1. Data Controller & Data Protection Officer
SideFuel Ltda. ("SideFuel", "we", "us", "our") is the data controller responsible for processing your personal data when you use the Relayers webhook routing platform ("Service").
Data Protection Officer (DPO) / Encarregado de Dados:
Email: dpo@relayers.app
If you are located in the European Economic Area (EEA), Brazil, or any other jurisdiction with data protection laws, you may exercise your rights by contacting our DPO at the address above.
2. Legal Basis for Processing
We process your personal data under the following legal bases, as applicable under the Brazilian General Data Protection Law (LGPD, Art. 7) and the EU General Data Protection Regulation (GDPR, Art. 6):
- Performance of a contract (LGPD Art. 7, V / GDPR Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process webhooks, handle billing, and deliver customer support.
- Legitimate interest (LGPD Art. 7, IX / GDPR Art. 6(1)(f)): Fraud prevention, abuse detection, security monitoring, service performance analytics, and improving the Service. We balance these interests against your rights through regular assessments.
- Legal obligation (LGPD Art. 7, II / GDPR Art. 6(1)(c)): Compliance with tax, accounting, and regulatory obligations (e.g., retention of financial records for 5 years).
- Consent (LGPD Art. 7, I / GDPR Art. 6(1)(a)): Where specifically required (e.g., marketing communications). You may withdraw consent at any time without affecting the lawfulness of prior processing.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Account Data
- Full name and email address (provided at registration)
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- IP address at registration and login
- Account role and tenant membership
3.2 Billing Data
- Subscription plan and billing cycle
- Invoice and payment history
- Payment method details are processed and stored exclusively by Stripe — we never store credit card numbers, CVV, or full card details on our systems
3.3 Webhook Data (Processed on Your Behalf)
- HTTP headers (may contain authorization tokens or API keys from third-party providers)
- Request body / payload (may contain personal data from your end users or customers)
- Source IP address of the webhook sender
- Content type and delivery metadata
Important: Webhook payloads may contain personal data of third parties. In this context, you are the data controller for the webhook content, and SideFuel acts as a data processor on your behalf. We process this data solely to provide the routing, transformation, and delivery service. See our Data Processing Agreement (DPA) for details.
3.4 Technical / Usage Data
- IP address, browser type, and user-agent string
- API request paths and response codes
- Service usage metrics (events processed, endpoints created, API calls)
- Error logs and performance data
3.5 Tunnel / Daemon Connection Data
- Hostname, operating system, and client version
- CPU count and memory (for display purposes only)
- Connection status and last heartbeat timestamp
4. How We Use Your Data
- Service delivery: Route, transform, and deliver webhooks according to your configuration
- Account management: Authentication, authorization, and tenant isolation
- Billing: Process subscriptions, generate invoices, and handle payments via Stripe
- Security: Detect and prevent fraud, abuse, unauthorized access, and rate-limit violations
- Service improvement: Analyze aggregated usage patterns to improve reliability and performance
- Communication: Send service notifications, security alerts, and billing reminders
- Legal compliance: Fulfill tax, accounting, and regulatory obligations
5. Data Sharing & Sub-Processors
We do not sell your personal data. We share data only with the following categories of sub-processors, under appropriate data processing agreements:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, billing info, payment details | USA (Privacy Shield / SCCs) |
| Cloud Infrastructure Provider | Hosting & compute | All service data (encrypted at rest & in transit) | See service status page |
| Supabase, Inc. | Authentication (optional) | Email, auth tokens | USA (SCCs) |
We may also disclose data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of SideFuel, our users, or the public.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your jurisdiction, including the United States. When we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with all sub-processors located outside the EEA
- Adequacy decisions: Where applicable, we rely on adequacy decisions by the European Commission or the Brazilian ANPD
- LGPD Art. 33: For transfers from Brazil, we comply with the conditions set forth in LGPD Articles 33-36
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy. Specific retention periods:
| Data Type | Retention Period | Basis |
|---|---|---|
| Webhook events & delivery attempts | 7 to 90 days (per plan) | Contract — automatic cleanup enforced |
| Provider webhook events | 90 days | Contract — automatic cleanup |
| Access logs (IP, user-agent) | 90 days | Legitimate interest (security) |
| Account data (email, name) | While account is active + 30 days after deletion request | Contract |
| Financial records (invoices, payments) | 5 years after transaction | Legal obligation (tax/accounting) |
| Daemon connection metadata | Purged after 2 minutes of inactivity | Contract |
| Device authorization codes | Purged upon expiration or use | Contract |
8. Your Rights
Under the LGPD (Art. 18) and GDPR (Art. 15-22), you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations
- Right to data portability: Receive your data in a structured, machine-readable format (JSON)
- Right to restrict processing: Request that we limit how we use your data
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
- Right to information about sharing: Know which entities your data has been shared with
- Right to review automated decisions: Request human review of decisions made solely by automated processing (LGPD Art. 20)
How to Exercise Your Rights
- Self-service API: Use GET /v1/account/export to download your data and DELETE /v1/account to request account deletion
- Email: Contact our DPO at dpo@relayers.app
Response Timeframes
- LGPD: We will respond within 15 business days
- GDPR: We will respond within 30 calendar days (extendable by 60 days for complex requests)
If you believe your rights have not been adequately addressed, you have the right to lodge a complaint with your local data protection authority (ANPD in Brazil, or the relevant supervisory authority in the EEA).
9. Data Security
We implement technical and organizational measures to protect your personal data:
- Encryption in transit: All connections use TLS 1.2+
- Password security: Passwords are hashed with bcrypt (never stored in plaintext)
- API key security: API keys are stored as SHA-256 hashes
- Access control: Role-based access control (RBAC) with multi-tenant isolation
- Session security: Short-lived JWT tokens (15-minute TTL)
- Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, and more
- Rate limiting: Protection against brute-force and abuse
For more details, see our Security Policy.
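The "API keys are stored as SHA-256 hashes" measure above is easy to state and easy to get subtly wrong in code. The following Python is an added illustration written for this page; it is not Relayers' or SideFuel's code, and the `rk_` key prefix, the `ApiKeyStore` class and its method names are assumptions made here. It shows the pattern the policy describes: the server keeps only a SHA-256 digest of each key, looks records up by a non-secret key id, verifies with a constant-time comparison, and never holds the plaintext after issuance. High-entropy random API keys can safely use a fast hash like SHA-256; user-chosen passwords cannot, which is why the policy uses bcrypt for those.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

KEY_PREFIX = "rk"  # assumed key format: rk_<key_id>_<secret>


@dataclass
class ApiKeyRecord:
    key_id: str       # public identifier, safe to log
    key_hash: str     # SHA-256 hex digest of the full key; plaintext is never kept
    tenant: str       # tenant the key is scoped to (multi-tenant isolation)
    revoked: bool = False


@dataclass
class ApiKeyStore:
    """In-memory stand-in for the table that would hold hashed API keys."""
    _records: Dict[str, ApiKeyRecord] = field(default_factory=dict)

    @staticmethod
    def digest(full_key: str) -> str:
        # Keys are generated with ~256 bits of entropy, so an unsalted fast hash
        # is adequate; offline guessing of the secret is infeasible.
        return hashlib.sha256(full_key.encode("utf-8")).hexdigest()

    def issue(self, tenant: str) -> Tuple[str, str]:
        """Create a key for `tenant`. The full key is returned exactly once."""
        key_id = secrets.token_hex(4)          # 8 hex chars, no underscores
        secret = secrets.token_urlsafe(32)     # 256 bits, base64url alphabet
        full_key = f"{KEY_PREFIX}_{key_id}_{secret}"
        self._records[key_id] = ApiKeyRecord(key_id, self.digest(full_key), tenant)
        return key_id, full_key

    def verify(self, presented: str) -> Optional[str]:
        """Return the tenant for a valid key, or None. Never logs `presented`."""
        # maxsplit=2 keeps any '_' or '-' inside the secret intact
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != KEY_PREFIX:
            return None
        record = self._records.get(parts[1])
        if record is None or record.revoked:
            return None
        # Constant-time comparison of digests avoids timing side channels
        if not hmac.compare_digest(record.key_hash, self.digest(presented)):
            return None
        return record.tenant

    def revoke(self, key_id: str) -> bool:
        record = self._records.get(key_id)
        if record is None:
            return False
        record.revoked = True
        return True

    def holds_plaintext(self, full_key: str) -> bool:
        """Audit helper: True if any stored field equals the plaintext key."""
        return any(
            full_key in (r.key_id, r.key_hash, r.tenant) for r in self._records.values()
        )


if __name__ == "__main__":
    store = ApiKeyStore()
    key_id, full_key = store.issue("tenant-a")
    print("issued key id:", key_id)
    print("verify ok   :", store.verify(full_key))
    print("tampered key:", store.verify(full_key[:-1] + ("A" if full_key[-1] != "A" else "B")))
    store.revoke(key_id)
    print("after revoke:", store.verify(full_key))
```

The audit helper `holds_plaintext` is the check a reviewer of such a claim would actually want: after issuance, nothing in the store equals the key the client received, so a database leak yields only digests.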
10. Cookies & Tracking
We use only essential cookies required for authentication and session management. We do not use:
- Third-party tracking cookies
- Advertising or analytics cookies
- Social media tracking pixels
- Fingerprinting or cross-site tracking technologies
Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR Recital 30 / ePrivacy Directive Art. 5(3).
11. Security Incident Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- GDPR (Art. 33-34): We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals without undue delay if the breach poses a high risk
- LGPD (Art. 48): We will notify the ANPD and affected data subjects within a reasonable timeframe, describing the nature of the data affected, risks, and mitigation measures taken
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or through the Service at least 30 days before they take effect. The "Last updated" date at the top indicates the most recent revision.