Privacy Policy

Effective Date: January 15, 2026
Last Updated: January 15, 2026

Overview

PreviewKit ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, and protect your data when you use our service.

PreviewKit is a GitHub Action that deploys per-PR frontend preview containers into your own Azure infrastructure. Your backend and database remain in your control.

Short version: We collect minimal data. We don't sell it. We don't read your code.

1. Data Controller

Company: [Your Company Name]
Contact: support@previewkit.dev
Location: [Your Address]

2. What Data We Collect

2.1 Data You Provide Directly

For Free Tier Users:

• None - Free tier requires no registration

For Paid Tier Users:

• Email address (for billing and support)
• Company name (optional)
• Payment information (processed by Stripe, we never see card numbers)

2.2 Data Collected Automatically

When you use PreviewKit:

GitHub Integration Data:

• GitHub organization/username
• Repository names (e.g., "myorg/myrepo")
• Pull Request numbers
• Commit SHAs (first 7 characters)
• GitHub Actions metadata (run IDs, timestamps)

Usage Data:

• License key hash (not the key itself)
• Number of active preview environments
• Number of deployments per month
• Deployment timestamps
• Cloud provider used (Azure/AWS/GCP)
• Service names (e.g., "my-app-frontend")

Technical Data:

• IP addresses (for API requests, retained 7 days)
• User agent strings
• API request logs (retained 30 days)

2.3 Data We DO NOT Collect

We never access or store:

• ❌ Your source code
• ❌ Your environment variables (beyond what you configure)
• ❌ Your cloud provider credentials
• ❌ Your container images or application data
• ❌ Contents of your Pull Requests
• ❌ Your team conversations
• ❌ Personal files or documents

3. How We Use Your Data

3.1 Service Delivery

• Validate license and enforce usage limits when you deploy frontend previews
• Track deployment events (create/destroy) for billing
• Enable PR comments with preview URLs (posted by the GitHub Action)

3.2 Billing and Payments

• Process subscription payments via Stripe
• Generate invoices
• Detect and prevent fraud

3.3 Support

• Respond to support requests
• Debug deployment issues
• Improve service reliability

3.4 Analytics and Improvement

• Understand feature usage
• Improve service performance
• Plan new features
• Aggregate (anonymized) usage statistics

3.5 Legal Compliance

• Comply with court orders
• Prevent Terms of Service violations
• Protect our legal rights

4. Data Sharing

We share your data only in these situations:

4.1 Third-Party Service Providers

All providers are GDPR-compliant and have Data Processing Agreements.

4.2 Legal Requirements

• When required by law
• To protect our rights
• To prevent fraud or abuse

4.3 Business Transfers

If we're acquired, your data may transfer to the new owner (you'll be notified).

4.4 What We DON'T Do

• ❌ Sell your data to third parties
• ❌ Use your data for advertising
• ❌ Share data with data brokers
• ❌ Train AI models on your code

5. Data Retention

You can request early deletion (see section 7).

6. Data Security

6.1 Measures We Take

• ✅ Encryption in transit (HTTPS/TLS)
• ✅ Encryption at rest (database)
• ✅ License keys hashed (SHA-256, never stored plain)
• ✅ Access controls (least privilege)
• ✅ Regular security updates
• ✅ Audit logging

6.2 What You Should Do

• Secure your GitHub secrets
• Use OIDC instead of long-lived credentials
• Secure your license key (treat like a password)
• Enable 2FA on your accounts

6.3 Data Breaches

If we discover a breach affecting your data:

• Notification within 72 hours (GDPR requirement)
• Details of what was compromised
• Steps we're taking
• Steps you should take

7. Your Rights (GDPR & Privacy)

7.1 Right to Access

Request a copy of all data we have about you.

How: Email support@previewkit.dev with your license key or email address.

7.2 Right to Rectification

Correct inaccurate data.

How: Update via account dashboard or contact support.

7.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your data.

