Privacy Policy

Last Updated: January 8, 2026

Effective Date: January 8, 2026

At Zhook, we take a "Privacy-by-Design" approach to MQTT and Webhook automation. This policy explains what data we collect, why we collect it, and how we protect it while acting as both a Data Controller and a Data Processor.

1. Information We Collect

Account Information: When you sign up via Google or GitHub, we collect your name, email address, and account identifiers to manage your subscription and identity.

Payload Data (Service Provision): Zhook processes and stores the contents of MQTT and Webhook payloads (JSON, XML, plaintext, or binary) on your behalf. For this data, you are the Data Controller and Zhook is the Data Processor.

Technical Data: We automatically collect IP addresses, device identifiers, browser types, and usage metrics (rate limits, trigger counts) for security, debugging, and service optimization.

2. How We Use Your Information

We use the collected information solely to:

  • Route and deliver payloads to your specified endpoints.
  • Execute automation rules (JSON matching, text parsing) as configured by you.
  • Maintain the HistoryBundle archive for your audit and forensic needs.
  • Protect our infrastructure from abuse, DDoS attacks, and unauthorized access.

3. Data Retention (The "Data Vault")

We retain data only as long as necessary to provide our service:

  • Standard Logs: System metadata and transient event logs are typically purged after 30 days.
  • Long-Term Payload Storage: If you are on a Compliance/Pro tier, Zhook stores raw payloads in an encrypted vault for up to two (2) years.
  • Account Deletion: Upon account termination, all account data is deleted within 30 days. You are responsible for exporting your data (via HistoryBundle) before closing your account.

4. Data Sharing and Sub-processors

We do not sell your personal information. We share data only with trusted sub-processors necessary for our service:

  • Infrastructure: Upstash (Serverless Redis/Kafka), Railway, MongoDB, Cloudflare, Resend (all EU-based).
  • Billing: Stripe.
  • Authentication: Google OAuth, GitHub OAuth.

5. Security Measures

Your data is protected by industry-standard technical and organizational measures:

  • Encryption: All data is encrypted using TLS 1.3 in transit and AES-256 at rest.
  • Access Control: We implement strict role-based access controls (RBAC) and a zero-trust internal architecture.
  • Auditability: Every access to your "Data Vault" is logged and monitored for unauthorized activity.

6. International Data Transfers

Zhook is based in Poland (EU). If data is transferred outside the EEA, we ensure compliance through Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms so that your data remains protected.

7. Your Rights

Under the GDPR and other global privacy laws, you have the right to:

  • Access, correct, or delete your personal information.
  • Export your payload history (via the HistoryBundle feature).
  • Withdraw consent for non-essential processing.
  • Object to automated decision-making.

8. Contact Information

For any privacy-related inquiries or to exercise your rights, please contact our Data Protection Team: legal@zhook.dev