Data & Privacy

What DiffHook stores, how long it's kept, and how to control it.

What we monitor

DiffHook fetches publicly accessible URLs. We do not:

  • Store credentials or session cookies
  • Bypass authentication walls
  • Access pages behind a login

If the URL you provide requires authentication, the monitor will see the login page, not the protected content.

What data is stored

Page content

When a change is detected, DiffHook stores:

Data | Retention
Text diff (added / removed fragments) | 14 days
Full page text (before & after) | 14 days
Visual snapshots | 30 days
Webhook delivery logs | 90 days

After the retention window, data is permanently deleted and cannot be recovered.

We do not store page snapshots or diffs for checks where no change is detected.

Account data

We store your email address, hashed password, team configuration, and monitor settings for as long as your account exists.

API keys are stored as irreversible hashes — we cannot read your key after it is created.

Who can see your data

  • Your team members — anyone with access to your team can view monitors, logs, and diff content
  • DiffHook staff — engineering and support staff can access your data to investigate reported issues, subject to internal access controls and audit logging
  • Third parties — we do not sell or share your data with third parties. See our Privacy Policy for the full list of sub-processors (hosting, email, payments)

GDPR

DiffHook processes data in the EU and is GDPR-compliant.

Your rights under GDPR:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your account and associated data
  • Portability — export your monitor configuration and logs
  • Objection — opt out of specific processing activities

To exercise any of these rights, email privacy@diffhook.com.

For enterprise customers requiring a Data Processing Agreement (DPA), contact support@diffhook.com.

Data residency

All data is stored in EU data centers (AWS eu-west-1). We do not currently offer region-specific data residency outside the EU. If your compliance requirements demand a different region, contact support@diffhook.com.

Security practices

  • All API traffic is encrypted over TLS 1.2+
  • Data at rest is encrypted using AES-256
  • API keys are stored as bcrypt hashes
  • Webhook payloads are signed with HMAC-SHA256
  • We conduct regular security reviews and penetration tests

Cookies

DiffHook uses cookies for session management and basic analytics. No tracking cookies are set for third-party advertising. See our Cookie Policy for details.

Deleting your data

Delete a monitor

Go to App → Monitors, open the monitor, and click Delete. The monitor and all its associated logs and snapshots are queued for deletion.

Delete your team

Go to App → Settings → Danger zone → Delete team. This permanently removes all monitors, logs, and team data within 30 days.

Delete your account

Go to App → Settings → Account → Delete account. Your personal data is removed from our systems within 30 days.

For immediate data deletion requests (e.g. GDPR erasure), email privacy@diffhook.com.