afterbatch

Legal

Back Home

afterbatch Data Policy (Privacy Notice)

Last updated: February 20, 2026

This Data Policy explains how afterbatch ("afterbatch", "we", "us", "our") collects, uses, discloses, and protects personal data when you use our website, dashboard, APIs, and webhook notification services (the "Services").

2. Scope

This policy applies to personal data we process about account users, prospective users, and technical contacts in connection with the Services.

3. Data We Process

  1. Account and identity data
  • Name, email address, organization/workspace identifiers, and authentication/session metadata (via our auth provider).
  1. Configuration and integration data
  • Webhook endpoint URLs, selected event preferences, watch configuration, provider selection, and related settings.
  1. Batch and event metadata
  • Provider batch identifiers, canonical status transitions, timestamps, delivery attempt outcomes, and operational metadata required to provide webhook notifications.
  1. Secrets and credentials
  • Provider API keys and webhook signing secrets are handled as sensitive secrets and stored in a dedicated secret manager (WorkOS Vault), not in our primary relational database.
  1. Usage and technical data
  • Log events, request metadata, IP-derived network data, user agent/browser data, and performance/diagnostic telemetry.
  1. Communications data
  • Messages sent to support or operational contacts.

4. Data We Do Not Intend to Store by Default

  1. We do not proxy your provider batch creation requests.
  2. We do not persist full provider batch result bodies in product storage by default.
  3. If you enable delivery modes that include provider completion data in webhook sends, that data is fetched at delivery time for dispatch purposes.

5. Purposes and Legal Bases (Art. 6 GDPR)

We process personal data for the following purposes and legal bases:

  1. Service delivery and account administration
  • Purpose: authentication, watch lifecycle, polling, webhook delivery, support.
  • Legal basis: Art. 6(1)(b) GDPR (contract / pre-contractual steps).
  1. Security and abuse prevention
  • Purpose: fraud detection, endpoint validation, incident response, audit logging.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interests in security and service integrity).
  1. Reliability and troubleshooting
  • Purpose: monitor failures, retries, and system health.
  • Legal basis: Art. 6(1)(f) GDPR.
  1. Legal compliance
  • Purpose: comply with statutory obligations, regulatory requests, tax/accounting duties.
  • Legal basis: Art. 6(1)(c) GDPR.
  1. Optional non-essential analytics/cookies (if enabled)
  • Legal basis: consent under Art. 6(1)(a) GDPR and, where applicable, Section 25 TDDDG.

We do not intentionally process special categories of personal data under Art. 9 GDPR as part of normal service operation.

6. Data Sources

We collect personal data:

  1. Directly from you (account setup, dashboard use, support requests).
  2. From your authorized integrations and configured providers.
  3. From service providers used to run the Services (for example identity/auth infrastructure).

7. Recipients and Processors

We share personal data only as needed with:

  1. Infrastructure and software providers (hosting, authentication, secret management, database/queue, logging/monitoring, email/support tools).
  2. Professional advisers and auditors under confidentiality obligations.
  3. Courts, regulators, and law enforcement where legally required.
  4. Successors in a merger, financing, reorganization, or asset transfer.

Where required by Art. 28 GDPR, we use data processing agreements with processors.

We do not sell personal data for money.

8. International Transfers

If data is transferred outside the EU/EEA, we use an appropriate transfer mechanism, such as:

  1. Adequacy decisions under Art. 45 GDPR (for example, where applicable, the EU-US Data Privacy Framework for certified US organizations).
  2. Standard Contractual Clauses under Art. 46 GDPR.
  3. Additional safeguards where required by applicable law.

9. Retention

We retain data only for as long as necessary for the purposes above, including security, legal compliance, and dispute handling.

  1. Terminal watch/event/delivery records are subject to lifecycle cleanup policies (currently targeted around 30 days after terminal state, subject to operational needs and legal holds).
  2. Security and audit-relevant logs may be retained longer where needed.
  3. Secrets are managed in the secret store and can be rotated/regenerated.
  4. Where statutory retention periods apply (for example under German commercial or tax law), we retain required records for those periods.

10. Your Rights (EU/EEA)

Subject to legal conditions, you have the rights to:

  1. Access (Art. 15 GDPR).
  2. Rectification (Art. 16 GDPR).
  3. Erasure (Art. 17 GDPR).
  4. Restriction of processing (Art. 18 GDPR).
  5. Data portability (Art. 20 GDPR).
  6. Object to processing based on Art. 6(1)(e) or (f) GDPR (Art. 21 GDPR).
  7. Withdraw consent at any time where processing is based on consent (Art. 7(3) GDPR).
  8. Lodge a complaint with a supervisory authority (Art. 77 GDPR), especially in your habitual residence, place of work, or place of alleged infringement.

To exercise your rights, contact [[email protected]].

11. Cookies and Similar Technologies

We use essential cookies/session mechanisms required for authentication, security, and core functionality.

For non-essential storage/access technologies on end-user devices, consent is collected where required by Section 25 TDDDG in conjunction with GDPR.

12. Automated Decision-Making

We do not use solely automated decision-making that produces legal effects or similarly significant effects on individuals in the context of this Service.

14. Changes to This Policy

We may update this policy from time to time. We will post the revised version with a new "Last updated" date and provide additional notice where required by law.

15. Contact