
Privacy policy

Effective date: March 21, 2026.

This Privacy Policy ("Policy") describes how KupaLabs FZCO, a company incorporated under the Dubai Integrated Economic Zones Authority (DIEZA), with registered address at Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates (License No. 52710; Tax Registration No. 104850133000001), and operator of the DiffHook service ("KupaLabs," "DiffHook," "we," "us"), collects, uses, discloses, and protects information when you use our website, web application, APIs, and related services (collectively, the "Service").

If you do not agree with this Policy, please do not use the Service.


1. Who we are

DiffHook is a product built and operated by KupaLabs FZCO. The data controller for personal data processed in connection with the Service is KupaLabs FZCO. For questions about this Policy or to exercise your rights, contact us at support@diffhook.com.

Data Processing Agreements. Where you use the Service to process personal data on behalf of your own end-users or customers and DiffHook acts as your data processor under applicable law (including GDPR Article 28), our Data Processing Agreement ("DPA") governs that processing. The DPA is available at support@diffhook.com or through your account settings. Please execute the DPA before using the Service to process personal data for which you are a controller.


2. Information we collect

Account and profile information

When you register or are invited to a workspace, we collect information such as your name, email address, workspace name, role, and authentication details (for example password hashes or SSO identifiers). We do not store plaintext passwords in recoverable form.

Billing information

If you purchase a paid plan, our payment processor (Stripe, Inc.) collects payment method details and billing address directly. We receive limited billing metadata (such as Stripe customer ID, subscription status, and invoice references) as necessary to manage your account. We do not store full card numbers.

Service usage and technical data

We collect technical information necessary to operate and secure the Service, including IP address, device and browser type, approximate location derived from IP, timestamps, API request metadata, error logs, and feature usage data. This falls into the CCPA category of "internet or other electronic network activity information."

Monitor and integration configuration

To run the Service, we store the URLs, schedules, selectors, labels, webhook endpoints, and integration settings you configure. Webhook payloads and delivery logs may contain content retrieved from the URLs you monitor ("Scraped Content"), which may include personal data about third parties if the monitored URL contains such data. You are responsible for ensuring that your use of such data complies with applicable law.

Communications

If you contact us (for example via support forms or email), we retain those messages and related metadata to respond to your inquiry and improve support quality.

Cookies and similar technologies

We use cookies and local storage for authentication, session management, and user preferences (such as theme). We use analytics tools subject to consent where required by applicable law. For details on the specific cookies we use, see our Cookie Policy. Strictly necessary cookies (authentication sessions, CSRF tokens) do not require consent and are deployed on every visit. All other cookies are deployed only with your prior consent where required by the ePrivacy Directive, UK PECR, or equivalent law.


3. How we use information

We use personal and technical information to:

  • Provide, operate, maintain, and improve the Service (including monitoring, webhooks, billing, and integrations).
  • Authenticate users, enforce security, detect fraud and abuse, and troubleshoot issues.
  • Communicate with you about the product, security alerts, subscription renewals, and transactional notices (these communications are required for the Service and cannot be opted out of while your account is active).
  • Send optional marketing or product education emails if you have opted in, or where otherwise permitted by applicable law.
  • Comply with legal obligations and respond to lawful requests from courts, regulators, and law enforcement.
  • Analyze aggregated or de-identified usage data to understand product performance and inform product decisions.

We do not sell your personal information. We do not use your personal data for automated individual decision-making (including profiling) that produces legal or similarly significant effects, within the meaning of GDPR Article 22.


If the GDPR or the UK GDPR applies to your use of the Service, we rely on the following legal bases:

  • Performance of a contract (Article 6(1)(b)): processing necessary to provide the Service you have requested, including account management, billing, and delivery of monitoring results.
  • Legitimate interests (Article 6(1)(f)): security monitoring, fraud prevention, product improvement using aggregated data, and direct marketing to existing customers (where not overridden by your rights). We have conducted and documented legitimate interest assessments (LIAs) balancing these interests against data subject rights; copies are available upon request.
  • Consent (Article 6(1)(a)): optional marketing communications and non-essential cookies (where required). You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Article 6(1)(c)): compliance with applicable law, tax obligations, and lawful requests.

5. Sharing and subprocessors

We share information with service providers ("subprocessors") who assist us in providing the Service. Our key subprocessors include hosting and infrastructure, payment processing (Stripe), transactional email delivery, error monitoring, and analytics tools. A full and current list of our subprocessors, including the processing location and data categories handled by each, is maintained at diffhook.com/subprocessors and updated with at least 30 days' advance notice of material changes.

We may disclose information if required by law, court order, or governmental or regulatory request, or if we reasonably believe disclosure is necessary to protect the rights, safety, or property of DiffHook, our users, or the public.

In the event of a merger, acquisition, or sale of all or substantially all of DiffHook's assets, your information may be transferred to the acquiring entity, subject to this Policy and the DPA. We will notify you of any such transfer and, where required, obtain your consent or provide a means to opt out.

We do not share personal data with third parties for their own independent marketing purposes without your explicit consent.


