Privacy

Last updated: 2026-05-18

Middleman is a hosted webhook proxy. Below is what we collect, where it goes, and how to ask for it back. Plain English, no surprises.

What we collect

When you sign up: your email address and a password hash. Supabase Auth manages this — we never see the plaintext password.

While you use the service:

• The endpoint UUIDs you create.
• Each request that hits your proxy URL: method, path, headers, body, response status and body, timestamps. This is the history feature.
• Any JSON template you configure.

If you click "Notify me when available" on the pricing page: your email and the tier you expressed interest in. Stored separately from your account.

Anonymous analytics: we use PostHog to count pageviews and clicks. If you're signed in, your endpoint UUID is the identifier — your real-world identity is not linked.

Where it goes

• Supabase — database + auth (hosted in the EU).
• PostHog — product analytics (hosted in the EU).
• Google Cloud — hosting (EU region).

We don't sell or share your data with anyone else.

How long we keep it

• Request history: capped at the last 100 requests per endpoint and swept regularly. Not designed for long-term storage.
• Account data (email, endpoints): until you delete your account.
• Pricing-page interest list: until paid tiers ship, or you ask us to remove it.

Your rights

You can ask us to:

• Show you what we have on file for your account.
• Delete your account and everything tied to it.
• Remove your email from the pricing interest list.

Email us at support@middleman.fyi.

Cookies

• A session + refresh-token cookie pair (HttpOnly, SameSite=Lax) for authentication.
• A guest endpoint cookie if you visit without signing in.
• PostHog uses localStorage for its anonymous identifier — not a cookie.

No third-party advertising cookies, no cross-site tracking.

Changes

We'll update this page if our practices change. The date at the top reflects the most recent revision.