Privacy Policy
What data HookWatch collects, why we collect it, how we use it, and the choices you have. Written plainly, without compliance theatre.
Last updated: 6 July 2026
This policy explains how HookWatch (“HookWatch”, “we”, “us”) handles personal and operational data when you use the HookWatch service. HookWatch is a webhook reliability, debugging, replay, and monitoring tool for developers.
Who we are
HookWatch is an independent SaaS product operated by an individual developer, not an incorporated company. For any privacy question, contact privacy@hookwatch.dev.
Scope of this policy
This policy covers the HookWatch marketing site, dashboard, API, and terminal client. It does not cover third-party services you connect to HookWatch (for example, the providers that send webhooks to you, or the destination systems you forward them to) — those are governed by their own policies.
Data we collect
We collect the following categories of data.
Webhook data and payloads
When a provider sends a webhook to an endpoint you created, HookWatch may receive and store the delivery so you can inspect, retry, and replay it. Depending on what the provider sends, this can include:
- endpoint URL and configuration
- request headers
- request body / payload
- response status code
- response body or a snippet of it
- delivery timestamps and attempt metadata
- retry / replay metadata
- failure reason and debugging metadata
Account and workspace data
- email address
- name, if you provide one
- authentication and session metadata
- workspace membership and role
Technical and usage data
- IP address
- user agent and basic device/browser metadata
- application and access logs
- security and audit events
- approximate location derived from IP, where used for security
Billing data
HookWatch does not currently run paid billing. If and when billing is enabled, payments would be handled by Paddle, which acts as our payment processor and merchant of record; we would process a billing customer reference and related metadata. We do not claim billing exists today, and we do not store full card details ourselves. See the Refund Policy.
How we use data
- to capture, forward, retry, and replay your webhook deliveries
- to show delivery history, failures, and monitoring in the dashboard and terminal client
- to authenticate you and enforce workspace access
- to operate, secure, debug, and improve the service
- to detect and prevent abuse (see the Acceptable Use Policy)
- to communicate with you about the service
Legal bases / processing reasons
Where data-protection law applies, we rely on: performance of our agreement with you (to provide the service), our legitimate interests (to secure, operate, and improve it), your consent where required, and compliance with legal obligations. We do not claim certification under any specific regime — see the caveats on our Security page.
Data retention
How long we keep webhook deliveries depends on your subscription plan — higher plans retain delivery history for longer. Exact per-plan windows will be published when paid plans launch; account data is kept while your workspace is active. You can delete endpoints and, where supported, their delivery history from the dashboard; deleting your workspace removes its associated data subject to backups and legal requirements.
Data sharing / subprocessors
We do not sell your data. We share data with the third-party providers we use to operate the service (“subprocessors”) — for example hosting and infrastructure. The current list, with honest placeholders where a provider is not yet confirmed, is on the Subprocessors page.
International transfers
Depending on where our infrastructure and subprocessors are located, your data may be processed outside your country. Where required, appropriate transfer safeguards apply. Specific hosting locations are listed on the Subprocessors page once confirmed.
Security measures
We describe what is actually in place today — workspace isolation, write-only secrets, encryption of notification secrets at rest, and SSRF-guarded forwarding — on the Security page, along with an honest list of what we do not claim. We do not claim SOC 2, HIPAA, ISO, or GDPR certification.
User choices and rights
Depending on your location, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise a right, contact privacy@hookwatch.dev. Because HookWatch is often a processor of data you control (your webhook payloads), some requests may need to be directed to, or coordinated with, the party that controls that data.
Children's privacy
HookWatch is a developer tool and is not directed to children. We do not knowingly collect personal data from children.
Changes to this policy
We may update this policy as the product develops. Material changes will be reflected by the “Last updated” date above, and where appropriate we will provide additional notice.
Contact
Privacy questions: privacy@hookwatch.dev. For other channels, see Legal Contact.