Privacy Policy

Last updated: March 13, 2026

1. Introduction

EmitHQ (“Company,” “we,” “us”) operates the EmitHQ webhook infrastructure platform. This Privacy Policy explains what data we collect, why, and how we handle it.

We act as a data processor for webhook payload data (processing on your instructions) and as a data controller for account and usage data.

2. Data We Collect

Category	Examples	Legal Basis
Account data	Name, email, company name, password hash	Contract performance
Billing data	Stripe customer ID, subscription status (no card numbers stored)	Contract performance
API keys	SHA-256 hashes only — plaintext never stored	Contract performance
Webhook payloads	Event data you send through the Service (transit and temporary storage)	Contract / Legitimate interest
Delivery metadata	Timestamps, HTTP status codes, response times, endpoint URLs	Legitimate interest
Usage data	Event counts, API call volumes, dashboard interactions	Legitimate interest
Analytics	Anonymized page views via Plausible (no cookies, no PII)	Legitimate interest

3. How We Use Your Data

Deliver webhook events to configured endpoints
Manage retry logic and dead-letter queues
Authenticate API requests and enforce tenant isolation
Monitor service health and debug delivery issues
Process billing and enforce usage quotas
Improve the Service based on aggregate usage patterns

We never inspect, sell, or share webhook payload content with third parties. Payloads are processed solely for the purpose of delivery.

4. Data Retention

Webhook event data is retained according to your subscription tier:

Free: 3 days
Starter: 14 days
Growth: 30 days
Scale: 90 days

Account data is retained for the duration of your account plus 30 days after termination. Billing records are retained as required by law (typically 7 years).

5. Subprocessors

We use the following third-party services to operate the platform:

Provider	Purpose	Data Processed
Cloudflare	Edge computing, CDN, DDoS protection	Request headers, payloads (transit)
Railway	Application hosting	All application data
Neon	PostgreSQL database	All persisted data
Upstash	Redis (queues, caching)	Queue job data, cache entries
Stripe	Payment processing	Billing data
Clerk	Authentication	Account credentials, session data
Plausible	Web analytics	Anonymized page views (no PII)

6. Your Rights (GDPR)

If you are in the European Economic Area, you have the right to:

Access — Request a copy of your personal data
Rectification — Correct inaccurate data
Erasure — Request deletion of your data (“right to be forgotten”)
Portability — Export your data in a machine-readable format (via API)
Restriction — Limit how we process your data
Objection — Object to processing based on legitimate interest

To exercise these rights, contact us at privacy@emithq.com. We will respond within 30 days.

7. Your Rights (CCPA)

If you are a California resident, you have the right to:

Know what personal information we collect and how it is used
Request deletion of your personal information
Opt out of the sale of personal information (we do not sell personal information)
Non-discrimination for exercising your privacy rights

8. International Data Transfers

Our infrastructure is hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US. For EU customers, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for data transfers. Our Data Processing Agreement includes SCCs.

9. Security

We implement industry-standard security measures including: TLS 1.2+ encryption in transit, AES-256 encryption at rest, PostgreSQL Row-Level Security for tenant isolation, timing-safe signature verification, and API key hashing (SHA-256).

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision.

11. Contact

For privacy-related inquiries: privacy@emithq.com