Last updated: 3 April 2026
HookCatcher is a webhook testing platform. This privacy notice explains how we collect, use, store, and protect your personal data when you use our Service.
Account Information: When you register, we collect your email address and an encrypted password. If you sign in with Google, we receive your email address and name from Google.
Webhook Data: When webhooks are sent to your unique endpoint, we capture and store the HTTP method, path, query parameters, request headers (with sensitive infrastructure headers stripped), and request body. This data is associated with your account and is not shared with other users.
Usage Data: We collect basic analytics about how you use the Service, including login times and feature usage, to improve the product.
Payment Data: Payment processing is handled by Paddle, which acts as the Merchant of Record. We do not store your credit card details. Paddle's privacy policy applies to payment data: paddle.com/legal/privacy.
We use your data to:
• Provide and maintain the Service, including webhook capture and delivery.
• Authenticate your identity and manage your account.
• Process payments and manage subscriptions via Paddle.
• Send important service communications (account verification, security alerts).
• Improve the Service based on usage patterns.
Account data is stored in Supabase (hosted in the EU/US) and retained for as long as your account is active.
Webhook data is stored in Upstash Redis and retained according to your plan: 24 hours for Free plans, 30 days for Pro plans. Webhook data is automatically deleted after the retention period.
Upon account deletion, all associated data (profile, webhook history, Redis keys) is permanently removed.
We implement appropriate technical and organisational measures to protect your data, including:
• Encryption in transit (TLS/HTTPS) for all communications.
• Encryption at rest for stored data.
• Automatic stripping of sensitive infrastructure headers (authorisation tokens, internal routing headers) from captured webhooks.
• Multi-tenant data isolation — each user's webhook data is stored in separate namespaced keys.
We do not sell your personal data. We share data only with:
• Supabase — for authentication and profile storage.
• Upstash — for webhook data storage.
• Paddle — for payment processing (Pro plan subscribers only).
• Vercel — for application hosting.
All sub-processors are GDPR-compliant and maintain appropriate data protection agreements.
If you are in the UK or EU, you have the right to:
• Access your personal data.
• Rectify inaccurate data.
• Erase your data ("right to be forgotten").
• Restrict processing of your data.
• Port your data to another service.
• Object to processing of your data.
To exercise any of these rights, contact us at privacy@hookcatcher.dev.
We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. No consent banner is required as we only use strictly necessary cookies.
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.
We may update this privacy notice from time to time. Material changes will be communicated via email. The "Last updated" date at the top indicates when the notice was last revised.
For privacy-related queries, contact us at privacy@hookcatcher.dev.