Makrly auto-generates your product communications from GitHub commits. Connect your repo and get: social posts for X, LinkedIn, Threads, Bluesky, and Facebook; an auto-updating changelog with embeddable widget; an AI-generated FAQ from your URLs; a public idea board where users vote on features; and a shareable roadmap. Free forever for public repos.

How does Makrly generate posts from my commits?

Makrly reads your commit messages, filters out trivial ones, and uses AI to generate platform-specific posts in your voice. A 2-minute quiz captures your tone so posts sound like you, not generic marketing copy.

How does the changelog work?

Enable auto-mode and every commit or merged PR becomes a changelog entry. Embed the widget on your site with a single script tag. Customize themes, colors, position, and trigger icon. Users can react to entries and subscribe via RSS.

Is my code safe? What permissions do you need?

Yes, your code is safe. We only request read-only access to your repositories. We read commit messages and file names — never your source code. We can't modify your repo or push changes. Revoke access from GitHub settings anytime.

Can I use my own AI API key?

Yes! Bring your own key from OpenAI, OpenRouter, or Straico. Choose from 40+ models including GPT-4o, Claude, Llama, and more. Pay pennies per generation directly to your provider — we never charge per post.

Privacy Policy

Last updated: March 3, 2026

1. Introduction

Welcome to Makrly ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you understand how we collect, use, and safeguard your information when you use our service at makrly.com (the "Service").

This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding your personal data. It applies to all users of the Service, including visitors to our public-facing widgets (changelog, help center, and idea boards).

2. Information We Collect

2.1 Information from GitHub

When you authenticate with GitHub, we collect:

Your GitHub username and profile information
Your email address associated with your GitHub account
Access to your public and private repositories (based on permissions you grant)
Commit messages, diffs, and metadata from repositories you connect
Commit author information: When you connect a repository, we collect commit metadata including author names and email addresses from your commit history. This may include data from other contributors to the repository.
Pull request data: Pull request titles, descriptions, author names, and merge timestamps from repositories you connect
Repository README: We cache your repository's README content to provide context for AI-generated content

When you enable real-time sync (GitHub webhooks), we also receive push events and pull request data automatically as they occur. Webhook payloads are stored temporarily (typically 7 days) for event processing and idempotency verification, then associated data is stored per our normal retention policies.

2.2 Information You Provide

Your content preferences and personality quiz responses (including formality, energy, detail, humor, self-presentation, and technical depth preferences)
Social media platform preferences
Custom AI prompts and writing style configuration
Payment information (processed securely by Stripe — we do not store card details)
Third-party API keys you voluntarily provide (stored with AES-256-GCM encryption)
Cancellation feedback if you choose to provide a reason when cancelling your subscription
Changelog and idea board customization (custom categories, entry templates, SEO descriptions)

2.3 Automatically Collected Information

Usage data and analytics (e.g., feature engagement, onboarding progress)
Device and browser information
IP address and approximate location data
Activation events: Onboarding milestones including first dashboard visit, first repository sync, first post generated, quiz completion, webhook registration, and changelog creation. These events are stored with timestamps to track your progress and trigger relevant onboarding assistance.
Email interaction tracking: We record which onboarding and trial reminder emails have been sent to you (with timestamps) to prevent duplicate sends and to respect your engagement preferences
Subscription events: Changes to your subscription tier, payment successes and failures, and associated metadata are logged for billing accuracy and support

2.4 Changelog Widget Analytics

If you embed our changelog widget on your website, we collect the following information from visitors who view the widget:

Hashed IP address: We use a one-way hash (SHA-256) of visitor IP addresses for rate limiting and analytics purposes. We do not store raw IP addresses.
User agent: Browser and device information
Referrer: The URL of the page where the widget is embedded
View timestamps: When changelog entries are viewed
Reactions and feedback: Optional emoji reactions (happy, neutral, sad), text feedback, and follow-up email addresses if voluntarily provided by the visitor

This data is collected to provide view counts and analytics for your changelog entries. Rate limiting (one view per IP per hour) prevents abuse.

2.5 Image Processing & Uploads

When you use our social media graphics features (code snippets, browser mockups, image editing), all image processing occurs in your browser. We do not upload, store, or process your social media graphics on our servers. The images you create remain entirely on your device until you choose to download or share them.

