Privacy Policy

Last updated: March 21, 2026

This Privacy Policy describes how we collect, use, and protect your personal data when you use our Services.

Unless otherwise defined in this policy, capitalized terms have the meanings given in our Terms and Conditions.

This policy applies to individuals who interact with our Services directly. If you are an end user of a product or service provided or operated by one of our customers, please refer to that customer's privacy policy.

1. Who we are

We are the controller of personal data we process for our own business purposes, as described in this Privacy Policy. Where we process personal data on behalf of our customers and in accordance with their instructions, we act as a processor or service provider, as applicable under relevant law.

This Privacy Policy does not apply to any third-party websites, applications, or services that we do not own or operate.

Data controller: Figstra Software GmbH, Christoph-Rapparini-Bogen 10, 80639 Munich, Germany. Email: [email protected].

Data Protection Officer. We have assessed our current obligations under Article 37 GDPR and Section 38 BDSG and, based on our present organization and processing activities, we do not currently designate a Data Protection Officer. We will review this position if our processing activities or legal obligations change.

2. What we collect

We collect or process the following categories of personal data:

  • Webhook payload data (all users): HTTP request data sent to webhook URLs generated through the Services, including headers, body content, query parameters, and sender IP address. This data is submitted by you or by third parties sending requests to your webhook URLs. Webhook payloads may contain personal data depending on what is sent.

  • Usage and technical data (all users): information generated automatically when you use the Services, including IP address, browser type and version, device type, operating system, pages visited, referring URL, and timestamps. Collected automatically when you access the Services.

  • Communications (users who contact us): name, email address, message content, and any attachments. Collected when you contact us through email or other support channels.

Data we do not collect. The Services do not require accounts. We do not collect names, email addresses, passwords, or billing information through the Services at point of use. We do not knowingly collect biometric data or special categories of personal data.

Automatic technical data. Visitors can browse public parts of the Services without creating an account or actively submitting information. However, we automatically process limited technical data such as IP address and device and browser information when they access the site. This processing is described in Section 7 (Cookies, Tracking, and Analytics).

Data provision. Providing personal data is not a contractual requirement. However, certain technical data is processed automatically as part of delivering and securing the Services.

3. How we use your data

We use your personal data to provide, secure, and improve the Services. Specifically:

| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the Services (public use without a DPA) | Webhook payload data, usage and technical data | Legitimate interest (operating, securing, and troubleshooting the service requested by the user) |
| Security and abuse prevention | Usage and technical data, IP addresses | Legitimate interest (protecting the Services and users from abuse, fraud, and unauthorized access) |
| Analytics and improvement | Usage and technical data | Legitimate interest (understanding how the Services are used to improve them) |
| Responding to inquiries | Communications | Legitimate interest (handling support requests and inquiries) |

Where an identified customer has entered into a Data Processing Agreement with us, we process data submitted through the Services on that customer's behalf and under their instructions. That processing is governed by the DPA and not by the controller legal bases in this table.

We do not sell or share your personal data for advertising, marketing, or behavioral profiling purposes.

We do not use personal data you submit to our Services to train our own AI or machine learning models.

4. Who we share data with

We share personal data only where necessary to operate and secure the Services.

Service providers. The following service providers process personal data on our behalf:

| Name | Purpose | Location |
|---|---|---|
| UpCloud Oy | Hosting and storage | Finland |
| Hetzner Online GmbH | Analytics infrastructure | Germany |
| Cloudflare, Inc. | CDN, storage, and security | United States |
| Google Cloud EMEA Limited (Google Workspace) | Email and communications | Ireland |
| Functional Software, Inc. (Sentry) | Error reporting | United States |

Lawful disclosure. We may disclose personal data where required by law, regulation, court order, or governmental authority, or where reasonably necessary to protect our rights, property, or safety, or those of others.

Business transactions. In connection with a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity.

International transfers. Some of our service providers are located outside the EEA. Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on appropriate safeguards recognized under applicable law, such as adequacy decisions, the EU–US Data Privacy Framework where applicable, and/or standard contractual clauses. For details on the safeguards applicable to a specific transfer, contact us at [email protected].

