Privacy Policy
Version 2026-05-01 · Last update: May 2026
1. Data controller
The controller for personal data collected via release.wtf is:
Maxime LEBRUN — Entrepreneur individuel (EI)
SIREN : 843 326 430
Headquarters address : 36 rue Charles Sanglier, 45000 Orléans, France
Email : hey@release.wtf
2. Data collected and purposes
| Data | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Authentication (magic link), service notifications | Contract performance | As long as the account is active | |
| Postal address and tax ID | Compliant invoicing (Commercial Code, GDPR art. 6) | Legal obligation | 10 years (accounting requirement) |
| Submitted content (events, calendars) | Service performance | Contract performance | Until deleted by the user |
| Connection logs (hashed IP, user-agent) | Security, anti-fraud, anti-abuse | Legitimate interest | 30 days max |
| Usage stats (views, ICS downloads, calendar clicks, short link redirects, anonymized) | Understanding Service usage | Legitimate interest | 90 days |
| Payment data (last 4 digits of card) | Transaction identification | Contract performance | Stored by Stripe (see below) |
release.wtf has no access to full banking data (card number, CVV, etc.). All payment data is handled exclusively by our provider Stripe.
3. Cookies
release.wtf uses no tracking or advertising cookies. Only one technical cookie is used:
drop_cal_sess— session cookie, created only when a user signs in to their admin area. It keeps the session active. It is removed on sign-out or expires automatically after 30 days.
Public event pages viewed by anonymous visitors set no cookies. Traffic is measured anonymously and aggregated via Counter (see sub-processors below), without any cookies, logged IPs, or advertising trackers.
Note on event links (short links). When you add an event to your calendar (Apple, Google, Outlook) and later click the link from your calendar app, that link may pass through a technical redirection domain (release.wtf/r/<token> or a short alias like rls.wtf/<token>) before sending you to the final destination. This redirection lets us measure, anonymously, the actual click-through rate on drops for aggregated statistics. No personal data is stored at this step: only an irreversible hashed fingerprint of your IP address (sha256) is kept for up to 90 days, alongside a simplified browser identifier (e.g. "Chrome/iOS", never the precise version). No cookie is set during this redirection. The legal basis for this processing is legitimate interest (internal audience measurement, GDPR art. 6.1.f).
4. Sub-processors (third-party services)
To deliver the Service, release.wtf relies on the following providers. All have signed GDPR commitments or operate under standard contractual clauses approved by the European Commission.
| Provider | Role | Location | Data processed |
|---|---|---|---|
| LWS — Ligne Web Services | Server hosting (web + database) | France (EU) | All Service data (storage, execution) |
| Stripe Payments Europe Ltd. | Payment processing and invoicing | Ireland (EU) with US sub-processors (standard contractual clauses) | Email, name, address, tax ID, card data (encrypted) |
| Resend Inc. | Sending transactional emails (magic link, receipts) | United States (Privacy Shield successor + standard contractual clauses) | Recipient email, email content |
| Cloudflare, Inc. | DNS and anti-DDoS protection (where applicable) | United States with EU presence | Visitor IP, technical HTTP logs |
| Counter (counter.dev) | Anonymous, aggregated audience measurement (analytics) | Germany (EU) | Visited URL, referrer, user-agent, language, screen resolution, time zone. No cookies, no logged IP, no fingerprinting. |
| Crisp IM SARL | In-dashboard support messaging | France (Nantes, EU) | IP address, user-agent, content of messages exchanged with support, anonymous session cookie to identify your tab during the conversation. No personal data (email, identity) is transmitted automatically — only if you provide it yourself in the chat. |
Links to providers' privacy policies:
- LWS — GDPR policy
- Stripe — Privacy Policy
- Resend — Privacy Policy
- Cloudflare — Privacy policy
- Counter — About & privacy
- Crisp — Privacy Policy
5. Transfers outside the EU
Some of our providers (Stripe sub-processors, Resend, Cloudflare) may process data outside the European Union (mainly the United States). These transfers are governed by the European Commission's standard contractual clauses and, where applicable, by the Data Privacy Framework (DPF).
6. Your rights (GDPR)
In accordance with GDPR and the French Data Protection Act, you have the following rights over your personal data:
- Right of access — obtain a copy of the data concerning you.
- Right of rectification — correct inaccurate data.
- Right to erasure (art. 17) — permanent deletion of the account and associated data ("Delete my account" button on the My account page).
- Right to portability — retrieve your data in an open format (.ics and JSON export).
- Right to restriction and right to object — depending on the applicable legal basis.
- Right to withdraw consent at any time when it is the legal basis for processing.
To exercise these rights, contact us at hey@release.wtf. We commit to responding within one month at most.
7. Complaint to the CNIL
If you feel your rights are not respected, you can file a complaint with the French data protection authority (CNIL):
CNIL — 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07
Phone : 01 53 73 22 22 — www.cnil.fr
8. Security
release.wtf implements technical and organizational measures to protect your data:
- TLS encryption for all communications (HTTPS).
- Database-at-rest encryption on LWS servers.
- SHA-256 hashing of connection IPs (never stored in plaintext).
- Automatic pseudonymization of emails in error logs.
- Passwordless authentication (single-use magic link).
- HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
9. Data retention after deletion
When you delete your account, all your data is erased from our servers. However, certain accounting information (invoices, payment data) is retained by our provider Stripe for the legal accounting retention period (10 years in France), in accordance with Commercial Code obligations.
10. Policy changes
release.wtf may amend this policy. Any major change will be notified to users by email. The last-update date is shown at the top of this document.
11. Contact
For any question about your personal data: hey@release.wtf