Privacy Policy
Last updated May 2026
This page explains what data Drumroll collects, why, and how we protect it. We aim for the shortest honest version possible.
Who we are
Drumroll is operated as a sole-developer project. The data controller for purposes of GDPR is the operator of usedrumroll.com. Reach us at hello@usedrumroll.com.
What we collect
We collect only what’s required to make the product work:
- Account data - email address, optional display name and avatar, and authentication metadata. We do not store your password.
- Workspace content - workspace name, slug, theme and branding settings, promotional banner settings, and the changelog entries and guides you author.
- Uploaded assets - logos, favicons, cover images, inline images, and file attachments you upload while authoring. These are publicly readable - they are intended to be embedded on your public changelog or guides pages, so don’t upload anything you wouldn’t put on a public website.
- Branding extraction - if you paste a website URL to auto-fill your logo and brand color, we fetch that page once, read its publicly visible meta tags, and pre-fill the form. We don’t store the fetched page. If you save the result, the extracted assets become workspace content.
- Integration credentials - OAuth access tokens for the source systems you connect (GitHub, JIRA, Bitbucket), held encrypted at rest.
- Synced source data - the releases, fix versions, tags, and Markdown files you import become changelog entries or guides in your workspace. We don’t copy any data outside what each sync touches.
- Feedback you submit - if you use the in-app feedback widget, we store the message text, the page you were on, and (when available) your account ID and the workspace you were viewing. The email field is optional.
- Operational logs - request metadata held briefly for debugging. No access tokens, no cookies.
What we do not collect
- No third-party advertising or marketing trackers.
- No analytics on the public per-workspace pages your customers visit.
- No collection of source-system data beyond what you explicitly sync.
Where data lives
Application traffic, database, and uploaded assets are hosted with reputable cloud providers listed below. Data is encrypted in transit and at rest by those providers and by Drumroll. EU/UK customer data may be processed in regions outside the EU; see sub-processors for the list of providers.
Sub-processors
- Cloudflare Inc. - hosting, edge networking, asset storage
- Neon Inc. - managed Postgres database
- Clerk Inc. - authentication and identity
- GitHub Inc. - GitHub OAuth (when you connect)
- Atlassian Pty Ltd - JIRA OAuth (when you connect)
- Atlassian Pty Ltd / Bitbucket - Bitbucket OAuth (when you connect)
Your rights
You can export your data, correct inaccuracies, or request deletion at any time by emailing hello@usedrumroll.com. We aim to respond within 14 days. EU/UK residents have the rights described in GDPR Articles 15–22.
Cookies
We set authentication cookies and short-lived CSRF cookies during connection flows. Both are HTTP-only and same-site. We do not use tracking cookies of any kind.
Changes
Material changes to this policy will be announced in the product changelog and via email to workspace owners.