Legal

Privacy Policy

Privacy notice explaining how LSC EUROPA Ltd. handles account, identity-provider sign-in, billing, website, support, and webhook-related personal data.

Effective date
2026-06-14
Version
2026-06-14-v1

Overview

Repost is webhook infrastructure operated by LSC EUROPA Ltd. This Privacy Policy explains how we handle personal data across the Repost website, dashboard, APIs, support channels, billing flows, and customer webhook processing.

Who this policy applies to

This policy applies when someone visits the Repost website, creates or uses a Repost account, administers or joins a customer organization, contacts support, receives product or legal communications, or appears in customer webhook payloads processed through Repost.

Depending on context, “you” may be a website visitor, account user, organization owner or administrator, billing contact, support contact, business prospect, customer representative, or a person whose personal data appears in a customer webhook payload.

This Privacy Policy does not apply to a customer’s own products, websites, services, sources, destinations, or privacy practices. Customers are responsible for giving notices, collecting consents, and establishing lawful bases for personal data they send to Repost in webhook payloads.

Roles of Repost and customers

For account data, billing data, website visitor data, support data, legal-acceptance records, customer-publicity data, service telemetry, security logs, and business communications, Repost acts as a controller.

For personal data contained in customer webhook payloads, Repost processes that data under the Data Processing Agreement on the customer’s behalf. Depending on the customer’s own role, Repost may be a processor or a sub-processor. If your personal data appears in a customer webhook payload, the relevant customer is usually the party that determines why the data is processed and how your rights should be handled.

Personal data we process

We process personal data that you provide directly, that we receive from customers or service providers, and that is generated automatically when Repost is used.

Account and organization data may include name, email address, authentication metadata, OAuth or identity-provider metadata, organization membership, role, business or consumer status, organization settings, security settings, invitations, account activity, and legal-acceptance records. If you choose to sign in with Google or GitHub, Repost may receive account information from that provider according to the provider’s authorization process and your settings, such as your email address, name, username or handle, profile image or avatar, provider account ID, and related provider metadata.

Billing and payment-related data is processed through Stripe or another payment provider and may include customer identifiers, billing contacts, plan or order information, invoices, tax details, payment status, refunds, and fraud or payment-risk signals. Repost does not store full card numbers.

Website and device data may include IP address, approximate location derived from IP address, browser and device information, referrer, pages viewed, timestamps, cookie preference records, and security or routing metadata.

Service usage data may include buckets, forwarders, API tokens or token metadata, event metadata, delivery attempts, request and response logs, destination configuration, operational telemetry, diagnostics, error reports, security logs, and abuse signals.

Support and communication data may include email, Crisp chat content, support requests, attachments, contact preferences, feedback, survey responses, and related communications.

Business and customer-publicity data may include business contact details, company name, role, public logo, public website, customer relationship status, and opt-out requests.

Customer webhook payloads may contain any personal data chosen by the customer. Customers are responsible for the content, accuracy, transparency, lawful basis, and permissions for that data.

Third-party sign-in and identity providers

Repost allows users to create or access an account using third-party identity providers such as Google and GitHub. When you choose one of these sign-in methods, you authorize Repost to receive account information from that provider according to the provider’s authorization process and your settings. This information may include your email address, name, username or handle, profile image or avatar, provider account ID, and related authentication metadata.

Repost uses this information to create and maintain your account, authenticate you, link provider accounts to your Repost account, secure the Service, prevent fraud or abuse, and provide support. Repost may store OAuth tokens, provider account identifiers, and provider metadata where needed to maintain login, session security, account linking, or audit records.

Google and GitHub process your sign-in under their own terms, privacy notices, and account settings. Repost does not control those providers’ processing outside the information that Repost receives from or discloses to them as part of the user-selected sign-in flow.

We process personal data only where we have a legal basis. The legal basis depends on the context and purpose.

