Privacy.
Last updated · 14 May 2026
prelight is operated by Greyframe, a software studio based in Trondheim, Norway. We are the data controller for everything you put into prelight. The summary: we collect the minimum we need to run the service, we don't sell anything to anyone, and you can delete your account at any time.
What we store
- Account — name, email, hashed password, organisation name, and the timestamp you signed up.
- Watch list — which software your team has opted into, and your notification preferences for each one.
- Session — a signed cookie that keeps you logged in. Sessions expire after 30 days of inactivity.
- Operational logs — request paths, status codes, and worker exceptions. Retained for 30 days for debugging, then discarded.
We do not store IP addresses long-term, run analytics scripts in the browser, or use third-party trackers. The only outbound network calls from the app are to fetch software vendor release notes on your behalf.
Retention
- Account data — retained until you delete your account or 24 months after your last sign-in, whichever comes first.
- Notification history — 12 months from the send date, then purged.
- Operational logs / Sentry errors — 30 days, then purged.
- Backups — weekly D1 snapshots retained 90 days for disaster recovery, then overwritten.
- Data export bundles — 7 days from the moment you request one, then irrecoverably removed from cache storage.
Sub-processors
We use a small, deliberate list of sub-processors. Adding or replacing any of them is announced by email at least 14 days before the change takes effect — see DPA for full terms.
- Cloudflare, Inc. — application hosting (Workers, D1, KV, Queues, Email Routing). Data resides in Cloudflare's global network. Terms: Cloudflare DPA.
- Functional Software, Inc. (Sentry) — server-side error reporting. Stack traces and request metadata are sent on uncaught exceptions; no in-browser tracking. Terms: Sentry DPA.
Mail in and out flows through Cloudflare Email Routing — there is no separate mail provider. No analytics, advertising, or session-replay sub-processors are used.
What we send you
Transactional email only — release notifications you opted into, sign-in and password-reset flows, and (rarely) operator-initiated service messages about incidents or planned downtime. Every notification has a one-click unsubscribe link in the header and footer.
Your rights
EU/EEA residents have the following rights under GDPR. UK residents have equivalent rights under the UK GDPR. We respond within 30 days of a verifiable request.
- Article 15 — Access. Use the export tool in your settings to download a full JSON dump of everything we hold about you.
- Article 16 — Rectification. Edit your name and notification preferences from settings; email privacy@prelight.dev for anything else.
- Article 17 — Erasure ("right to be forgotten"). Use the "Delete account" action in settings. Solo-owned workspaces are deleted; multi-member workspaces survive with ownership transferred to the next admin.
- Article 18 — Restriction. Email us to suspend processing while a dispute is resolved.
- Article 20 — Portability. The export is delivered as machine-readable JSON, suitable for re-import elsewhere.
- Article 21 — Objection. Object to any processing by emailing us; we'll restrict or stop unless we have an overriding legal basis.
- Lodge a complaint. You can complain to your local supervisory authority. In Norway that is Datatilsynet.
Security
Passwords are hashed with bcrypt. Sessions are signed with a server-side secret. All transport is HTTPS only, with HSTS preloaded. If we suffer a breach affecting your data, we will email you within 72 hours of becoming aware of it.
Changes
We will update this page when the substance changes — not for typos. Material changes are announced by email at least 14 days before they take effect.
Contact
Greyframe · Trondheim, Norway · privacy@prelight.dev