This Privacy Policy describes how Splithook ("we", "our", "us") collects, uses, and shares information about you when you use our webhook debugging service at splithook.com (the "Service").
1. Data We Collect
Account data
When you register, we collect your email address and a hashed password. If you accept a workspace invitation, we store your membership and role.
Webhook payload data
Webhook request bodies are stored in Redis with a configurable TTL (default: 72 hours) and then permanently deleted. Raw payloads are never written to persistent storage beyond that window. We store metadata (endpoint slug, provider, HTTP method, headers, timestamp) in PostgreSQL for your workspace's request history.
Usage and billing data
If you subscribe to a paid plan, Stripe processes your payment. We store only the Stripe customer ID, subscription status, and plan tier — never raw card data.
Technical data
We collect standard server logs (IP address, user-agent, timestamp) for security and debugging. These logs are retained for 30 days.
2. How We Use Your Data
- Provide the Service — authenticate you, capture and forward webhooks, display your request history.
- Billing — manage your subscription via Stripe.
- Security — detect abuse, rate-limit endpoints, investigate incidents.
- Transactional emails — send account verification, password reset, and workspace invitation emails.
We do not sell your data to third parties or use it for advertising.
3. Data Sharing
| Recipient | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, subscription events |
| Sentry | Error monitoring | Stack traces (no payload data) |
| Hetzner / OVH | Hosting | All data, processed under DPA |
We share data with third parties only as necessary to operate the Service, under contractual data protection agreements.
4. Data Retention
- Webhook payloads (Redis): deleted after
WEBHOOK_BODY_TTLseconds (default 72 h). - Webhook metadata (PostgreSQL): kept while your workspace is active; deleted within 30 days of account deletion.
- Account data: deleted within 30 days of account deletion request.
- Server logs: 30 days rolling retention.
5. Your Rights (GDPR)
If you are in the European Economic Area, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email . We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority (in France: CNIL).
6. Cookies
We use only strictly necessary session cookies for authentication. No tracking or advertising cookies are set. See our Cookie Policy.
7. Security
Webhook payloads in transit use TLS. Secrets stored at rest (HMAC keys, API tokens) are encrypted using AES-256-GCM before being written to the database. We conduct periodic security reviews.
8. Children
The Service is not directed at children under 16. We do not knowingly collect data from minors.
9. Changes to This Policy
We may update this policy. Material changes will be notified by email or a notice on the Service at least 14 days in advance. Continued use after that date constitutes acceptance.