Privacy Policy

Effective date: March 13, 2026  ·  Questions: [email protected]

1. Who we are

Hookwing provides webhook infrastructure for developers and AI agents. This policy explains what data we collect, why we collect it, and how we handle it. We keep this plain because we would want the same if we were reading it.

Data controller: Hookwing Inc., Vancouver, British Columbia, Canada. Contact: [email protected].

2. Data we collect

Account data: Email address, name (if provided), and billing information for paid plans. We collect this when you sign up.

Usage data: API requests, endpoint configurations, event delivery logs, error rates, and feature usage. We use this to operate and improve the Service.

Event payload data: The webhook payloads you send through Hookwing. We process this data to deliver it to your configured destinations. We do not read, analyze, or use payload content for any purpose other than delivery.

Technical data: IP addresses, user agent strings, and access timestamps, collected automatically for security and abuse prevention.

3. How we use your data

  • To operate the Service — delivering webhooks, managing retries, maintaining delivery logs
  • To communicate with you about your account, billing, and service changes
  • To detect and prevent abuse, fraud, and security incidents
  • To comply with legal obligations

We do not sell your data. We do not use your data for advertising. We do not share your event payload data with third parties.

4. Data retention

Event payload data is retained according to your plan's retention window. You can delete individual events, endpoints, and your entire account at any time via the dashboard or API.

Account and billing records are retained for as long as your account is active and for a reasonable period afterward to satisfy legal and tax obligations.

5. Third-party services

We use the following third-party services to operate Hookwing:

  • Cloudflare — hosting, CDN, and DDoS protection
  • Stripe — payment processing (we do not store card numbers)

These providers are bound by their own privacy policies and data processing agreements. We do not share personal data with other third parties.

6. Cookies

We use a single session cookie to maintain your authenticated state. We do not use tracking cookies, advertising pixels, or third-party analytics scripts. No cookie consent banner required.

7. Your rights

Under GDPR and applicable privacy laws, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to processing or withdraw consent

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Security

We use HTTPS everywhere, encrypt data at rest, and enforce strict access controls. All webhook payloads are transmitted over TLS. Signing secrets are never logged or exposed in API responses.

To report a security vulnerability, email [email protected].

9. Changes to this policy

We may update this policy as the Service evolves. Material changes will be communicated by email at least 14 days before taking effect. The effective date at the top of this page reflects the most recent revision.

10. Contact

Questions or requests: [email protected].