Privacy Policy
Last updated: May 14, 2026 · Effective: May 14, 2026
This Privacy Policy describes how Silven Dynamics ("Silven
Dynamics", "we", "us", "our") collects, uses, shares, and
protects personal data when you access or use the Mittr™
webhook delivery service ("Mittr", the "Service") at
https://app.mittr.io, mittr.io, and https://docs.mittr.io.
Mittr™ is a product of Silven Dynamics.
Quick summary
- We collect the minimum data needed to operate Mittr: your account info, the webhook events you submit, and operational telemetry.
- We never sell personal data. We share it only with the subprocessors needed to run the Service, and only when required by law.
- Your event payloads stay within your workspace and the destinations you configure.
- We retain data only as long as your plan and applicable law require. You can export or delete your data at any time.
- You have rights under GDPR, CCPA/CPRA, and equivalent local data-protection laws. Email [email protected] to exercise them.
Webhook payloads + AI. Mittr is a delivery
pipe, not a content-processing platform. We do not read the
bodies of your webhook events for any purpose other than
delivering them and producing the delivery telemetry you see in
your dashboard. We do not train machine-learning or AI models
on the contents of your payloads, and we do not share payload
contents with any party other than the destination URLs you
configure. If we ever introduce features that need to analyse
payload contents — for example, an opt-in AI-assisted
classification, summarisation, or anomaly-detection capability
— participation will be explicit and opt-in, and this Policy
will be updated before that processing begins.
1. Who we are
Silven Dynamics operates Mittr, a webhook delivery platform. We
are the data controller for personal data we collect about our
customers and visitors. For personal data you submit to Mittr
that belongs to your end-users (e.g., personal data inside
webhook payloads you send through us), we act as a data
processor; you are the controller. See
section 2 for the role distinction in detail.
Contact for privacy matters: email
[email protected] with the
subject "Privacy". We respond within 30 days.
2. Scope + our role under data-protection law
Mittr is a B2B infrastructure service. Our processing of
personal data falls into two categories:
| Data type | Our role | Examples |
| --- | --- | --- |
| Customer data — about you, the user of Mittr | Controller | Your account email, password hash, workspace name, login activity |
| Webhook payload data — submitted through Mittr | Processor (you are the controller) | Your customers' email addresses inside an order.created event you send to Mittr for delivery |
Where we act as a processor, our handling of personal data is
governed by our Data Processing Addendum (DPA), which is
available on request from
[email protected]. Enterprise
customers receive a signed DPA with their contract; the DPA
includes the current subprocessor list, security control
details, and notification commitments not duplicated in this
public Policy.
3. Information we collect
3.1 Information you provide directly
- Account creation: email address, password (hashed; we never store plaintext), workspace name, your display name.
- Profile: optional avatar URL when you sign in via single sign-on.
- Workspace configuration: endpoint URLs, signing secrets, event-type definitions, alert rules, retry policies.
- Team members: emails and roles of teammates you invite.
- Billing: limited metadata returned by our payment processor (e.g., last four digits of a card). We never see or store full card numbers.
- Support communications: emails, chat messages, screenshots, and any voluntary disclosures you make.
3.2 Information we collect automatically
- Service usage: webhook event payloads you submit, the destinations you configure, delivery attempt outcomes (status codes, response bodies, latencies, retry counts), request and response headers.
- Authentication telemetry: session tokens, IP addresses, user-agent strings, login timestamps, MFA events.
- Audit log: security-relevant actions taken in your workspace with actor identity, timestamp, and IP.
- Operational metrics: aggregated, non-identifying statistics about Service performance.
- Server logs: HTTP request logs retained for short periods for debugging and security.
3.3 Information from third parties
- Single sign-on providers supply your email, name, and avatar when you sign in via SSO.
- SAML identity providers (when configured by your workspace admin) supply your email and any group/role attributes mapped by your IdP.
- Payment processor supplies subscription status, charge events, and refund events.
- Anti-abuse signals from our infrastructure providers help us detect attacks.
4. How we use information
We process personal data for these specific purposes:
- Service provision: authenticate you, deliver webhooks to your configured destinations, track delivery status, surface analytics.
- Account administration: manage your workspace, subscription, team, and billing relationship.
- Communication: send transactional emails (verify-email, password reset, billing notifications, security alerts). We do not send marketing emails without explicit opt-in.
- Security + fraud prevention: detect unauthorised access attempts, abuse patterns, signs of compromised credentials.
- Compliance: respond to lawful requests, meet tax/accounting obligations, document audit-relevant actions.
- Service improvement: analyse aggregated, non-identifying telemetry (delivery volumes, error rates, latency distributions) to find bottlenecks and prioritise features. This analysis is performed on operational metadata, not payload contents.
- Customer support: investigate and resolve your support requests.
What we will not do with your webhook payloads:
- We do not read payload bodies for any purpose other than delivering them and producing the delivery telemetry you see.
- We do not train machine-learning or generative-AI models on payload contents.
- We do not sell, license, or share payload contents with any party other than the destination URLs you configure (and, where strictly required, lawful authorities — see section 6).