Changelog images and logos: If you upload images or logos for your changelog entries, these files are stored on our CDN (Bunny CDN) and are accessible via public URLs. You can delete uploaded images at any time, and they are automatically removed when you delete the associated changelog entry or your account.

2.6 Public Ideas & Roadmap

If you enable the public ideas and roadmap feature, visitors to your idea board may submit ideas, vote, and comment. We collect the following from these visitors:

Submission data: Name, email address (if required by the board owner), idea title, description, and category
Hashed IP address: Used for rate limiting (one submission per minute per IP) and vote deduplication. Raw IP addresses are not stored.
Votes: Anonymous votes tracked by hashed IP address
Comments: Comment content and optional author name and email

Idea board owners configure whether email is required for submissions. All public submissions are visible to the board owner in their dashboard.

2.7 Help Widget & Contact Form

Our embeddable help widget includes a FAQ search feature and contact form:

Search queries: FAQ search terms are logged with a truncated hashed IP address and result count for analytics purposes
FAQ feedback: Helpful/unhelpful votes per article, tracked by hashed IP address
Contact form submissions: Name, email address, and message content. These are stored in the account owner's inbox and may be forwarded to their configured support email address.

2.8 Developer API

If you use our Developer API, we generate scoped API keys on your behalf. We log API usage including request timestamps, endpoints accessed, and rate limit data. API keys can be configured with expiry dates and specific permission scopes.

3. How We Use Your Information

We use the information we collect to:

Generate social media posts from your GitHub commits using AI
Create and publish changelogs, help docs, and idea boards
Personalize content based on your preferences and writing style
Process payments and manage your subscription
Improve and optimize our Service
Send transactional emails (subscription confirmations, payment receipts, payment failure notices)
Send onboarding emails to help you get started (welcome email, feature nudges on days 1, 3, and 5 after signup)
Send trial reminders before your trial period ends (1 and 3 days before expiry)
Detect and prevent fraud or abuse through rate limiting and audit logging
Provide analytics and usage insights for your changelogs, help docs, and idea boards
Track activation milestones to provide timely, relevant onboarding guidance
Monitor payment health and notify you of failed payment attempts
Maintain audit trails for compliance and security incident investigation

4. AI Processing

We use third-party AI services to generate social media posts and changelog descriptions from your commit data. Your commit messages and related metadata are sent to these services for processing. We do not use your data to train AI models.

AI Providers we use:

OpenAI — For GPT-4o and GPT-4o-mini models
OpenRouter — A routing service that may connect to Anthropic (Claude), Google (Gemini), Meta (Llama), and other AI providers
Straico — An AI platform providing access to multiple language models

If you provide your own API keys, the respective AI provider's terms of service and privacy policy apply to that processing. The AI providers process your data according to their respective privacy policies and data processing agreements.

Note on AI-generated content: AI outputs may not always be accurate. You are responsible for reviewing all generated content before publishing. We do not make automated decisions that produce legal effects or significantly affect you based solely on AI processing.

EU AI Act compliance: Our use of AI is limited to content generation assistance (social media posts, changelog descriptions). This is not classified as a high-risk AI system under the EU AI Act. All AI outputs require human review before publication, and no automated profiling or scoring of individuals is performed.

5. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

Contract (Article 6(1)(b)): Processing necessary to provide the Service you signed up for, including generating posts from your commits, managing your subscription, sending transactional emails, and providing account features.
Legitimate Interest (Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving our Service, preventing fraud, ensuring security, sending onboarding emails, and analyzing usage patterns — where these interests are not overridden by your rights.
Consent (Article 6(1)(a)): Where you have given explicit consent, such as for analytics cookies or providing optional feedback and contact information through our widgets.
Legal Obligation (Article 6(1)(c)): Where we need to process data to comply with a legal obligation, such as retaining payment records for tax purposes or responding to lawful data subject requests.

For data collected from third-party contributors via repository commits, our legal basis is the legitimate interest of the account holder in using the Service to create content from their repositories.

6. Data Sharing and Sub-processors

We do not sell your personal information. We share your data only with the following categories of service providers, each bound by data processing agreements:

6.1 Infrastructure & Hosting

Vercel — Application hosting and serverless functions (United States)
Neon — PostgreSQL database hosting (United States)
Bunny CDN — Content delivery network for widget scripts, uploaded images, and logos (Global edge network, primary storage in Germany)

6.2 Payment Processing

Stripe — Payment processing, subscription management, and invoicing. Stripe is PCI-DSS Level 1 compliant. We never store your card details on our servers.

