How Webhook Platform handles your data.

Account information. When you sign in with Google, we receive and store your Google account identifier, name, email address, and profile image. We do not receive or store your Google password.

Workspace and application data. We store organization names, memberships, member roles (owner or member), endpoint URLs, endpoint descriptions, endpoint metadata, HMAC signing secrets, API key hashes, notification preferences (notification email addresses and Slack webhook URLs you provide), billing identifiers (Stripe customer and subscription IDs), and team invitation records (invitee email, role, and expiry).

Delivery operations data. When you send webhook events through the platform, we store event types, webhook payloads (as JSON), delivery attempt status, response status codes, response bodies, latency measurements, retry state, and error messages to route, monitor, and replay deliveries.

Usage data. We track the number of messages sent per application each month to enforce plan quotas. This counter resets on the first day of each calendar month.

We use account and configuration data to provision workspaces, authenticate users via Google OAuth, issue and validate API credentials (API keys are stored as SHA-256 hashes; the plaintext key is shown only at creation or rotation), deliver webhook events to your configured endpoints, surface delivery logs, and enforce security controls such as endpoint circuit breakers and SSRF protection.

We use contact information to send product notices, access-related messages, team invitations (via email), failure and endpoint-disabled notifications (via email or Slack, depending on your notification settings), support responses, and billing updates.

The dashboard uses a session cookie managed by NextAuth to authenticate your browser session. We also set a cookie (activeOrgId) to remember which organization you are currently working in. These cookies are essential to operate the service and cannot be disabled while using the dashboard.

We do not use advertising cookies or third-party tracking pixels.

Webhook payloads you send through the platform may contain personal data belonging to your end users or other third parties. You are the data controller for all content transmitted via webhook payloads. We process this content solely as a data processor on your behalf to deliver, log, and retry webhook events.

You are responsible for ensuring you have the necessary rights, consents, and legal basis to transmit any personal data contained in your payloads through the platform.

We do not sell personal information. We share data with the following categories of service providers, only to the extent needed to deliver the service:

• Authentication: Google (OAuth sign-in)
• Payment processing: Stripe (subscription billing, plan management)
• Email delivery: Resend (team invitations, failure notifications)
• Hosting: Cloud infrastructure providers for application servers, databases, and static assets

We may also disclose information when required to comply with law, enforce service terms, protect the platform, or investigate abuse.

Account and workspace records are retained while the account remains active and afterward only as needed for security, billing, support, or legal obligations.

Delivery attempt logs (including webhook payloads, response bodies, and error messages) are retained according to your active plan tier. Current public tiers retain logs for 7, 30, or 90 days, after which they are purged automatically. See the pricing page for plan-specific retention windows.

Team invitation records expire after 7 days and are retained only for audit and support purposes.

You can update endpoint configuration, rotate API keys, manage notification preferences (email and Slack), and manage team access (invite or remove members) from the dashboard at any time.

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data, or to restrict or object to certain processing. To exercise any of these rights or to request full account and data deletion, email [email protected]. We will respond within 30 days or within the timeframe required by applicable law.

General product support is available through [email protected] or the contact page.

The service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact [email protected] and we will promptly delete it.

Your information may be processed and stored in countries other than the one in which it was collected, including the United States. Where we transfer personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms recognized by applicable law.

We use reasonable administrative and technical safeguards to protect stored account information and delivery data, including hashed API key storage (SHA-256), HMAC-SHA256 signed webhook payloads, SSRF protection on endpoint URLs, and encrypted connections. No system can guarantee absolute security, so you should avoid sending secrets or data you are not authorized to process. To report a security concern, contact [email protected].

If this policy changes materially, we will update this page, revise the effective date, and where practicable provide notice via the dashboard or the email address associated with your account. Your continued use of the service after a change takes effect constitutes acceptance of the revised policy.