- If we add AI-assisted features (e.g., classification, summarisation, anomaly detection) that require analysing payload contents, those features will be opt-in at the workspace level and clearly labelled before any such processing begins.
5. Lawful bases (GDPR/UK GDPR)
Where GDPR or the UK GDPR applies, we rely on the following
lawful bases for processing personal data (Article 6):
| Purpose | Lawful basis |
| --- | --- |
| Providing the Service you signed up for | Contract performance (Art. 6(1)(b)) |
| Billing + collecting fees | Contract performance |
| Securing the Service (intrusion detection, abuse signals) | Legitimate interests (Art. 6(1)(f)) |
| Communicating about Service changes, outages, security incidents | Legitimate interests + legal obligation |
| Marketing communications | Consent (Art. 6(1)(a)) — explicit opt-in only |
| Compliance with tax, anti-money-laundering, lawful requests | Legal obligation (Art. 6(1)(c)) |
| Aggregated analytics for product improvement | Legitimate interests |
We do not process special-category personal data (Art. 9) for
our own purposes. If your webhook payloads contain such data,
that processing is governed by our DPA and your own lawful
basis as controller.
6. How we share information
We do not sell personal data and we do not share it for
cross-context behavioural advertising. We share data
only in these specific situations:
- Subprocessors: third-party providers we contract with to operate parts of the Service on our behalf. See section 7.
- Webhook destinations: by design, when you configure an endpoint, your event payloads are delivered to that endpoint. We do not control what those destinations do with the data — that is governed by your relationship with them.
- Your workspace teammates: people you invite to your workspace see the workspace's events, endpoints, and audit log per their assigned role.
- Legal compliance: when required by valid legal process and only to the extent legally required. Where permitted, we notify the affected user.
- Vital interests: in a true emergency, as permitted by GDPR Art. 6(1)(d).
- Business transfers: if Silven Dynamics is acquired, merges, or undergoes restructuring, your data may transfer to the successor entity. Your rights under this Policy will be preserved or you will be given the opportunity to delete your data before transfer.
7. Subprocessors
We engage subprocessors in the following categories to operate
the Service:
| Category | Purpose |
| --- | --- |
| Cloud infrastructure | Application hosting, databases, server-side compute |
| Content delivery + DNS | Routing public traffic, DDoS protection |
| Transactional email | Sending verification, reset, and notification emails |
| Single sign-on identity providers | OAuth identity verification when you sign in via SSO |
| Uptime + observability | Monitoring availability and producing the status page |
| Payment processing | Subscription management and billing (when paid plans are active) |
We contractually require each subprocessor to handle personal
data with at least the protections required by GDPR Art. 28 or
equivalent. The current named subprocessor list, with
locations and notification commitments, is provided to
enterprise customers as part of our DPA; email
[email protected] to request a
copy.
8. International data transfers
Our subprocessors operate globally, so personal data may be
processed in jurisdictions outside the one where you reside.
Where data is transferred out of the EU/EEA, the UK, or
jurisdictions with comparable safeguards, the transfer is
protected by one of:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- UK International Data Transfer Addendum (IDTA) or the UK Addendum to the EU SCCs.
- Adequacy decisions, where the receiving country has been recognised as providing adequate protection.
- Recipient-specific certifications such as the EU-US Data Privacy Framework where the recipient participates.
9. Data retention
We retain personal data only for as long as needed to provide
the Service plus a reasonable period to satisfy legal,
accounting, and dispute-resolution obligations. Specifics by
category:
- Webhook event payloads + delivery attempts: retained for the period configured for your plan. You can delete events earlier via the dashboard or API.
- Audit logs: retained for the period configured for your plan, typically 1 year by default with longer retention available on higher tiers.
- Account data: retained while your account is active, plus a short period after deletion to allow recovery and handle disputes.
- Billing + invoice records: retained as required by applicable accounting and tax law.
- Support correspondence: retained for a reasonable period from the last interaction.
- Encrypted backups: rotated on a defined schedule and deleted thereafter.
- Server access logs: short-term, for debugging and security.
Account deletion requests trigger a deletion cycle after which
personal data is permanently removed, except backups (which
expire on their own schedule) and legally-required billing
records.
10. Security
We apply technical and organisational measures designed to
protect personal data against unauthorised access, alteration,
disclosure, or destruction. These include industry-standard
practices around:
- Encryption in transit (TLS) and at rest for sensitive fields.
- Strong password hashing for credentials we store.
- Multi-factor authentication available on every plan.
- Signed outbound webhooks so receivers can verify authenticity.
- SSRF protection on outbound delivery targets.
- IP allow/block lists configurable by workspace admins.
- Audit logging of security-relevant actions.
- Role-based access controls with least-privilege defaults.
- Logical separation of each tenant's data, enforced at the application layer.
- Restricted production access for designated personnel only, with MFA, audit logging, and secret management.
- Continuous dependency scanning for known vulnerabilities.
Enterprise customers receive a detailed Security Whitepaper as
part of due diligence. Email
[email protected] to request
it. No system is perfectly secure; see
section 18 for breach handling.