5. How long we keep data

We keep personal data for as long as needed to provide the Services and as described below. We also keep data where necessary to comply with legal obligations, resolve disputes, prevent abuse, and defend legal claims.

| Data category | Retention criteria |
|---|---|
| Webhook payload data | Retained for a limited period while the associated webhook URL is active. Deleted automatically after URL expiry or inactivity, or upon request. |
| Usage and technical data | While needed for security, analytics, abuse prevention, and legal compliance. |
| Communications | While needed to resolve the inquiry and afterward only as long as needed for legal compliance and dispute resolution. |

When data is deleted, we will remove it from active systems without undue delay. Some data may take longer to remove where we are legally required to keep it or where needed for security or fraud prevention. Deleted data may persist in backups, caches, or redundant storage until those are overwritten or cleared in the ordinary course.

You may request deletion of your data by contacting us at [email protected].

6. Your rights

EEA and UK residents. Subject to applicable law and depending on the circumstances, you may have the right to:

  • access your personal data
  • request rectification of inaccurate or incomplete data
  • request erasure of your data
  • request restriction of processing
  • receive certain data you provided to us in a structured, commonly used, machine-readable format
  • object to certain processing, including processing based on legitimate interests
  • withdraw consent at any time where processing is based on consent
  • lodge a complaint with your local supervisory authority

Swiss residents. Subject to applicable law and depending on the circumstances, you may have rights under the Swiss Federal Act on Data Protection, including the right to request information about the personal data we process about you, and to request correction, deletion, or objection to certain processing.

Supervisory authorities.

  • Bavaria (EEA): Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — https://www.lda.bayern.de
  • UK: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom — https://ico.org.uk
  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland — https://www.edoeb.admin.ch

Processor-role data. If you are an end user of a product or service operated by one of our customers, please direct rights requests to that customer. We will assist the customer in responding as required under applicable law.

To exercise your rights, contact us at [email protected]. We may need to verify your identity before processing your request. We will respond in accordance with applicable law.

7. Cookies, tracking, and analytics

We use only strictly necessary cookies for core functionality. We do not use advertising trackers, marketing cookies, or third-party analytics trackers.

Our website analytics software is self-hosted on EU infrastructure that we control. It does not set cookies, does not use browser storage, and does not store or retrieve anything on your device. On our own systems, your IP address is anonymized and not stored in raw form. We do not generate persistent user profiles or track visitors across sessions or devices. No separate third-party analytics vendor receives this data.

Infrastructure providers listed in Section 4 (including our CDN and error reporting services) may process technical request data including raw IP addresses as part of delivering and securing the Services.

8. Security and breach notification

We use technical and organizational safeguards designed to protect personal data from unauthorized access, misuse, loss, disclosure, alteration, and destruction. These measures include, where appropriate to the risks involved:

  • encryption in transit and at rest
  • restricted access
  • logging and monitoring
  • backups
  • internal processes for handling security incidents

We review and update our safeguards from time to time based on changes to our Services, our processing activities, and relevant risks.

Please note that while we take reasonable measures to protect your data, no service is completely secure. We cannot guarantee absolute security, or that unauthorized access, hacking, data loss, or a data breach will never occur.

If we become aware of a personal data breach, we will take the steps required by applicable law, including notifying regulators and affected individuals where required.

9. Controller and processor roles

The Services can be used in two modes with different data-protection roles:

Public use without a DPA. When you use the Services without having entered into a Data Processing Agreement with us, we process webhook payload data and related technical data as a controller for our own service-operation purposes. The legal bases for this processing are described in Section 3.

Identified customers with a DPA. Where you have entered into a Data Processing Agreement with us, we process data submitted through the Services on your behalf and under your instructions. You act as controller and/or processor, as applicable under relevant law. We act as processor or sub-processor, as applicable. That processing is governed by the DPA.

End users of products or services operated by our customers should direct privacy inquiries and rights requests to the relevant customer.

10. Children's privacy

The Services are not directed at children. You must be at least 18 years old to use the Services, as stated in our Terms and Conditions. We do not knowingly collect personal data from anyone who does not meet this age requirement. If you believe that a child has submitted personal data through the Services, please contact us at [email protected] so we can take steps to delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Because the Services do not require accounts, changes are communicated by posting the revised policy on the Services. The "Last updated" date at the top indicates the most recent revision.

12. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at [email protected].