Privacy Policy

Data Controller

The data controller for WhatWeShipped is:
Lucius AB
Swedish Company Registration: 559087-8038
VAT: SE559087803801
Sweden

For privacy-related questions, contact us at: [email protected]

What Data We Collect

Account Information

When you create an account, we collect:

• Email address (for account access and important notifications)
• Name (for display in your profile and team collaboration)
• Password (encrypted and never stored in plain text)
• Account preferences and settings

GitHub Integration Data

When you connect your GitHub account, we access:

• Repository metadata (name, description, visibility)
• Commit information (messages, timestamps, author, file changes)
• Repository structure and file contents (for analyzing changes)
• Your GitHub username and basic profile information

We only request the minimum GitHub permissions necessary to provide our service. You can revoke this access at any time through your GitHub settings.

Project and Content Data

• Project descriptions, names, and settings
• Changelog entries and feature descriptions
• Roadmap items and their status
• Comments and collaboration data within teams
• Public page customization preferences

AI Processing Data

When you use our AI-powered changelog generation feature:

• Commit messages, code diffs, and file changes are sent to OpenAI's API
• This data is used to generate user-friendly feature descriptions
• OpenAI processes this data according to their privacy policy and data usage policies
• You can choose not to use AI generation and create features manually instead

Usage and Technical Data

• IP address and browser information (for security and analytics)
• Login timestamps and session information
• Feature usage patterns (to improve our service)
• Error logs and performance metrics

How We Use Your Data

We use your data exclusively to:

• Provide the service: Generate changelogs, manage roadmaps, sync GitHub data
• Account management: Authentication, billing, customer support
• Team collaboration: Enable organization features and member management
• Service improvement: Fix bugs, optimize performance, develop new features
• Security: Detect fraud, prevent abuse, protect user accounts
• Legal compliance: Meet our legal obligations and enforce our terms

When We Share Data

We share your data only in these limited circumstances:

• Public project pages: Data you choose to make public (changelogs, roadmaps) is visible to anyone with the link
• Team collaboration: Organization members can see shared projects and content
• AI processing: When you use AI changelog generation, commit data is sent to OpenAI's API for processing
• Service providers: Trusted third parties who help us operate the service (hosting, payment processing, email delivery)
• Legal requirements: When required by law, court order, or to protect our rights

Our service providers are bound by strict confidentiality agreements and can only process your data as instructed by us.

How Long We Keep Your Data

• Active accounts: We keep your data as long as your account is active
• Deleted accounts: Data is permanently deleted within 30 days of account deletion
• Billing records: Kept for 7 years as required by Swedish accounting laws
• Support communications: Kept for 2 years to help resolve future issues
• Security logs: Kept for 1 year for fraud prevention and security analysis

You can request immediate deletion of your account and data by contacting us at [email protected].

Your Data Rights

Under GDPR and other privacy laws, you have the right to:

• Access: Request a copy of all data we have about you
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and data
• Portability: Export your data in a common format
• Restriction: Limit how we process certain data
• Objection: Object to certain types of data processing

Most of these actions can be performed directly in your account settings. For other requests, email us at [email protected].

International Data Transfers

As a Swedish company, we primarily process data within the European Economic Area (EEA). However, some of our service providers may be located outside the EEA, including:

• Cloud hosting providers (with appropriate safeguards in place)
• Email delivery services
• Payment processors

When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

Cookies and Tracking

We use cookies and similar technologies for:

• Essential cookies: Required for the service to function (login sessions, security)
• Preference cookies: Remember your settings and preferences
• Analytics cookies: Understand how our service is used (anonymized data only)

We don't use advertising cookies or third-party tracking pixels. You can control cookie preferences in your browser settings.

Data Security

We protect your data with:

• Encryption in transit (HTTPS/TLS) and at rest
• Regular security audits and updates
• Access controls and employee training
• Regular backups with encryption
• Incident response procedures

While we implement strong security measures, no system is 100% secure. We'll notify you promptly of any security incidents that may affect your data.

Children's Privacy

WhatWeShipped is not intended for children under 13. We don't knowingly collect data from children under 13. If we discover that a child under 13 has provided us with personal information, we'll delete it immediately.

Changes to This Policy

We may update this privacy policy to reflect changes in our practices or for legal reasons. When we do:

• We'll notify you via email or in-app notification
• Changes take effect 30 days after notification
• We'll maintain previous versions for your reference
• Significant changes will be clearly highlighted