Privacy Policy

1. Introduction

Cullit LLC (“Company,” “we,” “us,” or “our”) operates cullit.io and the Cullit CLI and GitHub Action (collectively, the “Service”). This Privacy Policy explains how we collect, use, and protect information when you use our Service.

2. Information We Collect

Information You Provide

Account information: When you log in via our authentication provider (WorkOS AuthKit), we collect your user ID, display name, email address, and profile picture URL. We also generate and store a Cullit API key, organization membership, role, and login timestamps.
Organization data: If you create or join an organization, we store the organization name, membership roster (user IDs and roles), and team API keys including key label, assignment metadata, status (active/revoked), and creation/revocation timestamps.
Sponsorship data: Optional sponsorship activity is handled by GitHub Sponsors under GitHub's own privacy policy.
Configuration data: Settings you provide in your .cullit.yml configuration file, including AI provider preferences and integration settings.

Information Processed Temporarily

When you use the Service to generate release notes, the following data is processed in-memory and is not stored after your session:

Git Commit Data

Commit messages, author names, dates, and PR references between the refs you specify.

Enrichment Data

Ticket information retrieved from Jira or Linear using your credentials.

Third-Party API Keys

Your third-party API keys (e.g., Anthropic, OpenAI) are used only for the current request and are never logged or stored by us.

Information Stored Persistently

When you use the hosted Service, the following data is stored:

Generation History

A summary of each generation including: project name, version range, AI provider used, output format, change count, a 500-character summary of the generated content, processing duration, and timestamp. Up to 200 history entries are stored per user.

Usage Analytics

Daily aggregated usage metrics including generation counts, changes processed, processing duration, and AI provider breakdown. Retained for 90 days per user/organization.

Information Collected Automatically

Usage analytics: We collect per-user and per-organization usage data including daily generation counts, total changes processed, average processing duration, and AI provider breakdown. This data is retained for 90 days. It does not include your code, commit messages, or generated content.
Website analytics: When you visit cullit.io, we may collect standard web analytics data including IP address, browser type, and pages visited.

3. How We Use Information

We use the information we collect to:

Provide, maintain, and improve the Service.
Process payments for paid subscriptions.
Send you updates about the Service (you can opt out at any time).
Respond to your requests and support inquiries.
Monitor and analyze usage trends to improve user experience.
Comply with legal obligations.

4. Information Sharing

We do not sell your personal information. We may share information only in the following circumstances:

Third-party AI providers: When you use the Service, your git commit data is sent to the AI provider you selected (Anthropic, OpenAI, Gemini, or Ollama) to generate release notes. This data is subject to the AI provider’s terms and privacy policies.
Payment processing: Payment information is processed by Stripe.
Infrastructure hosting: The Cullit API and dashboard are hosted on Railway. Your data may be processed on Railway’s infrastructure.
Transactional email: Account notifications and invite emails are delivered via Resend. Only your email address and message content are shared.
Legal requirements: We may disclose information if required by law, regulation, or legal process.
Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

5. Data Retention

Account Data

Retained while your account is active. Deleted within 30 days of deletion request.

Generation History

Generation metadata and 500-character summaries are retained per user (max 200 entries). Full commit data and complete release notes text are not retained.

Usage Analytics

Daily aggregated usage metrics are retained for 90 days per user/organization.

Organization Data

Retained while the organization is active. Deleted within 30 days of deletion request by the organization owner.

Third-Party API Keys

Never stored. Used only for the duration of the request.

Payment Records

Retained as required for accounting and tax purposes.

6. Data Security

We implement reasonable technical and organizational measures to protect your information, including:

HTTPS encryption for all web traffic.
No storage of third-party API keys.
Summaries of generated release notes (up to 500 characters) are stored; full content is not logged or retained.
JWT session tokens with HttpOnly, SameSite=Lax, and Secure (in production) cookie flags.
CSRF protection via OAuth state parameter validation.
Secure payment processing through Stripe (PCI-compliant).

However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal information we hold about you.
Request correction of inaccurate information.
Request deletion of your information.
Opt out of marketing communications.
Object to or restrict certain processing of your information.

To exercise any of these rights, contact us at matt@cullit.io.

8. Children’s Privacy

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.

9. International Users

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States. For users in the European Economic Area (EEA), such transfers are conducted under Standard Contractual Clauses as approved by the European Commission.

10. Your Rights Under GDPR & CCPA

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate data.
Erasure: Request deletion of your personal data (“right to be forgotten”).
Portability: Request your data in a structured, machine-readable format.
Opt-out: California residents may opt out of the “sale” of personal information under CCPA. We do not sell personal data.

To exercise any of these rights, contact us at matt@cullit.io. We will respond within 30 days.

11. Cookies & Local Storage

The Cullit website and dashboard use browser localStorage to persist user preferences (e.g., saved API URL, widget dismissed state). When you log in, we set an HttpOnly authentication cookie (cullit_session) containing a signed JWT token with your user ID and username. This cookie expires after 7 days and uses the Secure flag in production and SameSite=Lax to prevent cross-site request forgery. We do not set cookies for advertising or tracking purposes.

12. Open Source Components

The Cullit CLI and GitHub Action are open-source software licensed under the MIT License. When you use the open-source components locally, no data is transmitted to us. Data is only sent to the third-party AI provider you configure.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the “Last Updated” date.

14. Contact

If you have questions about this Privacy Policy, contact us at:

Cullit LLC

Email: matt@cullit.io

Website: cullit.io