PurposeExamplesLegal basis
Provide and administer RepostAccounts, authentication, organizations, dashboard, APIs, event routing, replay, search, exports, support, noticesContract performance or steps before contract
Billing and taxCheckout, invoices, payment status, VAT or tax records, refunds, accountingContract performance and legal obligations
Security and abuse preventionAuthentication logs, API and event telemetry, Cloudflare Turnstile bot-protection signals on authentication and account-recovery flows, abuse signals, fraud or payment-risk signals, rate-limit enforcement, incident responseLegitimate interests in securing Repost, customers, users, and third parties; legal obligations where applicable
Service diagnostics and improvementError logs, performance metrics, aggregate usage, feature diagnostics, support patternsLegitimate interests in operating and improving Repost
Customer webhook processingPayload receipt, storage, delivery, retries, search, replay, export, deletionCustomer instructions under the Data Processing Agreement
Legal and complianceLegal acceptance records, audit trails, sanctions or abuse review, regulatory responses, dispute recordsLegal obligations and legitimate interests in enforcing rights and defending claims
Cookies and live chatConsent preferences, functional chat, related support metadataConsent or opt-in preference where required; legitimate interests for strictly necessary cookies
Customer publicity and business communicationsIdentifying Business Customers, sales communications, logo-list opt-outs, product updatesLegitimate interests in business communications and customer identification, subject to opt-out and the Terms

Where we rely on legitimate interests, we balance those interests against the rights and freedoms of affected individuals.

Customer webhook payloads

Repost does not control what personal data customers include in webhook payloads. Payloads may include ordinary personal data, confidential information, regulated data, or special categories of personal data if a customer chooses to send that data.

Customers must not intentionally send payment card numbers, protected health information, children’s data, special categories of personal data, criminal-offence data, government identifiers, or other data requiring a dedicated regulatory agreement or additional security controls unless Repost has expressly agreed in writing.

Repost processes customer webhook payloads to provide the service, follow customer configuration, secure the service, comply with law, and perform deletion or export. Repost does not use customer webhook payloads to train general AI models unless the customer separately agrees in writing.

Cookies and support chat

Strictly necessary cookies and similar technologies support authentication, session security, routing, Cloudflare security, and storage of consent preferences. We use Cloudflare Turnstile on sign-in, sign-up, and password-reset flows to detect and block automated abuse. Cloudflare may process security signals such as IP address, user-agent, TLS or browser signals, sitekey, origin, and challenge outcome for bot detection and service security.

Functional cookies and scripts, including Crisp live chat, are off by default where opt-in is required and load only after the relevant preference is granted.

Repost does not use analytics or marketing cookie categories under the current Cookie Policy. Cookie preferences can be managed or withdrawn as described in the Cookie Policy.

Customer publicity and marketing communications

For Business Customers, Repost may process company name, standard public logo, business contact details, customer relationship status, and opt-out records to identify the customer as a Repost customer in customer lists, the Repost website, sales materials, investor materials, and other marketing communications, as described in the Terms of Service.

Repost does not use customer-publicity data to imply endorsement, partnership, or approval of a specific statement without prior written approval. Business Customers may opt out of future public customer identification by sending notice to [email protected]. After an opt-out, Repost will stop new public uses within a reasonable period, but existing printed, published, archived, or reasonably difficult-to-remove materials may remain as described in the Terms.

We may send service, legal, billing, security, and product communications. Marketing communications can be declined or opted out where required by law. Service, legal, billing, and security messages may still be sent where needed.

How we share personal data

We share personal data only where needed for the purposes described in this Privacy Policy, the Terms, the Data Processing Agreement, customer configuration, or applicable law.

We may share personal data with:

  • sub-processors and service providers listed on the Sub-processors page, including hosting, infrastructure, billing, support, email, security, and observability providers;
  • organization owners, administrators, and authorized users according to the customer’s settings and roles;
  • customer-configured destinations, integrations, sources, and other third parties instructed or authorized by the customer;
  • payment, tax, fraud-prevention, banking, and accounting providers involved in billing or checkout;
  • professional advisers, auditors, insurers, and legal representatives;
  • courts, regulators, law enforcement, public authorities, or third parties where disclosure is required by law or reasonably necessary to protect rights, safety, security, or service integrity;
  • parties involved in a merger, acquisition, financing, reorganization, sale of assets, insolvency process, or similar corporate transaction, subject to appropriate safeguards.

