GDPR Compliance

General Data Protection Regulation

Last Updated: January 2025

EU GDPR Compliant

WebhookDrop is fully compliant with the General Data Protection Regulation (GDPR) and committed to protecting the privacy rights of individuals in the European Economic Area (EEA).

1. Introduction

This GDPR Compliance Statement outlines how WebhookDrop ("we", "our", "us") complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We are committed to protecting and respecting your privacy in accordance with GDPR requirements.

This document provides detailed information about our data processing activities, your rights under GDPR, and how we ensure compliance with data protection principles.

2. Data Controller Information

WebhookDrop acts as the Data Controller for personal data processed through our service.

Service Name: WebhookDrop

Email: support@webhookdrop.app

Data Protection Contact: support@webhookdrop.app

Website: https://webhookdrop.app

4. Personal Data We Collect

4.1 Account Data

  • Email Address: For account identification, login, and communication
  • Password: Hashed using bcrypt (never stored in plain text)
  • Account Display Name: Optional user-provided name
  • Verification Status: Email verification timestamp
  • Account Creation Date: Registration timestamp

4.2 Webhook Data

All webhook payloads are encrypted using AES-256-GCM

  • HTTP request headers
  • Request body/payload content
  • Source IP addresses
  • Request timestamps
  • HTTP methods and response codes

4.3 Technical Data

  • IP addresses (for security and service delivery)
  • Browser type and version
  • Device information
  • Access logs (90-day retention)
  • API usage metrics (anonymized)

5. How We Process Your Data

GDPR Processing Principles

We adhere to all six GDPR data processing principles:

  • Lawfulness, Fairness & Transparency: Clear legal basis and transparent practices
  • Purpose Limitation: Data used only for specified purposes
  • Data Minimization: Only necessary data collected
  • Accuracy: Data kept accurate and up-to-date
  • Storage Limitation: Automatic deletion after retention period
  • Integrity & Confidentiality: AES-256-GCM encryption & security

6. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

Right of Access (Art. 15)

Obtain confirmation and access to your personal data

How to exercise: Email support@webhookdrop.app or use account settings

Response time: Within 30 days

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data

How to exercise: Update via account settings or contact support

Response time: Immediate via settings, or within 30 days

Right to Erasure (Art. 17) - "Right to be Forgotten"

Request deletion of your personal data

How to exercise: Delete account via settings or email support@webhookdrop.app

Response time: Immediate deletion; complete within 30 days

Right to Restriction of Processing (Art. 18)

Limit how we process your data

How to exercise: Email support@webhookdrop.app

Response time: Within 30 days

Right to Data Portability (Art. 20)

Receive your data in machine-readable format (JSON)

How to exercise: Export via account settings or email support@webhookdrop.app

Response time: Immediate export available; custom requests within 30 days

Right to Object (Art. 21)

Object to processing based on legitimate interests or direct marketing

How to exercise: Opt-out links in emails or email support@webhookdrop.app

Response time: Immediate for marketing; within 30 days for other objections

Rights Related to Automated Decision-Making (Art. 22)

We do not use automated decision-making or profiling

All account and service decisions involve human review

Right to Withdraw Consent (Art. 7(3))

Withdraw consent for processing based on consent

How to exercise: Email support@webhookdrop.app or use account settings

Response time: Immediate effect

7. Data Retention Periods

Webhook Data Retention (Automatic Deletion)

  • Free Trial: 14 days (auto-deleted after retention period)
  • Starter Plan: 90 days (auto-deleted after retention period)
  • Business Plan: 180 days (auto-deleted after retention period)
  • Enterprise Plan: 365 days (auto-deleted after retention period)

Other Data Retention

  • Active Account Data: Retained while account is active
  • Deleted Account Data: Permanently removed within 30 days
  • Billing Records: 7 years (legal requirement)
  • Support Communications: 2 years
  • System Logs: 90 days
  • Backup Data: Included in retention periods above

8. International Data Transfers

EU Data Residency

All webhook payload data is stored in the European Union:

  • Primary Storage: Cloudflare R2 (EU region)
  • Backup Storage: EU region
  • Database: EU-based PostgreSQL
  • No transfers outside EU/EEA for webhook data

Third-Party Services

We use limited third-party services that may process data:

  • Email Service (Mailgun): For transactional emails
    Safeguards: EU-based service, Standard Contractual Clauses (SCCs)
  • Payment Processors: For billing (if applicable)
    Safeguards: PCI DSS compliance, SCCs

9. Technical and Organizational Security Measures

We implement appropriate technical and organizational measures as required by GDPR Article 32:

Technical Measures

  • AES-256-GCM encryption at rest
  • TLS 1.2+ encryption in transit
  • Bcrypt password hashing
  • Multi-factor authentication (MFA)
  • Regular security audits
  • DDoS protection (Cloudflare)
  • Intrusion detection systems

Organizational Measures

  • Staff data protection training
  • Access control policies (RBAC)
  • Confidentiality agreements
  • Data processing records (Art. 30)
  • Incident response procedures
  • Regular compliance reviews
  • Privacy by design approach

10. Data Protection Officer (DPO)

You can contact our Data Protection Officer for any GDPR-related inquiries:

Email: support@webhookdrop.app

Subject Line: GDPR Inquiry - [Your Topic]

Response Time: Within 72 hours for urgent matters, 30 days for formal requests

11. Cookies and Tracking Technologies

We use cookies in compliance with the GDPR and the ePrivacy Directive:

  • Essential Cookies (No Consent Required): Authentication, security, session management
  • Functional Cookies (Opt-In): Preferences, language, interface settings
  • Analytics Cookies (Opt-In): Anonymized usage statistics, performance monitoring

Manage your cookie preferences via our cookie consent banner or browser settings.

12. Children's Personal Data

Age Restriction: Our service is not intended for individuals under 18 years of age.

  • We do not knowingly collect data from children under 16 (GDPR age of consent)
  • If we discover we have collected data from a child, we will delete it immediately
  • Parents/guardians can contact us at support@webhookdrop.app to request deletion

13. Data Breach Notification (Art. 33 & 34)

Our Commitment:

  • Supervisory Authority Notification: Within 72 hours of breach discovery (Art. 33)
  • User Notification: Without undue delay if high risk to rights and freedoms (Art. 34)
  • Breach Documentation: All breaches documented per Art. 33(5)
  • Mitigation Actions: Immediate containment and remediation measures

14. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in your EU member state of residence, workplace, or where an alleged infringement occurred.

EU Data Protection Authorities:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

While you have the right to lodge a complaint, we encourage you to contact us first at support@webhookdrop.app so we can address your concerns directly.

15. Contact Us - GDPR Requests

Exercise Your GDPR Rights

Email Addresses

  • General Privacy: support@webhookdrop.app
  • Data Protection Officer: support@webhookdrop.app
  • GDPR Requests: support@webhookdrop.app

Response Times

  • Acknowledgment: 48-72 hours
  • Full Response: Within 30 days (extendable to 60 days for complex requests)
  • Urgent Matters: Prioritized handling

Identity Verification: For security, we may require identity verification before processing GDPR requests.


This GDPR Compliance Statement was last updated in January 2025 and reflects our current data processing practices in accordance with GDPR requirements.