Privacy Policy
Last updated: May 23, 2026
This policy explains what data HookDeploy collects, how we use it, and what choices you have. HookDeploy (hookdeploy.dev) is operated by SnapStack Technologies Inc. ("we", "us"). By using hookdeploy.dev or app.hookdeploy.dev, you agree to this policy.
This document is written to be readable, not to replace legal counsel. If you have questions, contact privacy@hookdeploy.dev.
What we collect
Account data
When you create an account, we collect:
- Email address (required for authentication)
- Display name (optional)
- Avatar URL (optional, if you upload one)
- Password hash (managed by Supabase Auth — we never store plaintext passwords)
Organization and team data
If you use team features, we store:
- Organization name and slug
- Member list with assigned roles
- Invitation emails and tokens (until accepted or expired)
Webhook and usage data
When you use HookDeploy to capture webhooks, we store:
- Request metadata — HTTP method, headers, query parameters, content type, body size, source IP, timestamp
- Request bodies — the raw payload sent to your endpoint URL
- Forward and replay records — target URLs, status codes, response times, errors
- Usage counters — request counts per billing period, endpoint counts, member counts
Webhook payloads may contain personal data or secrets sent by third-party services. You control what senders transmit to your endpoints.
Billing data
Paid plans are processed by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers.
Support communications
If you contact us, we collect the information you provide (name, email, message, optional plan).
Technical logs
Cloudflare and Supabase may log request metadata for security and debugging. We do not log webhook payload contents in application logs.
How we use your data
We use collected data to:
- Provide the service — capture, display, forward, and replay webhooks
- Authenticate you and enforce role-based access
- Enforce plan limits
- Process billing through Stripe
- Send transactional emails
- Respond to support requests
- Maintain security and prevent abuse
We do not sell your data. We do not use webhook payloads for advertising or model training.
How we store data
| Data type | Storage | Location |
|---|---|---|
| Account, org, endpoint metadata | Supabase (PostgreSQL) | Cloud-hosted |
| Webhook payloads | Cloudflare R2 | Encrypted at rest |
| Auth sessions | Supabase Auth | Cookie-based, PKCE flow |
| API key hashes | PostgreSQL | SHA-256, plaintext never stored |
| Auth/rate-limit cache | Cloudflare KV | Ephemeral, TTL-based |
All database tables use Row Level Security.
Retention
Request retention depends on your plan:
| Plan | Retention period |
|---|---|
| Free | 7 days |
| Starter | 30 days |
| Team | 90 days |
| Enterprise | 365 days |
After retention expires, request metadata and payloads are deleted automatically. Deleting an endpoint removes all associated requests immediately.
Third-party services
- Supabase — authentication, database, edge functions, realtime
- Cloudflare — Workers, R2, KV, Pages
- Stripe — payment processing
- Resend — transactional email
Security
- TLS encryption for all traffic
- Payload encryption at rest on R2
- API keys stored as hashes
- Row Level Security on every table
- Service role keys never exposed to the browser
- Payload bodies and auth tokens never logged
Your rights
You may have the right to access, correct, delete, or export your personal data. Email privacy@hookdeploy.dev — we respond within 30 days.
Cookies
The dashboard uses essential cookies for Supabase Auth sessions. We do not use advertising or analytics cookies at this time.
Children
HookDeploy is not intended for users under 16.
International transfers
Data may be processed in the United States and other countries where our providers operate.
Changes
We may update this policy. Material changes will be noted here with an updated date.
Contact
SnapStack Technologies Inc.
Privacy: privacy@hookdeploy.dev
Support: support@hookdeploy.dev