We may use and disclose aggregate or deidentified information that does not identify an individual unless prohibited by law.

Retention

We retain personal data for the period needed for the relevant purpose, including to provide Repost, follow customer configuration, comply with law, resolve disputes, enforce agreements, maintain security, and keep appropriate business records.

Event and payload retention follows the customer’s applicable plan, dashboard settings, checkout, order form, invoice, or written agreement. Retention may also be affected by deletion requests, exports, backup lifecycle, security holds, legal holds, and technical feasibility.

Account and organization records are retained while the account or organization is active and for a reasonable period after closure where needed for security, audit, dispute, or legal purposes. Billing, tax, accounting, and legal records are retained for legally required periods. Support records are retained for the period needed to respond, improve support, and keep an audit trail. Cookie preference records are retained to remember and prove choices. Security logs may be retained for longer where needed to investigate abuse, protect Repost, or comply with law.

When personal data is no longer needed, Repost deletes, anonymizes, or isolates it according to retention schedules, backup lifecycle, and legal obligations.

International transfers

Current sub-processors, processing locations, and transfer notes are listed on the Sub-processors page. Customer data may be processed outside the European Economic Area, including in the United States and other locations used by Repost or its sub-processors.

International transfers from the European Economic Area, United Kingdom, or Switzerland are supported by EU-US Data Privacy Framework participation where verified, Standard Contractual Clauses where needed, transfer-impact assessments where appropriate, and onward-transfer controls described in the Data Processing Agreement.

Where required by law, you may request information about transfer safeguards by contacting [email protected].

Security

Repost uses technical and organizational controls appropriate to the service, including access controls, TLS in transit, provider encryption at rest where verified, monitoring, logging, backup controls, least-privilege practices, and incident response.

Per-organization envelope encryption is confirmed only for secret-manager secrets and is not claimed for webhook payloads, event history, request/response logs, or search indexes unless separately verified.

No system can be guaranteed to be perfectly secure. Customers are responsible for source systems, destinations, credentials, API keys, webhook validation, endpoint access, organization membership, and customer-side backups.

Automated decisions and AI

Repost does not use personal data to make solely automated decisions that produce legal or similarly significant effects for individuals.

Repost may use automated systems to detect abuse, security risk, delivery failure, payment risk, or policy violations. These systems may flag activity for review, restriction, suspension, or enforcement where allowed by the Terms and applicable law.

Repost does not use customer webhook payloads to train general AI models unless the customer separately agrees in writing.

Your rights and choices

Depending on applicable law, you may request access, rectification, erasure, restriction, portability, objection, or withdrawal of consent. You may also object to processing based on legitimate interests and opt out of direct marketing where applicable.

Requests can be sent to [email protected]. We may need to verify your identity, confirm your authority to act for an organization, or ask for information needed to locate the relevant data. We will respond within the period required by applicable law.

For webhook payload data processed on behalf of a customer, Repost may need to forward, coordinate, or refer the request to that customer because the customer determines the processing purposes and instructions.

You may complain to the Bulgarian Commission for Personal Data Protection or another competent supervisory authority.

Children

Repost is not directed to children and is not intended for use by children under 16. Customers must not intentionally send children’s data through Repost unless Repost has expressly agreed in writing and the customer has all required notices, consents, and legal bases.

Controller identity and contact

LSC EUROPA Ltd. operates Repost. We are a Bulgarian limited liability company with registered office at 6 General Vladimir Vazov Street, Entrance A, Floor 1, Apartment 2, 5800 Pleven, Bulgaria, UIC 204978528 and VAT BG204978528.

Privacy requests can be sent to [email protected]. General legal notices can be sent to [email protected].

Changes

We may update this notice. Material changes will be communicated where required by law.