Privacy Policy
Effective: 2026-05-09. Operator: SideLabs ("we", "us"). Service: Webhook Inbox at inbox.sidelabs.dev.
1. Who we are
Webhook Inbox is a SaaS product operated by SideLabs, a sole-proprietor business based in Tbilisi, Georgia. Contact: support@sidelabs.dev.
2. What we collect
Account data
- Email address — required for sign-in and verification
- Display name — optional, shown to other workspace members
- Password — stored as a bcrypt hash, never in plaintext
- Last login timestamp and IP address — for audit purposes
Workspace and webhook content
- Source / destination configuration that you create (provider, signing secrets, target URLs)
- Webhook payloads that providers (Stripe, Shopify, etc.) send to your ingest URL — the entire body and headers, byte-for-byte
- Delivery attempts, response status codes, response body snippets, and timing data
- Audit log entries for every mutation a workspace member performs
Webhook payloads frequently contain your customers' personal data (emails, billing addresses, transaction amounts, etc.). You are the data controller for that content; we are the data processor.
Billing data
- Plan tier and Paddle subscription identifier — stored on our side
- Card and tax data — handled exclusively by Paddle.com; we never see card numbers, billing addresses, or tax IDs
Operational data
- Server logs (HTTP method, path, status, request id, timing) — retained 30 days
- No third-party analytics, no advertising trackers, no Google Analytics, no Hotjar, no Sentry by default
3. How long we keep it
Raw webhook events and delivery attempts are retained according to your plan: 7 days on Free, 30 days on Pro, 90 days on Business. Account data is kept for the lifetime of your account plus 30 days after deletion. Audit logs are kept for 1 year. Server logs are kept for 30 days.
4. Where we store it
All data lives on a single dedicated server hosted in Frankfurt, Germany (EU). Postgres for transactional data, ClickHouse for event search. Both are encrypted at rest at the disk-volume level. Source signing secrets are additionally encrypted with an application-level key (AES-256-GCM) before being written to Postgres.
5. Who we share it with
We do not sell or rent your data. We share data only with these processors, all under data processing agreements:
- Paddle — payment processing (Merchant of Record). Handles card data, billing addresses, tax. See Paddle's privacy policy.
- SMTP provider — sends transactional emails (verification, password reset, alerts). Currently configured per deployment; contact us for the current vendor.
- Hosting provider — runs the physical server in Frankfurt.
We disclose data when legally compelled (court order, valid subpoena from a competent authority).
6. Your rights (GDPR)
If you are an EU/EEA resident or your customers are, you have the right to access, rectify, port, restrict, and erase data we process about you. Email support@sidelabs.dev with subject "GDPR request" — we respond within 30 days. Account deletion deletes your workspace, source configurations, audit log, and all stored events permanently within 30 days; backups are purged within an additional 30 days.
7. Cookies
The dashboard at /app/ sets two first-party cookies: wi_session (HMAC-signed session, 30-day TTL, HttpOnly + SameSite=Lax + Secure) and wi_csrf (CSRF double-submit token, same lifetime). No tracking cookies, no third-party cookies.
8. Security
Webhook signing secrets are encrypted at rest. All transport is HTTPS (TLS 1.2+). Login passwords are bcrypt-hashed (cost 12). Auth endpoints are rate-limited per IP. Email verification is required before workspace activation. CSRF tokens guard mutating dashboard requests. Source-code-level changes pass through git review before deployment.
9. Changes to this policy
If we make material changes, we will email each workspace owner 14 days in advance. Non-material edits (typos, link fixes) are made silently and reflected in the "Effective" date above.
10. Contact
Privacy questions: support@sidelabs.dev.