11. Your rights
Depending on your jurisdiction, you have one or more of the
following rights regarding your personal data:
- Access: receive a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data, subject to legal-retention exceptions.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Restriction: limit how we process your data while a dispute is being resolved.
- Withdraw consent: where processing is based on consent, you can withdraw at any time without affecting prior lawful processing.
- Not be subject to solely-automated decisions that produce legal or similarly significant effects (see section 14).
- Complain: lodge a complaint with your supervisory authority (see section 21).
How to exercise these rights: email
[email protected] with subject
"Data Request". Include the email associated with your Mittr
account and the right you're exercising. We respond within 30
days (extendable by a further 60 days for complex requests).
Workspace owners and admins can also use the in-product Data
Export and Delete All Data tools on plans that include them.
12. Cookies + similar technologies
Mittr uses a small number of cookies and similar storage,
grouped by purpose:
| Purpose | What it does | Strictly necessary? |
| --- | --- | --- |
| Authentication | Keeps you signed in across pages and reloads | Yes |
| Multi-factor authentication | Short-lived state during the MFA challenge step | Yes |
| UI preferences | Remembers your theme and sidebar state | Optional |
We do not use advertising or cross-site tracking
cookies. We do not currently use third-party analytics
cookies. If we add product analytics in the future, this section
will be updated and a cookie banner shown to EU/UK visitors with
a real "Reject all" option.
13. Marketing communications
We send transactional emails (verify, reset,
billing, security) automatically as part of providing the
Service — these are not marketing and you cannot unsubscribe
from them while your account is active.
We may send marketing emails (product updates,
newsletters, beta announcements) only if you explicitly opt in.
Every marketing email includes a one-click unsubscribe link.
14. Automated decision-making
We do not make decisions about you that produce legal or
similarly significant effects based solely on automated
processing without human involvement. Automated systems do
enforce abuse limits (rate limits, SSRF checks,
suspicious-login blocks); their decisions are reversible by
contacting support and reviewable by our team.
15. Children's data
Mittr is a B2B developer tool, not directed at children. We do
not knowingly collect personal data from anyone under the age
of 16, or the equivalent minimum age under applicable local
law. If you believe a child has provided data to us, email
[email protected] and we will
delete it promptly.
16. California addendum (CCPA/CPRA)
If you are a California resident, the California Consumer
Privacy Act (CCPA) as amended by the California Privacy Rights
Act (CPRA) provides additional rights. In the past 12 months we
have collected the categories of personal information described
in section 3 for the purposes described
in section 4.
Your CCPA/CPRA rights:
- Right to know what personal information we have collected, used, disclosed, or sold.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt-out of "sale" or "sharing" — we do not sell or share for cross-context behavioural advertising.
- Right to limit use of sensitive personal information — we do not use sensitive personal information beyond providing the Service.
- Right to non-discrimination for exercising your CCPA/CPRA rights.
To exercise these rights, email
[email protected] with subject
"California Data Request". You may also use an authorised
agent; we will require written authorisation and identity
verification.
17. EU/UK addendum (GDPR / UK GDPR)
If you are in the European Economic Area or the United Kingdom,
this addendum supplements the main Policy.
Data Protection Officer: we have not appointed
a formal DPO under GDPR Art. 37 (our core activities do not
require one at our current scale). Privacy questions go to
[email protected].
Right to complain: you may lodge a complaint
with your local supervisory authority. Find yours at
edpb.europa.eu (EU) or ico.org.uk (UK).
18. Data breach notification
In the event of a personal data breach that is likely to result
in a risk to the rights and freedoms of affected individuals,
we will:
- Notify the relevant supervisory authority within the timeframe required by applicable law (within 72 hours under GDPR Art. 33).
- Notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 34).
- Document the breach, its effects, and remedial action.
- Cooperate with regulators and affected customers in remediation.
19. Beta-specific notice
Mittr is currently in Beta. During the beta
period we may collect somewhat broader diagnostic data than the
eventual general-availability product, to identify and fix
reliability issues. We minimise this collection and apply the
same retention and security protections to it. Diagnostic data
is operational metadata (event identifiers, status codes,
latencies, retry counts) — not the contents of your payloads.
It is never used for advertising and never sold. When Mittr
exits beta, this section will be updated.
As we add new capabilities — including any future AI-assisted
delivery, classification, or observability features — we will
keep the principle in section 4:
anything that requires reading payload contents will be
opt-in, labelled, and reflected in this Policy before it is
activated for your workspace.
20. Changes to this policy
We may update this Privacy Policy from time to time. The
"Effective" date at the top tracks the current version.
For material changes we will notify active account holders by
email at least 30 days before the change takes
effect. Continued use of the Service after the effective date
constitutes acceptance of the updated Policy.
Privacy questions, data-subject requests, complaints,
or requests for our DPA: [email protected] with the
subject "Privacy".
If you are not satisfied with our response, you have the right
to lodge a complaint with your local supervisory authority
(section 17 above) or seek a judicial remedy in the
appropriate jurisdiction.