Last updated: February 4, 2025
Privacy Policy
This Privacy Policy describes how PushPlay (pushplay.dev), operated by Matt Mazzega ("we", "us", or "our"), collects, uses, and protects your personal data when you use our platform and services.
PushPlay is based in France and is committed to complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data We Collect
Account Data
When you sign up via GitHub OAuth, we collect:
- GitHub username and profile information (name, avatar, email)
- GitHub user ID
- OAuth access token (encrypted at rest)
Repository & Code Data
When you use the Service to generate videos, we access:
- Repository metadata (name, description, language)
- Pull request data (title, description, diff, files changed)
- Code snippets relevant to the PR — processed temporarily to generate your video and not stored long-term
Payment Data
Payment information (credit card numbers, billing address) is collected and processed directly by Stripe. We do not store your full payment details. We receive from Stripe: your subscription status, plan type, and a truncated card identifier for display purposes.
Usage Data
We automatically collect:
- Pages visited, features used, and actions taken within the Service
- Browser type, operating system, and device information
- IP address (anonymized where possible)
- Timestamps of interactions
2. How We Use Your Data
We use your data to:
- Provide the Service — Authenticate your account, access your repositories, generate changelog videos from your pull requests, and deliver them to you.
- Process payments — Manage subscriptions, billing, and invoicing through Stripe.
- Improve the Service — Analyze usage patterns to fix bugs, improve performance, and develop new features.
- Communicate with you — Send account-related emails (e.g., subscription confirmations, security alerts). We do not send marketing emails without your explicit opt-in consent.
- Ensure security — Detect, prevent, and respond to fraud, abuse, and security incidents.
3. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data on the following legal bases:
- Performance of a contract — Processing necessary to provide the Service you signed up for (Article 6(1)(b)).
- Legitimate interests — Analytics, security, and service improvement, where our interests do not override your rights (Article 6(1)(f)).
- Consent — For optional processing such as marketing communications (Article 6(1)(a)). You may withdraw consent at any time.
- Legal obligation — Where we are required to process data to comply with applicable laws (Article 6(1)(c)).
4. Third-Party Services
We use the following third-party services to operate PushPlay. Each processes data in accordance with its own privacy policy:
GitHub
Authentication (OAuth) and repository/PR data access. GitHub processes your data under their Privacy Statement.
Stripe
Payment processing and subscription management. Stripe is PCI-DSS compliant and handles all payment card data. See Stripe's Privacy Policy.
Supabase
Database hosting and authentication infrastructure. Your account data and project metadata are stored in Supabase. See Supabase's Privacy Policy.
ElevenLabs
AI voice generation for video narration. Text summaries of your PRs are sent to ElevenLabs for speech synthesis. See ElevenLabs' Privacy Policy.
Vercel
Application hosting and deployment. Vercel may process your IP address and request metadata. See Vercel's Privacy Policy.
5. Data Retention
- Account data — Retained for as long as your account is active. Deleted within 30 days of account deletion.
- Generated videos — Stored for as long as your account is active. You may delete individual videos at any time.
- Code/PR data — Processed transiently during video generation and not stored permanently. Temporary caches are purged within 24 hours.
- Usage data — Retained in anonymized/aggregated form for up to 24 months for analytics.
- Payment records — Retained as required by French tax and accounting laws (typically 10 years for invoices).
6. International Data Transfers
Some of our third-party service providers (GitHub, Stripe, Vercel, ElevenLabs) are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- EU-U.S. Data Privacy Framework certifications
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Providers' own GDPR compliance commitments
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten").
- Right to restriction — Request that we restrict processing of your data in certain circumstances.
- Right to data portability — Request your data in a structured, commonly used, machine-readable format.
- Right to object — Object to processing based on legitimate interests.
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at hi@pushplay.dev. We will respond within 30 days. You also have the right to lodge a complaint with the French data protection authority (CNIL).
8. Cookies
PushPlay uses cookies and similar technologies for the following purposes:
- Essential cookies — Required for authentication and core functionality (e.g., session tokens). These cannot be disabled.
- Analytics cookies — Help us understand how the Service is used so we can improve it. These are only set with your consent.
We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings.
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest
- Encrypted storage of OAuth tokens
- Regular security reviews of our infrastructure
- Minimal data access principles (least privilege)
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to hi@pushplay.dev.
10. Children's Privacy
PushPlay is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through the Service.
We encourage you to review this page periodically for the latest information on our privacy practices.
12. Contact
If you have any questions about this Privacy Policy or our data practices, please contact:
Matt Mazzega
PushPlay
Email: hi@pushplay.dev
Website: pushplay.dev
Data Protection Authority: CNIL (Commission Nationale de l'Informatique et des Libertés)