1. Introduction
DiffWatch (“we”, “us”, “our”) operates diff.watch — a website change monitoring API for AI agents and developers. This Privacy Policy explains what data we collect, how we use it, and the choices you have regarding your information.
By using DiffWatch, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
Account Information
- Name and email address — provided when you register
- Password — hashed with bcrypt and never stored in plaintext (email/password auth only)
API & Monitor Data
- API requests made with your API keys
- Monitor URLs you configure for change detection
- Check frequency settings and webhook URLs
- Content snapshots of monitored pages, retained per your plan:
  - Free: 7 days
  - Pro: 30 days
  - Business: 90 days
  - Scale: 1 year
- Change history and computed diffs
Payment Information
Billing is handled by Polar.sh (our Merchant of Record). We do not store credit card numbers or sensitive payment details. Polar.sh processes all transactions under their own privacy policy.
Technical Data
- IP addresses and request metadata (for rate limiting and abuse prevention)
- Browser and device information
- Anonymized usage analytics to improve the service
3. How We Use Your Information
- Provide, operate, and maintain the DiffWatch service
- Process API requests and run scheduled monitor checks
- Deliver webhook notifications you have configured
- Manage billing and subscriptions via Polar.sh
- Improve service quality, diagnose bugs, and develop new features
- Send transactional emails (account confirmation, plan changes, important service updates)
- Enforce our Terms of Service, including detecting and investigating abuse
- Comply with applicable legal obligations
4. Data Storage & Security
- All data is stored on Cloudflare’s global network (D1 database, R2 object storage, KV cache)
- Passwords are hashed with bcrypt — never stored in plaintext
- API keys are hashed in the database — the full key is shown only once at creation and cannot be recovered
- All connections are encrypted via TLS/SSL
- Website snapshots are retained according to your plan (7 days to 1 year), then permanently and automatically deleted
- Upon account deletion, all personal data is removed within 30 days, except where retention is required by law
5. Third-Party Services
DiffWatch relies on the following third-party services to operate. Each provider processes data under their own privacy policy.
- Cloudflare — hosting, CDN, DNS, and edge compute
- Polar.sh — payment processing (Merchant of Record)
- WatchTower — web scraping engine used for anti-bot bypass when fetching monitored URLs
6. Data Sharing
We do not sell, rent, or trade your personal data. Your information is shared only in the following limited circumstances:
- Payment processing — billing data shared with Polar.sh solely to process your subscription
- Legal requirements — disclosure to law enforcement or government authorities when required by applicable law, valid legal process, or to protect the safety of users or the public
- Abuse prevention — we may share data with third-party abuse detection services or report to relevant authorities when we detect illegal activity, including child sexual abuse material (CSAM)
7. Your Rights
Regardless of where you are located, you have the right to:
- Access — request a copy of the personal data we hold about you
- Correct — update inaccurate information in your account settings
- Delete — remove your account and associated data via Settings → Danger Zone, or by contacting us
- Export — receive a machine-readable copy of your data upon request
- Object or restrict — object to certain processing activities or request that we restrict processing in specific circumstances
- Withdraw consent — where processing is based on your consent, you may withdraw it at any time
GDPR (EU/EEA Users)
If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local supervisory authority. Our lawful basis for processing your data is: contract performance (to provide the Service), legitimate interests (abuse prevention, security), and legal obligation (compliance with applicable law).
CCPA (California Users)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell your personal information.
To exercise any of these rights, contact us at support@diff.watch.
8. Cookies
DiffWatch uses session cookies only for authentication purposes. We do not use third-party tracking cookies, advertising cookies, or behavioral analytics cookies. You can disable cookies in your browser settings, but doing so will prevent you from logging in to the dashboard.
9. Children’s Privacy
The Service is not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us immediately at support@diff.watch and we will delete it promptly.
10. International Data Transfers
DiffWatch operates on Cloudflare’s global edge network. Your data may be processed in data centers outside your country of residence, including in the United States. By using the Service, you consent to such transfers. We rely on Cloudflare’s Standard Contractual Clauses and other appropriate safeguards for international data transfers where required.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email and update the “Last updated” date at the top of this page. Continued use of the service after changes are posted constitutes acceptance of the revised policy.
12. Contact
If you have questions, concerns, or requests regarding this Privacy Policy, please reach out at support@diff.watch. For abuse or safety concerns, contact abuse@diff.watch.