Skip to content

Privacy Policy

Last updated: December 13, 2024

This Privacy Policy explains how Spooled Cloud ("we", "our", or "us") collects, uses, stores, and protects your information when you use our webhook queue and background job services (the "Service"). We are committed to protecting your privacy and handling your data responsibly.

Summary: We collect only what we need to provide our service. We don't sell your data. We don't track you across websites. Your job data is encrypted and isolated.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address: For account authentication, notifications, and support
  • Organization name: Optional, for team accounts
  • Password: Hashed using bcrypt—we never store plain text passwords

Billing Information

For paid subscriptions, we collect:

  • Payment method: Processed and stored by Stripe, our payment provider
  • Billing address: Required for invoicing and tax compliance
  • Transaction history: Records of payments for your account

Note: We never have access to your full credit card number. Stripe handles all payment processing in compliance with PCI-DSS.

Job Data

When you use the Service to process jobs, we store:

  • Job payloads: The data you submit for processing
  • Webhook data: Data received from third-party webhook sources
  • Job metadata: Status, timestamps, retry counts, queue names
  • Idempotency keys: Used to prevent duplicate processing

Job payloads are encrypted at rest using AES-256 and automatically deleted according to your plan's retention policy.

Usage Data

We automatically collect:

  • API access logs: IP addresses, endpoints called, response codes, timestamps
  • Error logs: For debugging and service improvement
  • Performance metrics: Latency, throughput, and resource utilization
  • Dashboard usage: Page views, feature usage (aggregated)

Device Information

When you access the dashboard, we collect:

  • Browser type and version
  • Operating system
  • Screen resolution (for UI optimization)
  • Timezone (for displaying timestamps correctly)

2. How We Use Information

We use the information we collect to:

  • Provide the Service: Process jobs, manage queues, deliver webhooks, and provide real-time updates
  • Authenticate users: Verify identity and protect accounts
  • Process payments: Manage subscriptions and billing
  • Maintain security: Detect and prevent fraud, abuse, and security threats
  • Improve the Service: Analyze usage patterns to enhance performance and features
  • Communicate: Send service announcements, security alerts, and respond to support requests
  • Comply with law: Meet legal obligations and respond to lawful requests

3. Data Sharing

We do not sell your personal information. We share data only in these circumstances:

Service Providers

We work with trusted third parties who help us operate the Service:

  • Cloudflare: Infrastructure, DDoS protection, CDN
  • Stripe: Payment processing
  • Neon: PostgreSQL database hosting
  • Upstash: Redis hosting for real-time features

These providers are contractually bound to protect your data and use it only for the services they provide to us.

Legal Requirements

We may disclose information when required by:

  • Valid court orders or subpoenas
  • Law enforcement requests (with proper legal process)
  • Government regulatory requirements

We will notify you of such requests unless legally prohibited from doing so.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and provide options before your data is transferred to a new entity.

4. Data Retention

We retain data according to the following schedule:

Data Type Retention Period
Job Payloads According to your plan (7-90 days)
Account Information Duration of account + 30 days after deletion
API Access Logs 90 days
Error Logs 30 days
Billing Records 7 years (legal requirement)

You can request earlier deletion of your data by contacting us at security@spooled.cloud.

5. Data Security

We implement industry-standard security measures:

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: AES-256 for stored data
  • Access controls: Role-based access with least-privilege principles
  • Key management: API keys hashed before storage
  • Data isolation: PostgreSQL Row-Level Security for multi-tenancy
  • Regular audits: Security reviews and penetration testing
  • Monitoring: 24/7 intrusion detection and alerting

For more details, see our Security page.

6. Your Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Export: Receive your data in a portable format (JSON)
  • Objection: Object to certain processing activities
  • Restriction: Request limitation of processing in certain circumstances
  • Withdraw consent: Where processing is based on consent

To exercise these rights, contact us at privacy@spooled.cloud. We will respond within 30 days.

7. Cookies and Tracking

We do not use tracking cookies or third-party analytics that track you across websites.

We use only essential cookies for:

  • Authentication: Keeping you logged into the dashboard
  • Session management: Maintaining your session state
  • Security: CSRF protection and fraud prevention

These cookies are strictly necessary for the Service to function and cannot be disabled.

8. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards for international transfers:

  • Standard Contractual Clauses (SCCs) with service providers
  • Data processing agreements with all vendors
  • Compliance with EU-US Data Privacy Framework where applicable

Enterprise customers can specify data residency regions (US, EU, Asia-Pacific).

9. GDPR Compliance (For EU Users)

For users in the European Economic Area:

  • Legal bases: We process data based on contract performance, legitimate interests, and consent
  • Data controller: Spooled Cloud is the data controller for account data
  • Data processor: We act as a data processor for job payloads you submit
  • DPO: Contact our Data Protection Officer at security@spooled.cloud
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority

10. CCPA Compliance (For California Users)

For California residents:

  • Right to know: You can request what personal information we collect and how we use it
  • Right to delete: You can request deletion of your personal information
  • Right to opt-out: We do not sell personal information
  • Non-discrimination: We will not discriminate against you for exercising your rights

11. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child, please contact us at security@spooled.cloud.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

  • Email to your registered address
  • Notice in the dashboard
  • Update to the "Last updated" date

Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy and security-related inquiries:

Email: security@spooled.cloud

We aim to respond to all privacy inquiries within 30 days.