sigvane

Privacy Policy

Last updated: 25 April 2026

This Privacy Policy explains how Sigvane ("we", "us", "Sigvane") processes personal data when you use our website at sigvane.com and our hosted webhook ingestion service at api.sigvane.com (together, the "Service"). It is intended to reflect applicable European Union and German data-protection law.

1. Who is the controller

The controller under Art. 4(7) GDPR for the processing described in this policy is:

Andrejs Cernikovs
Paul-Schallück Straße 7
50939 Köln
Germany
Email: contact@sigvane.com

Full contact details are available in our Impressum.

2. How to contact us about privacy

For any question about this policy, to exercise a data-subject right, or to raise a concern, write to contact@sigvane.com.

3. What we collect, why, and the legal basis

3.1 Sign-in with GitHub

When you sign in with GitHub, we receive the profile data needed to create and maintain your Sigvane account, such as your numeric GitHub user id, username, and avatar URL.

Legal basis: Art. 6(1)(b) GDPR — performance of our contract with you.

3.2 API keys

When you create an API key, we store an opaque key identifier, a one-way hash of the secret, the creation and last-used timestamps, and a revocation timestamp where applicable. We use this to authenticate access to the Service.

Legal basis: Art. 6(1)(b) GDPR.

3.3 Inbox configuration and webhook secrets

For each inbox you create, we store its identifier, slug, provider type, webhook URL, timestamps, and the webhook secrets needed to verify incoming request signatures. Webhook secrets are protected at rest because the Service allows you to reveal them on demand.

Legal basis: Art. 6(1)(b) GDPR.

3.4 Webhook payloads (inbox items)

When an external provider (such as GitHub) sends a webhook to your inbox and the signature verifies, we record the raw request body, a filtered subset of request headers, any provider-supplied delivery id, and the time Sigvane recorded the item.

We may also extract limited metadata from headers or payloads, such as the event type, as needed to categorize, index, and serve inbox items through the Service.

Webhook bodies may contain personal data about third parties, such as names or email addresses included in provider events. Sigvane may parse limited parts of webhook payloads or headers to categorize, index, and serve inbox items through the Service. Beyond that, Sigvane does not use webhook payload contents for its own independent purposes.

Legal basis for our account-related provision of this functionality: Art. 6(1)(b) GDPR. With respect to personal data contained inside webhook payloads that we process on your behalf, you are generally the controller and Sigvane acts as your processor. See section 8.

3.5 Server and security logs

Our backend host (Hetzner Online GmbH, Germany) and our website host (Google Ireland Limited / Firebase Hosting) produce technical logs that may include the client IP address, user agent, and request metadata. We use these logs to operate the Service, diagnose failures, and defend against abuse. Logs are retained for no longer than necessary for these purposes, typically up to 14 days.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating, securing, and debugging the Service.

3.6 Cookies

The website at sigvane.com does not use analytics, advertising, or tracking cookies.

When you sign in at api.sigvane.com, we set a strictly necessary session cookie (SESSION, lifetime: browser session) to keep you logged in during that browser session.

Legal basis: § 25(2) no. 2 TDDDG for the technically necessary cookie, and Art. 6(1)(b) GDPR for the related processing of personal data.

4. How long we keep your data

  • Account data (GitHub profile link, API key metadata, inbox configuration, webhook secrets): for as long as your account exists. When you delete your account, associated data is scheduled for deletion immediately and is usually removed right away, but may take up to 24 hours to complete.
  • Webhook payload records (inbox items): according to the retention window configured for the relevant inbox, within the limits enforced by the Service. Items past their retention window are deleted by a background cleanup job.
  • Server and security logs: see section 3.5.

The Service is currently free to use and we do not generate invoices.

5. Recipients, providers, and sub-processors

We use the following providers to operate the Service:

Provider Role / purpose Location
Hetzner Online GmbH Backend hosting and storage Germany
Google Ireland Limited (Firebase Hosting) Website hosting and related technical delivery EU
GitHub, Inc. OAuth sign-in provider and external webhook source United States

We do not sell personal data and we disclose personal data to third-party providers only as needed to operate the Service.

6. International transfers

Where personal data is processed in a country outside the European Economic Area, we rely on an applicable transfer mechanism required by law.

Where relevant, this may include an adequacy decision such as the EU-U.S. Data Privacy Framework or other appropriate safeguards under Art. 46 GDPR.

GitHub may process personal data in the United States in connection with OAuth sign-in and webhook delivery. Google or Firebase providers may also process personal data outside the European Economic Area where applicable to the hosting or delivery of the Service.

7. Your rights

Under the GDPR you have the right to:

  • access your personal data (Art. 15)
  • have inaccurate data corrected (Art. 16)
  • have your data erased (Art. 17)
  • restrict processing (Art. 18)
  • receive your data in a portable format (Art. 20)
  • object to processing based on legitimate interests (Art. 21)
  • withdraw consent at any time where processing is based on consent (Art. 7(3))

To exercise any of these rights, write to contact@sigvane.com.

The fastest way to exercise the right to erasure for your account data is to delete your account from the Service. This triggers deletion of the account and associated data, which is usually completed immediately but may take up to 24 hours.

For personal data contained inside webhook payloads, please direct data-subject requests to the Sigvane user operating the relevant inbox, because that user is generally the controller of that data. Sigvane will support them as processor.

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

8. Sigvane as processor for webhook payload contents

When you forward webhooks through Sigvane, personal data contained in the payloads is processed by Sigvane on your behalf. With respect to that data, you are generally the controller and Sigvane acts as your processor.

The processor terms governing this relationship are set out in section 9 of our Terms of Service.

You are responsible for configuring your provider integration so that the payloads sent to Sigvane do not contain more personal data than necessary for your workflow, and for having a lawful basis for your own processing of that data.

9. Children

Sigvane is not directed at children under 16 and we do not knowingly process the personal data of children.

10. Changes to this policy

We may update this policy as the Service evolves. The "Last updated" date at the top of this page reflects the latest revision. If we make material changes to this policy, we will provide notice before those changes take effect, for example by email to your registered address or by an in-product notice.