Privacy Policy

Hookbase is a webhook monitoring, inspection, and debugging platform. By using Hookbase you agree to this Privacy Policy.

• Account data — name, email address, hashed password, and (if applicable) OAuth provider identifiers when you register.
• Webhook request data — HTTP method, path, headers, body, source IP, and response metadata for every request received at your endpoints. This is the core service data.
• Usage data — request counts, replay counts, and feature usage counters used for quota enforcement and billing.
• Audit logs — records of sensitive account and workspace actions (logins, member changes, config changes) for security and compliance.
• Payment data — billing is handled by Stripe. We store only your Stripe customer ID and subscription status; full card numbers are never stored on our servers.
• Phone number — collected only if you enable SMS-based two-factor authentication via Twilio. Used solely for delivering one-time codes; never used for marketing.
• API keys — hashed identifiers generated when you create an API key. The raw key is shown only once at creation and never stored in plaintext.
• Technical data — browser/device type, IP address, and session tokens collected automatically when you use the web interface.

• Providing and improving the Hookbase service.
• Enforcing plan limits and processing subscriptions.
• Sending transactional emails (password reset, invite, verification).
• Detecting abuse, fraud, and security incidents.
• Complying with legal obligations.

We do not sell, rent, or share your data with third parties for advertising purposes.

Webhook request data is retained for the period covered by your plan:

• Developer (free) — 7 days
• Pro — 30 days
• Enterprise — 365 days

Pinned requests are excluded from automatic purges and kept until you unpin and delete them manually. Account data is retained for as long as your account is active. Upon account deletion, all your data is permanently removed within 30 days.

We share personal data only with:

• Stripe — for payment processing.
• Infrastructure providers — cloud hosting and database providers who process data on our behalf under data processing agreements.
• Error monitoring — anonymised error traces may be sent to Sentry for debugging; no webhook payload data is included.
• Alert destinations you configure — when you set up alert channels (Slack, Discord, PagerDuty, email, or SMS), Hookbase sends alert payloads (endpoint name, event type, request counts, timestamps) to the webhook URLs or addresses you provide. You are responsible for the privacy implications of those destinations.
• Forwarding targets you configure — routing rules and replay targets allow you to forward raw webhook payloads to external URLs of your choosing. Hookbase acts as a conduit; you are solely responsible for the data sent to those targets.
• Twilio — if you enable SMS two-factor authentication, your phone number and a one-time code are transmitted to Twilio to deliver the SMS.
• Legal authorities — if required by law or to protect our legal rights.

You may generate share tokens to create publicly accessible links to individual webhook requests. Anyone with the link can view the request payload without authentication. Share tokens can be revoked at any time from the dashboard, and optionally expire automatically. You are responsible for controlling who you share these links with.

We use session cookies and local storage strictly necessary for authentication and user preferences (e.g. dark mode). We do not use tracking or advertising cookies.

We use industry-standard measures including TLS in transit, hashed passwords (bcrypt), Redis-based rate limiting, two-factor authentication, and tamper-evident audit log hashing. No system is perfectly secure; you are responsible for keeping your credentials confidential.

Depending on your jurisdiction you may have the right to:

• Access a copy of your personal data.
• Correct inaccurate data.
• Request deletion of your account and all associated data.
• Object to or restrict certain processing.
• Data portability (receive your data in a machine-readable format).

To exercise any of these rights, email us at the address below.

Hookbase is not directed at children under 16. We do not knowingly collect data from anyone under 16.

We may update this policy from time to time. Material changes will be notified by email or via an in-app notice. Continued use after a change constitutes acceptance.

For privacy enquiries or data requests, contact us at [email protected].