Data & Privacy

What DiffHook stores, how long it's kept, and how to control it. Covers diff snapshots, retention windows, encryption at rest and in transit, sub-processors, and data export and deletion options.

What we monitor

DiffHook fetches publicly accessible URLs. We do not:

  • Store credentials or session cookies
  • Bypass authentication walls
  • Access pages behind a login

If the URL you provide requires authentication, the monitor will see the login page, not the protected content.

What data is stored

Page content

When a change is detected, DiffHook stores the text diff, full page text (before & after), and webhook delivery logs. Each snapshot is capped at 1 MB — pages larger than this are truncated before storage. How long this data is kept depends on your plan:

Plan        Log & diff history
Free        7 days
Starter     30 days
Pro         90 days
Business    1 year

After the retention window, data is permanently deleted and cannot be recovered.

We do not store page snapshots or diffs for checks where no change is detected.

Account data

We store your email address, hashed password, team configuration, and monitor settings for as long as your account exists.

API keys are stored as irreversible hashes — we cannot read your key after it is created.

Who can see your data

  • Your team members — anyone with access to your team can view monitors, logs, and diff content
  • DiffHook staff — engineering and support staff can access your data to investigate reported issues, subject to internal access controls and audit logging
  • Third parties — we do not sell or share your data with third parties. See our Privacy Policy for the full list of sub-processors (hosting, email, payments)

GDPR

DiffHook processes data in the EU and is GDPR-compliant.

Your rights under GDPR:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your account and associated data
  • Portability — export your monitor configuration and logs
  • Objection — opt out of specific processing activities

To exercise any of these rights, email privacy@diffhook.com.

For enterprise customers requiring a Data Processing Agreement (DPA), contact support@diffhook.com.

Data residency

All data is stored in EU data centers (AWS eu-west-1). We do not currently offer region-specific data residency outside the EU. If your compliance requirements demand a different region, contact support@diffhook.com.

Security practices

  • All API traffic is encrypted over TLS 1.2+
  • Data at rest is encrypted using AES-256
  • API keys are stored as bcrypt hashes
  • Webhook payloads are signed with HMAC-SHA256
  • We conduct regular security reviews and penetration tests

Cookies

DiffHook uses cookies for session management and basic analytics. No tracking cookies are set for third-party advertising. See our Cookie Policy for details.

Deleting your data

Delete a monitor

Go to App → Monitors, open the monitor, and click Delete. The monitor and all its associated logs and snapshots are queued for deletion.

Archive your team

Go to App → Settings → Danger zone → Archive team. All monitors, logs, snapshots, API keys, and member access are permanently and immediately deleted. There is no retention window and no recovery option.

Delete your account

Go to App → Settings → Account → Delete account. Your personal data is removed from our systems within 30 days.

For immediate data deletion requests (e.g. GDPR erasure), email privacy@diffhook.com.