6.3 AI Content Generation

OpenAI, OpenRouter, Straico — As described in Section 4 above

6.4 Email Delivery

SMTP email service — Transactional and onboarding emails are delivered via authenticated SMTP. Email content includes your name, email address, and relevant account information (e.g., subscription status, trial dates).

6.5 Source Code Integration

GitHub — OAuth authentication, repository access, and webhook event delivery

6.6 Scheduled Task Processing

Cron job service — An external scheduling service triggers periodic tasks such as onboarding email delivery, trial reminders, repository syncs, and data cleanup. The service only initiates requests to our endpoints using a shared secret — no personal data is transmitted to or stored by the scheduling service.

We may also disclose your data when required by law, to protect our rights, or to comply with a judicial proceeding, court order, or legal process.

Data Processing Agreements: If you use our embeddable widgets and act as a data controller, you may request a Data Processing Agreement (DPA) by contacting us at hello@makrly.com. We maintain DPAs with our own sub-processors to ensure the entire data processing chain meets GDPR requirements.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

Encryption in transit: All data is transmitted via HTTPS/TLS
Encryption at rest: API keys, access tokens, and webhook secrets are encrypted using AES-256-GCM (authenticated encryption) before storage
IP hashing: Visitor IP addresses are hashed using SHA-256 before storage — raw IPs are not retained. For FAQ search analytics, hashes are additionally truncated to 16 characters to further reduce identifiability.
Secure authentication: OAuth 2.0 via GitHub with session management
Rate limiting: Database-backed rate limiting on sensitive endpoints (data exports, public submissions, API access)
Webhook verification: GitHub webhook payloads are verified using HMAC-SHA256 signatures
Audit logging: Security-relevant events (data exports, account deletions, settings changes) are logged for compliance

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our Service. Specific retention periods:

Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
Commit and post data: Deleted immediately when you delete your account or remove a repository.
Pull request data: Deleted when the associated repository is removed or your account is deleted.
Repository README cache: Updated on each sync and deleted when the repository is removed or your account is deleted.
Changelog entries and analytics: Deleted when you delete your account. Widget view analytics are retained as long as the associated changelog exists.
Uploaded images and logos: Removed from CDN when you delete the associated entry, or upon account deletion.
Ideas, votes, and comments: Retained while your account is active. Deleted with account deletion.
Contact form messages: Retained until manually deleted by the account owner, or deleted with account deletion.
Help doc source pages: Fetched documentation content is retained while the help source is active. Deleted when the source is removed or your account is deleted.
FAQ search analytics: Retained for analytics purposes and periodically cleaned up. Deleted with account deletion.
Webhook events: Stored temporarily (up to 7 days) for idempotency and error handling. Periodically cleaned up.
Activation and onboarding data: Activation events and drip email tracking records are retained while your account is active and deleted with account deletion.
Cancellation feedback: Retained for product improvement purposes and deleted with account deletion.
Payment records: Retained for 7 years as required by tax and accounting laws. This includes invoices, payment failure logs, and subscription event history.
Audit logs: User action logs and admin logs are retained for a minimum of 2 years for compliance purposes, or longer as required by law.
Rate limit entries: Temporary records used to enforce rate limits. Automatically expired and cleaned up within hours.
Backups: Purged within 90 days of data deletion.

You can delete your account at any time from your Settings page, or by contacting us at hello@makrly.com. Upon account deletion, we initiate cascading deletion of all your data across our systems.

9. Your Rights

9.1 EU/EEA/UK Residents (GDPR)

If you are located in the EU/EEA/UK, you have the following rights under the General Data Protection Regulation:

Right of Access (Article 15): Request a copy of your personal data. You can export your data directly from your Settings page at any time.
Right to Rectification (Article 16): Correct inaccurate or incomplete data
Right to Erasure (Article 17): Delete your personal information ("right to be forgotten"). You can delete your account from your Settings page, which triggers cascading deletion of all associated data.
Right to Data Portability (Article 20): Export your data in a machine-readable JSON format via the Settings page. Your export includes your profile, settings, repositories, commits, generated posts, and subscription information.
Right to Restrict Processing (Article 18): Request that we limit how we use your data
Right to Object (Article 21): Object to processing based on legitimate interests, including onboarding emails and activation tracking
Right to Withdraw Consent (Article 7): Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. You can manage your cookie preferences via the cookie banner or the "Cookies" link in our footer.

