Privacy Policy
Last updated: February 23, 2026
toWorthy provides online tools including Webhook Logger, Uptime Monitor, Redirect Monitor, Rate Limit Tester, QR Generator, Secret Share, and developer utilities. Our core principle is data minimization: we process only data required to operate each feature.
Controller and contact
toWorthy is operated by an independent developer acting as data controller for account and product operation data. For privacy requests, use our contact form and include "Privacy Request" in the message.
What we collect
Account data: username, hashed password, and optional email for alerts and account communication. Monitoring data: webhook payloads and headers, uptime/redirect/rate-limit check results, incidents, and monitor configuration. Operational analytics: page path, referrer, and device class for product improvement.
Security and encryption scope
Secret Share messages are encrypted before storage and decrypted only when a valid reveal flow is completed. Encryption and key handling for Secret Share are performed on the server side. Optional secret passwords are stored as one-way Argon2id hashes. Do not rely on this feature as a long-term vault or regulated key-management system.
File processing
Many tools run locally in your browser. File-based tools may process uploads on the server in temporary storage
(for example /tmp) and remove them after processing.
Data retention schedule
| Data category | Purpose | Retention rule |
|---|---|---|
| Account profile | Authentication and account operation | Stored while account is active; removed after account deletion workflow, except legally required records. |
| Webhook requests | Debugging and replay | Pruned automatically when per-endpoint storage limits are reached; users can delete endpoints and related data. |
| Uptime/redirect/rate-limit checks | Monitoring history and incident review | Stored while monitor features are used; deleted when related resources are removed or during operational cleanup. |
| Secret Share records | One-time secret delivery | Secret content becomes inaccessible after expiry/view limits; sensitive fields are wiped when final view is consumed. |
| Operational analytics | Product usage insights | Kept for service analytics and periodically cleaned up according to internal operations policy. |
DSAR workflow (Data Subject Requests)
- Submit a request through the contact form and select "Privacy / DSAR request".
- Specify request type: access, rectification, deletion, restriction, portability, or objection.
- We verify identity before processing account-linked requests.
- We respond within 30 days. For complex requests, this may be extended where law allows, with notice.
- If deletion is requested, we remove eligible data unless retention is legally required or necessary for security/abuse prevention.
Cookies and sessions
We do not use advertising cookies. The app uses strictly necessary technical cookies/session storage (for example session and CSRF protection) to operate securely.
Third parties and transfers
We do not sell personal data. Service providers (hosting, email delivery, infrastructure) may process data on our behalf under contractual safeguards and only for service operation.
Policy updates
We may update this policy. Material changes are published with an updated version date.