6. International data transfers

DiffHook and its subprocessors may process your data in countries other than your own, including the United States. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we use appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA) as applicable. Copies of applicable transfer mechanism documentation are available upon request at support@diffhook.com.


7. Retention

We retain personal information for as long as your account is active and as needed to provide the Service. Upon account termination, we provide a 30-day data export period followed by deletion or anonymization of Customer data within 60 days, as described in our Terms of Service. We may retain certain records for longer periods where required by applicable law, tax obligations, accounting requirements, or for dispute resolution and legal defense. Delivery logs containing Scraped Content are retained for a limited operational period (currently 90 days) and then deleted. Aggregated or de-identified data may be retained indefinitely.


8. Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. No method of transmission or storage is completely secure. We encourage all users to enable multi-factor authentication (MFA), use strong unique passwords, and handle API keys carefully.

In the event of a personal data breach, we will notify affected users and applicable supervisory authorities in accordance with applicable law and our Terms of Service (Section 13).


9. Your rights and choices

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion (erasure): Request deletion of your personal data, subject to legal retention obligations.
  • Portability: Receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller.
  • Objection: Object to processing based on our legitimate interests or for direct marketing purposes.
  • Restriction: Request restriction of processing in certain circumstances.
  • Withdrawal of consent: Where processing is based on consent, withdraw consent at any time without affecting prior processing.
  • Complaint: Lodge a complaint with a data protection supervisory authority in your jurisdiction.

How to exercise your rights. You can update some profile information directly in the app. For all other requests, contact us at support@diffhook.com. We will respond within 30 days of receipt of a verifiable request (or within 45 days for CCPA requests), with a possible extension of a further 30 days for complex requests, with notice. We may need to verify your identity before fulfilling a request.

Marketing opt-out. Marketing emails can be disabled in your account notification settings or via the unsubscribe link in any marketing message. Opting out of marketing does not affect transactional or service communications.


10. California privacy rights (CCPA/CPRA)

This section applies to California residents and supplements the rest of this Policy.

Categories of personal information collected. In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

| Category | Examples | Collected |
| --- | --- | --- |
| Identifiers | Name, email address, IP address, account ID | Yes |
| Personal information (Cal. Civ. Code 1798.80) | Email address, billing name | Yes |
| Commercial information | Subscription plan, billing history | Yes |
| Internet / network activity | API request logs, browser type, session data | Yes |
| Geolocation data | Approximate location derived from IP (city/country level) | Yes |
| Professional / employment information | Workspace name, role | Yes |
| Inferences | Product usage patterns derived from the above | Yes |

We do not collect sensitive personal information as defined by CPRA (such as Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, health data, biometrics, or contents of mail, email, or text messages) beyond what you may voluntarily include in support communications.

Purposes for collection. We collect the above categories for the business purposes described in Section 3 of this Policy.

Sharing. We share personal information with subprocessors as described in Section 5. We do not "sell" or "share" (for cross-context behavioral advertising purposes) your personal information as those terms are defined under CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted under CPRA.

Your CCPA rights. California residents have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
  • Delete: Request deletion of personal information, subject to legal exceptions.
  • Correct: Request correction of inaccurate personal information.
  • Opt out of sale/sharing: We do not sell or share personal information; no opt-out is required, but you may contact us to confirm.
  • Limit sensitive PI use: Contact us to limit use of sensitive personal information beyond what is strictly necessary.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

How to submit a CCPA request. Submit requests by email to support@diffhook.com, specifying "CCPA Request" in the subject line. We will respond within 45 days (extendable by a further 45 days with notice). We will verify your identity before fulfilling deletion or portability requests. Authorized agents may submit requests on your behalf with written authorization from you and verification of the agent's identity.


11. Children

The Service is intended exclusively for business, developer, and commercial use by adults. It is not directed to children under the age of 13 in the United States (in compliance with COPPA, 15 U.S.C. §§ 6501–6506) or under the age of 16 in the European Economic Area (in compliance with GDPR Article 8), or the applicable minimum age in any other jurisdiction. We do not knowingly collect personal information from children below these age thresholds. If we become aware that we have collected personal information from a child below the applicable threshold, we will delete it promptly. If you believe a child has provided us with personal information, please notify us at support@diffhook.com.


12. Automated decision-making

We do not use your personal data for automated decision-making (including profiling) that produces legal effects or effects of similarly significant consequence concerning you, within the meaning of GDPR Article 22. Account-level risk scoring for fraud and abuse prevention does not constitute automated decision-making that produces legal or similarly significant effects; you may contact us to seek human review of any automated action affecting your account.


13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised Policy on this page and update the effective date. For material changes — meaning changes that materially affect your rights or our data practices — we will provide at least 30 days' prior notice by email to your registered address before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy, except where applicable law requires express consent.


14. Contact and supervisory authority

For privacy-related questions, requests, or complaints, contact us at:

Email: support@diffhook.com
Mail: KupaLabs FZCO, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ICO) at https://ico.org.uk.