How: Cancel your subscription and email support@previewkit.dev.

Note: We may retain invoices for 7 years (legal requirement).

7.4 Right to Data Portability

Export your data in a machine-readable format.

How: Email support@previewkit.dev (we'll provide JSON export).

7.5 Right to Object

Object to how we process your data.

How: Email support@previewkit.dev.

7.6 Right to Restrict Processing

Request we pause processing your data.

How: Email support@previewkit.dev.

7.7 Right to Withdraw Consent

You can withdraw consent anytime by cancelling your subscription.

8. Cookies

8.1 What Cookies We Use

Essential Cookies:

• Session cookies (logged-in state)
• Security tokens (CSRF protection)

Analytics Cookies (if enabled):

• Page views
• Feature usage
• Error tracking

8.2 Cookie Control

You can disable non-essential cookies in your browser settings. Essential cookies are required for the service to work.

8.3 No Tracking

We do not use third-party tracking cookies or advertising pixels.

9. Children's Privacy

PreviewKit is not intended for users under 13 (US) or 16 (EU). We do not knowingly collect data from children.

If you believe a child has used our service, contact support@previewkit.dev and we'll delete their data.

10. International Data Transfers

10.1 Where Your Data Lives

• Primary database: [Your region, e.g., US-East]
• Backups: [Backup region]
• Processing: May occur in US, EU, or other regions

10.2 EU Users

If you're in the EU and we transfer data outside the EU:

• We use Standard Contractual Clauses (SCCs)
• Or rely on adequacy decisions
• Or obtain your explicit consent

11. California Privacy Rights (CCPA)

If you're a California resident:

11.1 Right to Know

Request what data we collect and how we use it (see section 2).

11.2 Right to Delete

Request deletion of your data (see section 7.3).

11.3 Right to Opt-Out of Sale

We don't sell your data, so this doesn't apply.

11.4 Right to Non-Discrimination

We won't discriminate against you for exercising your rights.

Contact: support@previewkit.dev or call [Your Phone Number]

12. Changes to This Policy

• We may update this policy as the service evolves
• Material changes: 30 days notice via email
• Continued use = acceptance of new policy
• Previous versions: Available on request

13. Contact Us

Questions about privacy?

Email: support@previewkit.dev
Website: previewkit.dev/privacy
Mail: [Your Company Address]

Data Protection Officer (if applicable)

Name: [DPO Name]
Email: support@previewkit.dev

EU Representative (if applicable, for GDPR)

Name: [EU Rep Name]
Address: [EU Address]

14. Supervisory Authority

If you're unhappy with how we handle your data, you can complain to:

EU Users: Your national data protection authority
UK Users: Information Commissioner's Office (ICO)
California Users: California Attorney General

Appendix: Data Processing Agreement (DPA)

For Enterprise customers requiring a DPA, contact hello@previewkit.dev.

Last reviewed: January 15, 2026

Notes for Compliance

⚠️ IMPORTANT: Before going live with paying customers (especially EU customers):

1. Verify compliance:

   • GDPR (EU)
   • CCPA (California)
   • Any industry-specific regulations

2. Add required elements:

   • Your company's legal name and address
   • DPO contact (required for EU if processing large scale)
   • EU representative (required if you're outside EU but serve EU customers)

3. Legal review:

   • Have a lawyer review ($500-1,500)
   • Ensure Standard Contractual Clauses are current
   • Verify cookie consent mechanism

4. Technical implementation:

   • Cookie consent banner (for EU users)
   • Data export functionality (GDPR Article 20)
   • Data deletion workflow (GDPR Article 17)

For MVP (< 10 customers): This template is sufficient with disclaimers. Add:

⚠️ BETA PRIVACY POLICY: We're refining our privacy practices.
If you have concerns, contact support@previewkit.dev before signing up.

Cost to make compliant: $1,000-3,000 (lawyer + tooling) Timeline: 2-4 weeks