To exercise these rights, visit your Settings page to export or delete your data, or contact us at hello@makrly.com. We will respond to your request within 30 days, as required by GDPR. If we need more time (up to an additional 60 days for complex requests), we will inform you of the extension and the reasons for the delay.

Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU/EEA DPAs can be found at edpb.europa.eu.

9.2 US State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or other US states with comprehensive privacy laws, you may have additional rights including:

Right to Know: What personal information we collect, use, and disclose about you
Right to Delete: Request deletion of your personal information
Right to Opt-Out of Sale: We do not sell your personal information to third parties
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, use the self-service tools in your Settings page or contact us at hello@makrly.com. We will verify your identity before processing your request.

10. Automated Decision-Making

We use AI to generate social media posts and changelog descriptions from your commit data. This processing is automated but:

Generated content is always presented for your review before publishing — no content is published automatically without your approval
The AI processing does not produce legal effects or similarly significantly affect you
You retain full control over whether to use, edit, or discard any AI-generated content

We do not use automated decision-making or profiling that produces legal effects or significantly affects our users, as defined under GDPR Article 22.

11. Cookies & Local Storage

We use cookies and similar technologies to provide and improve our Service. For detailed information about each cookie we set, please see our Cookie Policy.

Essential Cookies: Required for authentication, session management, and keeping you logged in. These cookies are necessary for the Service to function and cannot be disabled. These include session tokens set by our authentication provider (NextAuth.js).
Preference Storage: Your cookie consent choice (accept or decline) and the timestamp of your decision are stored in your browser's local storage (not as cookies). These are not sent to our servers.
Analytics Cookies: Optional cookies that help us understand how you use our Service. You can accept or reject these when you first visit our site via the cookie consent banner. The reject button is displayed with equal prominence to the accept button.

You can manage your cookie preferences at any time by clicking the "Cookies" link in the footer of any page, which re-opens the consent banner. You may also clear cookies via your browser settings. Note that disabling essential cookies will prevent you from using the Service.

Our embeddable widgets (changelog, help center, idea board) do not set cookies on your visitors' devices. Widget analytics use server-side IP hashing instead of cookies.

12. Third-Party Links

Our Service may contain links to third-party websites or services (including GitHub, social media platforms, and AI provider websites). We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any personal information.

13. Children's Privacy

Our Service is not intended for children under 13 years of age (or 16 in the EU/EEA). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal data from a child under the applicable age, we will take steps to delete that information promptly.

14. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. Our primary infrastructure is located in the United States (Vercel and Neon), with CDN edge nodes globally (Bunny CDN, primary storage in Germany).

For transfers from the EU/EEA/UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, the EU-US Data Privacy Framework where applicable, and other applicable transfer mechanisms to ensure your data is protected in accordance with GDPR requirements.

Our sub-processors that handle personal data are listed in Section 6, including their geographic locations. We conduct transfer impact assessments and ensure each sub-processor provides appropriate safeguards for international data transfers.

15. Widget Users & Third-Party Visitors

If you interact with a Makrly widget (changelog, help center, or idea board) embedded on another website, please be aware:

The widget is operated by the website owner who has a Makrly account
We act as a data processor on behalf of the website owner (the data controller) for widget-related data
We collect only the data described in Sections 2.4, 2.6, and 2.7 above
We hash IP addresses before storage and do not use widget data for advertising or cross-site tracking
Contact information you voluntarily provide (e.g., in idea submissions or contact forms) is accessible to the website owner

16. Do Not Track & Global Privacy Control

We respect Do Not Track (DNT) browser signals and Global Privacy Control (GPC) signals. When we detect a GPC or DNT signal, we treat it as a valid opt-out of non-essential data collection, equivalent to declining analytics cookies via our consent banner. No additional action is needed on your part.

17. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34). Notification will include the nature of the breach, likely consequences, and measures taken or proposed to address it.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes that affect how we process your data, we may also notify you via email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

19. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about how we handle your data, please contact us at:

Email: hello@makrly.com

We aim to respond to all data protection inquiries within 30 days.