Privacy Policy
Effective date: 1 May 2026
This policy explains what data Conduit collects, why, how long it is kept, and the rights you have over it.
Conduit is a free SaaS that bridges inbound SMTP email to outgoing HTTP webhooks. It is operated as a personal project — there is no company behind it, the source code is not public, and there is no self-hosted version.
1. Who is the controller?
Conduit is operated by:
Christian Joergensen (sole operator)
Email: christian@technobabble.dk
I act as the data controller for personal data processed through Conduit. Use the email above for any privacy question, request, or complaint.
2. What data is collected?
Conduit collects only what it needs to operate the service.
Account data
- Email address — used for sign-in, password reset, and service notices
- Hashed password — only if you sign in with email and password (stored as a bcrypt hash; the plaintext is never persisted)
- OAuth subject identifier and email — only if you sign in with Google or GitHub
- Two-factor authentication secret — only if you enable 2FA, stored encrypted at rest
- Timezone preference
Webhook configuration
- Webhook names, target URLs, and per-webhook secrets
- SMTP authentication credentials you configure (bcrypt-hashed)
- Domain ownership verification records
- SMTP security policy settings (allowed source CIDRs, etc.)
Delivery logs (kept for 30 days)
- Sender envelope address
- Recipient envelope address
- Subject line
- SMTP response code returned to the sending server
- Timestamp of the delivery attempt
- HTTP status code returned by your webhook
- Source IP address of the SMTP connection
Audit log (kept for 180 days)
- Action identifier (e.g. "webhook.created", "account.password_changed")
- Timestamp of the action
- Client IP address from which the action was taken
- Brief metadata about the resource involved (e.g. webhook ID and name) — never secrets or message content
Email content is NOT stored
When an email arrives, Conduit forwards the message body to your configured webhook URL and discards it. The full message body and headers exist only in memory for the duration of the delivery call. No part of the message body is written to the database, to disk, or to logs.
Cookies
- A session cookie (HTTP-only) used to keep you signed in
- A CSRF token cookie used to protect form submissions
There are no marketing, advertising, or analytics cookies. Conduit does not use third-party analytics.
3. Why is this data collected?
| Data | Purpose | Lawful basis (GDPR) |
|---|---|---|
| Account email and credentials | Authenticate you to the service | Contract — Art. 6(1)(b) |
| Webhook configuration | Operate the service you signed up for | Contract |
| Delivery logs | Help you debug failures and meet operational/security needs | Contract and legitimate interest |
| Audit log | Record security and configuration changes for your review and account protection | Contract and legitimate interest |
| Cookies (session, CSRF) | Keep you signed in and prevent CSRF attacks | Strictly necessary |
| OAuth identifiers | Let you sign in with Google or GitHub | Contract |
4. How long is data kept?
| Data | Retention |
|---|---|
| Email content (message body and headers) | Not stored — held in memory during delivery only |
| Delivery logs | 30 days, then deleted automatically |
| Audit log | 180 days, then deleted automatically |
| Account and configuration data | Until you delete your account |
| Backups | Encrypted backups are kept for up to 1 year for disaster recovery (see Section 7) |
You can delete your account yourself at any time from the account settings page. Account deletion immediately removes all of your account data, webhooks, and delivery logs from the live database.
5. Third-party processors
The following providers process data on Conduit's behalf:
| Provider | Purpose | Data shared |
|---|---|---|
| HostHatch | Server hosting (New York, United States) | Everything stored by Conduit (database files, application memory) |
| Cloudflare | DNS hosting and Turnstile (anti-bot challenge on auth forms) | Your IP address and a Turnstile token at sign-up and sign-in |
| Resend | Transactional email (sign-up confirmation, password reset, service notices) | Your email address and the message content |
| Google | OAuth sign-in — only if you choose to sign in with Google | Your Google profile email and subject ID |
| GitHub | OAuth sign-in — only if you choose to sign in with GitHub | Your GitHub profile email and subject ID |
These providers act as data processors and are bound by their own terms to handle the data only for the purposes above.
6. Your rights
The major privacy frameworks (GDPR, UK GDPR, Swiss FADP, and CCPA among them) all give you broadly the same set of rights. Regardless of where you live, when you use Conduit you may:
- Access the personal data Conduit holds about you
- Correct information that is wrong (most fields are editable from the account settings page)
- Delete your account and all associated live data (self-service from account settings)
- Export your data in a machine-readable format
- Object to processing or restrict how your data is used
- Withdraw consent for any processing that relies on consent
- Lodge a complaint with your local data protection authority
To exercise any of these rights — including data export, or deletion of your data from backups — email christian@technobabble.dk. Requests are answered within 30 days.
7. Backups
Encrypted backups of the live database are kept for disaster recovery for up to 1 year, then deleted on a rolling schedule. If you delete your account, residual copies of your data may persist in backups until those backups expire.
If you want your data removed from backups as well — for example, to satisfy a GDPR erasure request — email christian@technobabble.dk and your data will be removed from backup storage as part of the request.
8. International transfers
Conduit's servers are located in New York, United States. If you access Conduit from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data-export rules, your personal data is transferred to the United States to operate the service.
The legal basis for this transfer is the Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the additional safeguards listed in Section 9 (encryption at rest, TLS in transit, no storage of email content). Some sub-processors (Cloudflare, Google, GitHub, Resend) operate globally and may also transfer data outside the EEA; each relies on SCCs or, where applicable, the EU–US Data Privacy Framework.
You can request a copy of the SCCs in force, or more detail on the safeguards in place, by emailing christian@technobabble.dk.
9. Security
Conduit takes reasonable technical measures to protect your data:
- Passwords and SMTP authentication credentials are hashed with bcrypt
- Two-factor authentication secrets are stored encrypted at rest
- Inbound SMTP supports STARTTLS; outbound webhook calls use TLS with certificate validation
- Sessions use HTTP-only cookies and CSRF tokens
- Email content is never written to disk or stored in the database
No service is perfectly secure. If you believe you have found a security issue, please email christian@technobabble.dk.
10. Children
Conduit is not directed at children under 16 and does not knowingly collect data from them. If you believe a child has signed up, email christian@technobabble.dk and the account will be removed.
11. Changes to this policy
If this policy changes in a material way, the new version will be published at this URL with an updated effective date, and signed-in users will be notified by email. Minor edits (typos, clarifications, formatting) may be made without notice.
12. Contact
For any privacy question or request:
Christian Joergensen
christian@technobabble.dk