How Nestarc Webhooks handles your data.
Effective April 18, 2026. This policy explains what information the Service collects, how it is used, and the choices available to account owners and team members.
Data controller
The data controller for personal data collected through the dashboard and API (account information, organization membership, notification settings, billing identifiers) is the Operator (a sole individual operator, not a registered business entity), based in the Republic of Korea. Data-subject requests and privacy questions can be sent to [email protected].
For personal data contained in webhook payloads you transmit through the Service, you are the data controller and we act as your data processor. See the “Webhook payload data” section below.
Information we collect
Account information. When you sign in with Google or GitHub, we receive and store your OAuth provider account identifier, name, email address, and profile image. We do not receive or store your provider password.
Workspace and application data. We store organization names, memberships, member roles (owner or member), endpoint URLs, endpoint descriptions, endpoint metadata, HMAC signing secrets, API key hashes, notification preferences (notification email addresses and Slack webhook URLs you provide), payment-processor customer and subscription identifiers issued by our Merchant of Record, and team invitation records (invitee email, role, and expiry).
Delivery operations data. When you send webhook events through the platform, we store event types, webhook payloads (as JSON), delivery attempt status, response status codes, response bodies, latency measurements, retry state, and error messages to route, monitor, and replay deliveries.
Usage data. We track the number of messages sent per application each month to enforce plan quotas. This counter resets on the first day of each calendar month.
How we use information
We use account and configuration data to provision workspaces, authenticate users via Google or GitHub OAuth, issue and validate API credentials (API keys are stored as SHA-256 hashes; the plaintext key is shown only at creation or rotation), deliver webhook events to your configured endpoints, surface delivery logs, and enforce security controls such as endpoint circuit breakers and SSRF protection.
We use contact information to send product notices, access-related messages, team invitations (via email), failure and endpoint-disabled notifications (via email or Slack, depending on your notification settings), support responses, and billing updates.
Legal basis for processing
Where the GDPR or similar laws apply, we process personal data on the following legal bases:
- Performance of a contract: to create and administer accounts, authenticate users, deliver webhook events, provide dashboard functionality, and manage paid services you request.
- Legitimate interests: to secure the service, prevent abuse, investigate incidents, operate notifications, and improve reliability and support workflows.
- Legal obligations: to keep billing and accounting records, respond to lawful requests, and comply with tax, fraud-prevention, and regulatory requirements.
Cookies and session data
Strictly-necessary cookies. The dashboard uses a session cookie managed by NextAuth to authenticate your browser session. We also set a cookie (activeOrgId) to remember which organization you are currently working in. These cookies are essential to operate the Service and cannot be disabled while using the dashboard.
Cookie notice on public pages. We display a one-time notice on the public site describing the cookies in use. The dismissal preference is stored in your browser via localStorage (key cookie-notice-dismissed-v1). No consent is recorded server-side because the cookies in use are strictly necessary.
Payment-processor cookies. When you reach the Paddle-hosted checkout flow, Paddle sets its own cookies for fraud prevention, session continuity, and transaction completion. These cookies are set under Paddle's domain and are subject to Paddle's Privacy Policy.
No advertising or tracking. We do not use advertising cookies, third-party analytics pixels, or cross-site tracking identifiers.
Webhook payload data
Webhook payloads you send through the platform may contain personal data belonging to your end users or other third parties. You are the data controller for all content transmitted via webhook payloads. We process this content solely as a data processor on your behalf to deliver, log, and retry webhook events.
You are responsible for ensuring you have the necessary rights, consents, and legal basis to transmit any personal data contained in your payloads through the platform.
Sharing and processors
We do not sell personal information. We share data with the following categories of service providers, only to the extent needed to deliver the service:
- Authentication: Google and GitHub (OAuth sign-in)
- Payment processing (Merchant of Record): Paddle.com Market Ltd and its group affiliates — subscription billing, plan management, tax collection and remittance, fraud prevention, and customer-facing receipts and invoices. Paddle acts as a separate data controller for tax and compliance purposes inherent in its Merchant-of-Record role.
- Email delivery: Resend (team invitations, failure notifications)
- Hosting: Cloud infrastructure providers for application servers, databases, and static assets
We may also disclose information when required to comply with law, enforce service terms, protect the platform, or investigate abuse.
Retention
Account profiles, organization membership, endpoint configuration, notification settings, and related workspace records are retained while the account remains active. After account closure, we retain only the records needed to process final billing matters, resolve support requests, investigate fraud or security incidents, defend legal claims, and comply with tax, accounting, and other legal obligations.
Delivery attempt logs (including webhook payloads, response bodies, and error messages) are retained according to your active plan tier. Current public tiers retain logs for 7, 30, or 90 days, after which they are purged automatically. See the pricing page for plan-specific retention windows.
Team invitation records expire after 7 days and are retained only for audit and support purposes.
Your rights and choices
You can update endpoint configuration, rotate API keys, manage notification preferences (email and Slack), and manage team access (invite or remove members) from the dashboard at any time.
Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data, or to restrict or object to certain processing. To exercise any of these rights or to request full account and data deletion, email [email protected]. We will respond within 30 days or within the timeframe required by applicable law.
You may also have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data infringes applicable law.
General product support is available through [email protected] or the contact page.
Children's privacy
The service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact [email protected] and we will promptly delete it.
International data transfers
Your information may be processed and stored in countries other than the one in which it was collected, including the United States. Where we transfer personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms recognized by applicable law.
Security
We use reasonable administrative and technical safeguards to protect stored account information and delivery data, including hashed API key storage (SHA-256), HMAC-SHA256 signed webhook payloads, SSRF protection on endpoint URLs, and encrypted connections. No system can guarantee absolute security, so you should avoid sending secrets or data you are not authorized to process. To report a security concern, contact [email protected].
Changes to this policy
If this policy changes materially, we will update this page, revise the effective date, and where practicable provide notice via the dashboard or the email address associated with your account. Your continued use of the service after a change takes effect constitutes acceptance of the revised policy.