run the Services
    • Stripe for subscriptions, billing, and payment processing
    • UploadThing for file upload handling and storage workflows
    • Resend for transactional and support email delivery
    • Plausible Analytics and PostHog for analytics
    • OpenAI for AI-assisted changelog generation
    • Upstash for rate limiting and abuse prevention
    • X Ads for advertising measurement and conversion tracking

    We may also share personal data:

    • if required by law, regulation, court order, or lawful request
    • in connection with a merger, acquisition, financing, or sale of assets
    • to enforce our terms, protect rights and safety, or investigate fraud, abuse, or security issues

    We do not sell personal data for money.

    8. International Transfers

    Our providers may process data in the United Kingdom, European Union, United States, and other countries where they operate.

    Where required, we rely on appropriate safeguards for international transfers, such as contractual protections or other legally recognized transfer mechanisms offered by the relevant provider.

    9. Data Retention

    We retain personal data for as long as reasonably necessary for the purposes described in this policy, including to provide the Services, maintain security, comply with legal obligations, resolve disputes, and enforce agreements.

    In practice, retention may vary by data type:

    • account data is retained while your account remains active and for a reasonable period after closure
    • workspace and published content is retained until deleted by you, your workspace, or us in accordance with our terms
    • support, billing, and transactional records may be retained as needed for legal, tax, accounting, and operational reasons
    • analytics and security data is retained according to our tooling and operational needs

    If you want data deleted, contact us and we will evaluate the request in accordance with applicable law.

    10. Your Rights

    Depending on where you live, you may have rights to:

    • access personal data we hold about you
    • request correction of inaccurate data
    • request deletion of personal data
    • object to or restrict certain processing
    • receive a portable copy of certain data
    • withdraw consent where processing is based on consent
    • complain to a supervisory authority

    To exercise these rights, contact support@changelayer.app.

    We may need to verify your identity before completing a request.

    11. Security

    We use administrative, technical, and organizational measures designed to protect personal data. No system is completely secure, and we cannot guarantee absolute security.

    12. Children's Privacy

    The Services are not intended for children under 16, and we do not knowingly collect personal data from children under 16.

    If you believe a child under 16 has provided us with personal data, contact us and we will investigate.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of the policy.

    14. Contact Us

    CTRLED Labs Ltd
    71-75 Shelton Street
    London WC2H 9JQ
    United Kingdom
    support@changelayer.app