Privacy Policy

Account information: When you create an account, we collect your name, email address, and (if using social login) your profile information from Google or GitHub. We do not store your OAuth access tokens.

Webhook data: We store the raw content of all inbound webhook requests routed through your endpoints — including HTTP headers, request body, source IP address, and timestamps. This data is necessary to provide the core service (logs, replay, routing).

Usage and telemetry: We collect anonymised usage metrics such as request counts, delivery success rates, and feature usage to improve the product. We do not sell this data.

Billing information: Payments are processed by Stripe. We store only your Stripe customer ID and subscription status — never your full card number, CVV, or banking details.

Cookies and sessions: We use session cookies to keep you signed in to the dashboard. No third-party advertising or tracking cookies are set.

• To operate and provide the RelayHQ webhook relay service.
• To authenticate you and manage your workspace.
• To process payments and manage your subscription.
• To send transactional emails (delivery failure alerts, billing receipts).
• To detect and prevent abuse, fraud, and security incidents.
• To improve and develop new features based on aggregated usage patterns.

We do not sell, rent, or trade your personal information to third parties. We do not use your webhook payload data for any purpose other than delivering it to your configured destinations.

Webhook request logs are retained according to your plan:

Account data (profile, workspace settings, API keys) is retained as long as your account is active. Upon account deletion, all associated data is permanently removed within 30 days.

We use the following sub-processors to operate RelayHQ:

Each sub-processor is bound by a data processing agreement (DPA) and may only process your data as directed by us.

We take security seriously:

• All data is transmitted over TLS 1.2+.
• API keys are hashed before storage — only the prefix is retained in plaintext.
• Passwords (if used) are hashed with bcrypt.
• Database credentials, Redis URLs, and API secrets are stored as encrypted environment secrets on Fly.io and Vercel.
• We conduct periodic security reviews of our infrastructure.

If you discover a security vulnerability, please report it responsibly to security@relayhq.org.

Depending on your location, you may have the following rights under GDPR, CCPA, or applicable privacy laws:

• Access: Request a copy of all personal data we hold about you.
• Correction: Update inaccurate or incomplete information in your dashboard.
• Deletion: Delete your account and all associated data.
• Portability: Export your webhook logs and workspace data via the API.
• Objection: Object to certain processing activities.

To exercise any of these rights, email privacy@relayhq.org from your registered email address. We will respond within 30 days.

The RelayHQ dashboard uses a single session cookie (relay_session) to keep you authenticated. This cookie is:

• HttpOnly and Secure
• SameSite=Lax
• Expires after 7 days of inactivity

We do not use advertising, tracking, or analytics cookies. The landing page at relayhq.org does not set any cookies.

RelayHQ is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

We may update this privacy policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after the effective date constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this privacy policy: