Privacy Policy

Last updated: February 13, 2026

Mitte ("we", "us", "our") operates the webhook gateway platform available at mitte.run (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account we collect your name, email address, and — if you sign in via GitHub or Google — your profile picture and OAuth provider identifier. If you sign up with email and password, we store a securely hashed version of your password. We never store your password in plain text.

1.2 Billing Information

Payments are processed by Lemon Squeezy. We store your Lemon Squeezy customer ID and subscription status but do not store credit card numbers, bank details, or other payment instrument data.

1.3 Webhook Data

When external services send webhooks to your Mitte endpoints, we temporarily store the request headers, payload body, response body, HTTP status codes, timing data, and retry metadata ("Webhook Logs"). This data is retained according to your plan's retention period (3 days for Free, 14 days for Pro) and is automatically deleted after expiration.

1.4 API Keys

When you generate an API key for MCP or external integrations, the full key is displayed once at creation. We store the key in hashed form along with a hint (last 8 characters) for identification. We record timestamps of when each key was last used.

1.5 AI Features

When you use AI-powered features (Error Explain, Transform Rule generation), portions of your webhook data (such as error messages, headers, and payload excerpts) are sent to our AI provider (OpenAI) for processing. We do not use your data to train third-party AI models. OpenAI processes this data under their API Data Usage Policy, which states that API inputs and outputs are not used for model training.

1.6 MCP (Model Context Protocol) Access

When AI assistants connect to your account via the MCP endpoint, they authenticate using your API key and can access the same data available through the dashboard: endpoints, logs, stats, and plan information. All MCP requests are logged and subject to the same retention policies.

1.7 Usage & Analytics Data

We collect anonymized usage metrics including daily/weekly/monthly active user counts (via Redis HyperLogLog), page views, and feature usage. We use Sentry for error tracking, which may collect device information, browser type, and IP address when errors occur.

2. How We Use Your Information

  • Provide the Service: receive, store, transform, and forward webhooks to your target URLs.
  • Authentication: verify your identity and manage sessions.
  • AI features: analyze webhook errors and generate payload transformation rules.
  • MCP integration: allow AI assistants to manage your webhooks on your behalf.
  • Notifications: send in-app and email alerts about anomalies, quota warnings, and trial expiration.
  • Billing: manage your subscription, enforce plan limits, and process payments.
  • Improvement: analyze usage patterns to improve performance, reliability, and features.
  • Security: detect and prevent abuse, rate-limit requests, and monitor for anomalies.

3. Data Sharing

We do not sell your personal information. We share data only with:

  • Your target servers: webhook payloads are forwarded to URLs you configure, including HMAC signatures.
  • OpenAI: when you use AI features, relevant webhook data excerpts are sent for processing.
  • Lemon Squeezy: billing and subscription management.
  • Resend: transactional emails (verification, notifications).
  • Sentry: error tracking and performance monitoring.
  • Infrastructure providers: DigitalOcean (hosting), which processes data per its own privacy policy.

4. Data Retention

  • Account data: retained until you delete your account.
  • Webhook logs: automatically deleted after your plan's retention period (3 or 14 days).
  • Redis stats: aggregate counters retained for up to 90 days; hourly granularity data is recycled every 24 hours.
  • API keys: retained until you delete them or your account.
  • Notifications: retained until you delete your account.

5. Data Security

We implement industry-standard measures to protect your data, including: encrypted connections (TLS/HTTPS), hashed passwords and API keys, HMAC-signed webhook forwarding, per-endpoint signing secrets, rate limiting, and isolated per-user data access controls. However, no method of electronic transmission or storage is 100% secure.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete your personal data.
  • Export your data in a portable format.
  • Object to or restrict certain processing activities.
  • Withdraw consent at any time (for consent-based processing).

To exercise these rights, contact us at [email protected].

7. Cookies

We use essential cookies for session management and authentication. We do not use third-party advertising or tracking cookies.

8. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children.

9. International Transfers

Your data may be processed on servers located outside your country of residence (currently in the United States via DigitalOcean). By using the Service, you consent to such transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification. Continued use of the Service after changes constitutes acceptance.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at [email protected].