
Privacy policy

Last updated: April 29, 2026 · Version 1.0

This is a starter template. Replace every placeholder marked [LIKE THIS] with your real information, and have the result reviewed by a qualified lawyer in your jurisdiction before publishing.

Who we are

HookSpy ("HookSpy", "we", "us") is a webhook inspection service operated by [YOUR LEGAL ENTITY NAME], a company registered in [JURISDICTION] at [REGISTERED ADDRESS].

This policy explains what personal data we collect, why we collect it, what we do with it, and your rights over it. It applies to everyone who uses the HookSpy hosted service at https://hookspy.io and our official command-line tool.

For privacy-related questions, email privacy@hookspy.io.

What we collect

Information you give us

  • Account information. Your email address, your name, and a hash of your password (we never store the password itself).
  • Subscription data. Your plan tier and billing dates. Payment card details are handled by our payment processor — we never see them.
  • Inbox configuration. The names, slugs, and settings of any inboxes you create.

Information generated by your use of the service

  • Captured webhook data. The headers, body, source IP, and timing of every HTTP request sent to your inbox URLs. This is the core function of the service — we hold this data so you can inspect it.
  • Authentication sessions. When you sign in, we create a session record containing the issued cookie's hash, the IP address you signed in from, your browser's user-agent string, and timestamps.
  • Tunnel tokens. When you create a CLI tunnel token, we store its hash, prefix, name, and last-used timestamp.
  • Operational logs. Standard server logs including timestamps, request paths, status codes, and IP addresses, kept for at most 30 days for security and debugging.

What we do not collect

  • We don't use third-party analytics or tracking cookies.
  • We don't run advertising or share your data with advertisers.
  • We don't profile, score, or otherwise process your captured webhook content for any purpose other than displaying it back to you.

About third-party data in webhooks

The webhooks you capture may contain personal data about your customers or end-users (for example, names and email addresses in Stripe payment events). Under GDPR, you are the controller of that data and HookSpy is the processor. You're responsible for having a lawful basis to send it through HookSpy and for telling your end-users about it where required.

If you need a Data Processing Agreement (DPA), email legal@hookspy.io.

How we use it

  • To provide the service: displaying your captured webhooks, streaming them to the dashboard and CLI, enforcing rate limits, applying retention.
  • To secure your account: verifying your sign-ins, detecting abuse, blocking attacks.
  • To bill you: matching your subscription state to your account so the right plan limits apply.
  • To communicate with you: sending verification emails, password resets, billing notifications, and (rarely) important service updates. We don't send marketing emails unless you opt in.
  • To comply with the law: responding to lawful requests from authorities where we have a legal obligation.

Sharing & subprocessors

We don't sell your data. We share it only with the service providers we need to run HookSpy:

Subprocessor | Purpose | Location
[HOSTING PROVIDER] | Servers and database storage | [REGION]
Polar.sh | Payment processing & subscription billing | EU / Stripe-backed globally
[EMAIL PROVIDER] | Transactional email delivery | [REGION]
Cloudflare | CDN, DDoS protection, DNS (if used) | Global

Each subprocessor has signed a data-processing agreement with us and is contractually limited to the purposes listed above. We don't share data with any other third party without your explicit consent or a binding legal request.

Retention

We hold different categories of data for different lengths of time:

Data | Retention
Captured webhook requests | Per your inbox setting (1, 7, 30, or 90 days based on plan)
Account record | Until you delete your account, plus 30 days
Sessions | Up to 30 days from last use
Tunnel tokens (revoked) | 30 days, then deleted
Server logs | 30 days
Billing records | As required by tax law in your jurisdiction (typically 7 years)

When you delete your account, we delete or anonymize your data within 30 days, except for records we're legally required to keep.

Your rights

Depending on where you live, you may have some or all of these rights:

  • Access: a copy of the personal data we hold about you.
  • Rectification: correcting data that's wrong.
  • Deletion: erasing your data ("right to be forgotten").
  • Portability: a machine-readable export of your data.
  • Restriction: limiting how we use your data while a question is resolved.
  • Objection: opting out of processing based on legitimate interest.
  • Withdraw consent: for any processing based on consent.
  • Complaint: filing with your local data protection authority.

To exercise any of these, email privacy@hookspy.io from the address on your account. We respond within 30 days.

Security

We protect your data with measures including:

  • HTTPS for all traffic, with HSTS
  • argon2id password hashing
  • Session and tunnel tokens stored as SHA-256 hashes — the originals are never written to disk
  • Rate limiting and abuse detection
  • Encrypted database backups
  • Principle-of-least-privilege access controls for our team

No system is perfectly secure. If you discover a vulnerability, please report it to security@hookspy.io. We respond to security reports within 48 hours.

Cookies

We use exactly one cookie:

Name | Purpose | Lifetime
hookspy_session | Keeps you signed in | 30 days

It's a strictly necessary first-party cookie, set HttpOnly and SameSite=Lax, with the Secure flag in production. You can't sign in without it. We don't use any tracking, analytics, or advertising cookies.

International transfers

Our primary servers are located in [REGION]. If you access HookSpy from outside that region, your data is transferred there to provide the service. Where we transfer data out of the EEA or UK, we rely on Standard Contractual Clauses published by the European Commission.

Children

HookSpy is a developer tool intended for use by adults. We don't knowingly collect data from anyone under 16. If you believe a minor has created an account, contact us and we'll delete it.

Changes to this policy

When we make material changes to this policy, we'll email account holders at least 30 days before the changes take effect. Minor edits (typos, clarifications) may be made without notice — the "last updated" date at the top of this page always reflects the current version.

Contact us

For privacy questions, including how to exercise your rights:

For general support, see our contact page.