Privacy Policy

1. Introduction

SmithKit ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, applications, and services (collectively, the "Service").

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide when using our Service, including:

• Account Information: Name, email address, username, and password when you create an account.
• Profile Information: Profile picture, company name, job title, and other information you choose to provide.
• Payment Information: Billing address, payment card details (processed securely through our payment processor, Stripe).
• Communication Data: Information you provide when contacting our support team or participating in surveys.
• OAuth Data: Information from third-party services (GitHub, Google) when you choose to authenticate using these services.

2.2 Automatically Collected Information

When you access our Service, we automatically collect certain information, including:

• Device Information: Browser type, operating system, device type, and unique device identifiers.
• Log Data: IP address, access times, pages viewed, and referring URLs.
• Usage Data: Features used, actions taken, and performance metrics within the Service.
• Cookies and Tracking: Information collected through cookies, web beacons, and similar technologies.

2.3 Information from Third Parties

We may receive information about you from third parties, including:

• GitHub: Repository information, commit data, and organization details when you connect your GitHub account.
• Analytics Providers: Aggregated usage and demographic information.
• Payment Processors: Transaction confirmations and billing information from Stripe.

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Providing and Improving the Service

• Create and manage your account
• Process transactions and send related information
• Provide customer support and respond to inquiries
• Monitor and analyze usage patterns to improve the Service
• Develop new features and functionality
• Ensure the security and integrity of the Service

3.2 Communications

• Send transactional emails (account verification, password resets, billing)
• Provide product updates and announcements
• Send marketing communications (with your consent)
• Respond to your comments, questions, and requests

3.3 Legal and Safety

• Comply with legal obligations
• Enforce our terms and policies
• Protect our rights, privacy, safety, or property
• Detect, prevent, and address fraud or security issues

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers

We share information with third-party vendors who perform services on our behalf, including:

• Supabase: Database and authentication services
• Railway: Application hosting and deployment
• Stripe: Payment processing
• Vercel: Content delivery and edge functions
• OpenAI/Anthropic: AI-powered features (changelog generation, commit messages)

4.2 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

4.4 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. We will also retain and use your information as necessary to:

• Comply with our legal obligations
• Resolve disputes
• Enforce our agreements
• Maintain business records for a reasonable period

Data retention periods vary by plan:

• Free Plan: 7 days of activity data
• Pro Plan: 30 days of activity data
• Premium Plan: 90 days of activity data

Upon account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
• Access Controls: Strict access controls and authentication requirements for our systems.
• Secure Infrastructure: Our services are hosted on secure, SOC 2 compliant infrastructure.
• Regular Audits: We conduct regular security assessments and vulnerability testing.
• VaultKit Encryption: Secrets stored in VaultKit use AES-256-GCM encryption with customer-isolated keys.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Your Rights and Choices

7.1 Account Information

You may update, correct, or delete your account information at any time by logging into your account settings. You may also contact us directly to request access to, correction of, or deletion of personal information.

7.2 Marketing Communications

You may opt out of marketing communications by clicking the "unsubscribe" link in any marketing email or by contacting us. Note that you will continue to receive transactional emails related to your account.

7.3 Cookies

Most web browsers are set to accept cookies by default. You can usually modify your browser settings to decline cookies. However, disabling cookies may affect your ability to use certain features of the Service.

7.4 Do Not Track

We do not currently respond to "Do Not Track" signals. However, you may opt out of certain tracking as described in this policy.

7.5 Data Portability

You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format. Contact us to request data export.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that are different from the laws of your country.

We take appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy, including using Standard Contractual Clauses approved by the European Commission for transfers of personal information from the EEA to the United States.

9. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us so we can delete such information.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out: You can opt out of the sale of your personal information. Note: We do not sell personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, please contact us at privacy@smithkit.dev.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Right of Access: You can request copies of your personal data.
• Right to Rectification: You can request that we correct inaccurate data.
• Right to Erasure: You can request that we delete your personal data.
• Right to Restrict Processing: You can request that we restrict processing of your data.
• Right to Data Portability: You can request transfer of your data to another organization.
• Right to Object: You can object to processing of your personal data.
• Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time.

Our legal basis for processing personal data includes: performance of our contract with you, legitimate business interests, compliance with legal obligations, and your consent.

You also have the right to lodge a complaint with a supervisory authority in the EEA.

12. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice, such as an email notification.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

14. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at: