Privacy policy

Effective date: March 21, 2026.

This Privacy Policy ("Policy") describes how KupaLabs FZCO, a company incorporated under the Dubai Integrated Economic Zones Authority (DIEZA), with registered address at Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates (License No. 52710; Tax Registration No. 104850133000001), and operator of the DiffHook service ("KupaLabs," "DiffHook," "we," "us"), collects, uses, discloses, and protects information when you use our website, web application, APIs, and related services (collectively, the "Service").

If you do not agree with this Policy, please do not use the Service.


1. Who we are

DiffHook is a product built and operated by KupaLabs FZCO. The data controller for personal data processed in connection with the Service is KupaLabs FZCO. For questions about this Policy or to exercise your rights, contact us at support@diffhook.com.

Data Processing Agreements. Where you use the Service to process personal data on behalf of your own end-users or customers and DiffHook acts as your data processor under applicable law (including GDPR Article 28), our Data Processing Agreement ("DPA") governs that processing. The DPA is available at support@diffhook.com or through your account settings. Please execute the DPA before using the Service to process personal data for which you are a controller.


2. Information we collect

Account and profile information

When you register or are invited to a workspace, we collect information such as your name, email address, workspace name, role, and authentication details (for example password hashes or SSO identifiers). We do not store plaintext passwords in recoverable form.

Billing information

If you purchase a paid plan, our payment processor (Stripe, Inc.) collects payment method details and billing address directly. We receive limited billing metadata (such as Stripe customer ID, subscription status, and invoice references) as necessary to manage your account. We do not store full card numbers.

Service usage and technical data

We collect technical information necessary to operate and secure the Service, including IP address, device and browser type, approximate location derived from IP, timestamps, API request metadata, error logs, and feature usage data. This falls into the CCPA category of "internet or other electronic network activity information."

Monitor and integration configuration

To run the Service, we store the URLs, schedules, selectors, labels, webhook endpoints, and integration settings you configure. Webhook payloads and delivery logs may contain content retrieved from the URLs you monitor ("Scraped Content"), which may include personal data about third parties if the monitored URL contains such data. You are responsible for ensuring that your use of such data complies with applicable law.

Communications

If you contact us (for example via support forms or email), we retain those messages and related metadata to respond to your inquiry and improve support quality.

Cookies and similar technologies

We use cookies and local storage for authentication, session management, and user preferences (such as theme). We use analytics tools subject to consent where required by applicable law. For details on the specific cookies we use, see our Cookie Policy. Strictly necessary cookies (authentication sessions, CSRF tokens) do not require consent and are deployed on every visit. All other cookies are deployed only with your prior consent where required by the ePrivacy Directive, UK PECR, or equivalent law.


3. How we use information

We use personal and technical information to:

We do not sell your personal information. We do not use your personal data for automated individual decision-making (including profiling) that produces legal or similarly significant effects, within the meaning of GDPR Article 22.


If the GDPR or the UK GDPR applies to your use of the Service, we rely on the following legal bases:


5. Sharing and subprocessors

We share information with service providers ("subprocessors") who assist us in providing the Service. Our key subprocessors include hosting and infrastructure, payment processing (Stripe), transactional email delivery, error monitoring, and analytics tools. A full and current list of our subprocessors, including the processing location and data categories handled by each, is maintained at diffhook.com/subprocessors and updated with at least 30 days' advance notice of material changes.

We may disclose information if required by law, court order, or governmental or regulatory request, or if we reasonably believe disclosure is necessary to protect the rights, safety, or property of DiffHook, our users, or the public.

In the event of a merger, acquisition, or sale of all or substantially all of DiffHook's assets, your information may be transferred to the acquiring entity, subject to this Policy and the DPA. We will notify you of any such transfer and, where required, obtain your consent or provide a means to opt out.

We do not share personal data with third parties for their own independent marketing purposes without your explicit consent.


6. International data transfers

DiffHook and its subprocessors may process your data in countries other than your own, including the United States. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we use appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA) as applicable. Copies of applicable transfer mechanism documentation are available upon request at support@diffhook.com.


7. Retention

We retain personal information for as long as your account is active and as needed to provide the Service. Upon account termination, we provide a 30-day data export period followed by deletion or anonymization of Customer data within 60 days, as described in our Terms of Service. We may retain certain records for longer periods where required by applicable law, tax obligations, accounting requirements, or for dispute resolution and legal defense. Delivery logs containing Scraped Content are retained for a limited operational period (currently 90 days) and then deleted. Aggregated or de-identified data may be retained indefinitely.


8. Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. No method of transmission or storage is completely secure. We encourage all users to enable multi-factor authentication (MFA), use strong unique passwords, and handle API keys carefully.

In the event of a personal data breach, we will notify affected users and applicable supervisory authorities in accordance with applicable law and our Terms of Service (Section 13).


9. Your rights and choices

Depending on your location, you may have the following rights:

How to exercise your rights. You can update some profile information directly in the app. For all other requests, contact us at support@diffhook.com. We will respond within 30 days of receipt of a verifiable request (or within 45 days for CCPA requests), with a possible extension of a further 30 days for complex requests, with notice. We may need to verify your identity before fulfilling a request.

Marketing opt-out. Marketing emails can be disabled in your account notification settings or via the unsubscribe link in any marketing message. Opting out of marketing does not affect transactional or service communications.


10. California privacy rights (CCPA/CPRA)

This section applies to California residents and supplements the rest of this Policy.

Categories of personal information collected. In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

| Category | Examples | Collected |
| --- | --- | --- |
| Identifiers | Name, email address, IP address, account ID | Yes |
| Personal information (Cal. Civ. Code 1798.80) | Email address, billing name | Yes |
| Commercial information | Subscription plan, billing history | Yes |
| Internet / network activity | API request logs, browser type, session data | Yes |
| Geolocation data | Approximate location derived from IP (city/country level) | Yes |
| Professional / employment information | Workspace name, role | Yes |
| Inferences | Product usage patterns derived from the above | Yes |

We do not collect sensitive personal information as defined by CPRA (such as Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, health data, biometrics, or contents of mail, email, or text messages) beyond what you may voluntarily include in support communications.

Purposes for collection. We collect the above categories for the business purposes described in Section 3 of this Policy.

Sharing. We share personal information with subprocessors as described in Section 5. We do not "sell" or "share" (for cross-context behavioral advertising purposes) your personal information as those terms are defined under CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted under CPRA.

Your CCPA rights. California residents have the right to:

How to submit a CCPA request. Submit requests by email to support@diffhook.com, specifying "CCPA Request" in the subject line. We will respond within 45 days (extendable by a further 45 days with notice). We will verify your identity before fulfilling deletion or portability requests. Authorized agents may submit requests on your behalf with written authorization from you and verification of the agent's identity.


11. Children

The Service is intended exclusively for business, developer, and commercial use by adults. It is not directed to children under the age of 13 in the United States (in compliance with COPPA, 15 U.S.C. §§ 6501–6506) or under the age of 16 in the European Economic Area (in compliance with GDPR Article 8), or the applicable minimum age in any other jurisdiction. We do not knowingly collect personal information from children below these age thresholds. If we become aware that we have collected personal information from a child below the applicable threshold, we will delete it promptly. If you believe a child has provided us with personal information, please notify us at support@diffhook.com.


12. Automated decision-making

We do not use your personal data for automated decision-making (including profiling) that produces legal effects or effects of similarly significant consequence concerning you, within the meaning of GDPR Article 22. Account-level risk scoring for fraud and abuse prevention does not constitute automated decision-making that produces legal or similarly significant effects; you may contact us to seek human review of any automated action affecting your account.


13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised Policy on this page and update the effective date. For material changes — meaning changes that materially affect your rights or our data practices — we will provide at least 30 days' prior notice by email to your registered address before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy, except where applicable law requires express consent.


14. Contact and supervisory authority

For privacy-related questions, requests, or complaints, contact us at:

Email: support@diffhook.com

Mail: KupaLabs FZCO, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ICO) at https://ico.org.uk.