Skip to content
soonThe webhook.co MCP server — turn any webhook into an agent event. See the roadmap

Privacy Policy

Last updated: 10 July 2026

In short (this summary isn't the legal text, but it's honest): This policy covers the hosted webhook.co service. We play two roles: for your account details we're the data controller; for the webhooks you send through us — which may contain other people's data — we're a processor acting on your instructions. We don't sell your data and we don't use it for advertising. Your data is currently hosted mainly in the United States, and we protect transfers with Standard Contractual Clauses. We keep captured data until you delete it or close your account (we don't auto-expire it yet), and we'll honour deletion/erasure requests within 30 days. We're not SOC 2 / HIPAA certified, so please don't send data that needs those. Questions or requests: sourabh@webhook.co.

1. Who we are, and what this policy covers

The hosted webhook.co service (the "Service") is operated by Sourabh Choraria, a sole trader based in Porto, Portugal ("webhook.co", "we", "us"). For data-protection purposes, we are the controller of your account data. Contact: sourabh@webhook.co.

This policy explains what personal data we handle through the hosted Service and why. It applies to the webhook.co websites, dashboard, API, CLI, and MCP server that we operate.

Scope — hosted Service only. This policy covers the Service we operate at the webhook.co domains. webhook.co's open-source software (licensed under the Apache License 2.0, at github.com/webhook-co) can be run by others; if you self-host it, we don't operate it and don't process the data in your deployment — you do, and you're responsible for your own privacy compliance.

2. Our two roles: controller and processor

  • Account data — we're the controller. Information about you and your organisation (sign-up details, billing, usage, support). This policy governs how we handle it.
  • Webhook data you send through us — we're a processor. The webhooks, payloads, and headers you capture may contain personal data belonging to your users or third parties. For that data, you are the controller and we process it only to run the Service for you, on your instructions. Business customers can put this on a formal footing with our Data Processing Agreement. This policy's controller-focused sections (legal bases, your individual rights) are about account data; for the data you capture, your own privacy notice and our DPA govern.

3. What we collect

Account & identity data (you give us): your name, email address, and — if you sign in with Google or GitHub — the basic profile information and avatar those providers share. We support Google, GitHub, and email "magic-link" sign-in; we don't store passwords. We keep the tokens needed to maintain your linked sign-in.

Organisation data: your organisation's name, members, and roles.

Authentication & session data: when you're signed in, we store a session record that includes your IP address and browser user-agent (to keep the session secure). API keys are stored only as a one-way hash — we can't see the original.

The webhooks you capture (processor data): the full request bodies and headers of the webhooks you send through the Service, plus verification and delivery metadata. We store these so you can inspect, search, verify, replay, and deliver them — that's the core feature. We store headers and bodies as received (unredacted), because redacting them would defeat the inspection purpose. These may contain personal data of your end-users; we process it as your processor.

Usage data: counts of the events you process, used for metering, billing, and keeping the Service reliable.

Billing data: if you buy a paid plan, our payment processor Stripe handles your card details — we don't store full card numbers; we keep records of your plan, invoices, and payment status.

CLI telemetry (optional, opt-out): our open-source wbhk command-line tool sends anonymous usage pings by default — the CLI version, your OS/architecture, which command ran, and whether it succeeded. It never includes your data, arguments, tokens, URLs, IDs, or any persistent identifier, and it's collected via Cloudflare Analytics Engine. You can turn it off any time (wbhk telemetry off, WBHK_TELEMETRY=0, or DO_NOT_TRACK=1), and it's automatically off in CI. This applies to anyone using the CLI, whether or not they're a paying customer.

Support communications: if you email us, we keep the correspondence to help you.

4. Why we use it, and our legal basis (GDPR)

  • To provide the Service (create your account, run endpoints, store/inspect/deliver your webhooks, metering) — performance of our contract with you (Art 6(1)(b)).
  • To take paymentcontract, and legal obligation for tax/accounting records (Art 6(1)(c)).
  • To keep the Service secure and prevent abuse (session security, rate-limiting, CAPTCHA, investigating misuse) — our legitimate interests in a safe, reliable service (Art 6(1)(f)).
  • To understand and improve the Service (anonymous CLI telemetry, aggregate usage) — legitimate interests; you can opt out of CLI telemetry.
  • To respond to support requestslegitimate interests / contract.
  • The webhook data you capture — processed on your behalf under our contract and your instructions (you determine the legal basis as its controller).

We don't send marketing emails except transactional/service messages, unless you opt in.

5. Who we share it with (sub-processors)

We don't sell your data or share it for advertising. To run the Service we rely on a small set of trusted infrastructure providers (sub-processors) — including Cloudflare, Neon, Amazon Web Services, Stripe, and Resend. Our Sub-processors page lists each one, what it does, the data it may process, and where it's located, and we update it whenever the list changes.

We may also disclose data if required by law, to protect our rights or users' safety, or as part of a business transfer — in which case we'll tell you.

6. Where your data is, and international transfers

Your data is currently hosted primarily in the United States (our database and object storage default to US regions). We do not currently offer EU data residency. Because we're based in the EU and use US-based providers, moving data to them is an international transfer; we rely on Standard Contractual Clauses (SCCs) incorporated into our agreements with those providers, together with technical safeguards (encryption in transit and at rest), and UK/Swiss addenda where relevant. We rely on SCCs as our primary safeguard rather than depending on the EU–US Data Privacy Framework alone.

7. How long we keep it

  • Account data: for as long as your account is open, and a reasonable period afterwards for legal, tax, and security purposes.
  • The webhooks you capture: we keep them until you delete them or close your account — we do not currently auto-expire or set a fixed retention window on captured data.
  • Deletion & erasure: you can delete endpoints and data from your account, and you can ask us to erase your personal data (see §8). We complete verified erasure requests within 30 days; today some erasure steps are carried out manually. Residual copies in encrypted backups are removed on our normal backup-rotation cycle.

(We're actively building automated data-retention and one-click erasure; until then, the timelines above reflect how it works today — we'd rather tell you that plainly than promise more than the system does.)

8. Your rights

Subject to applicable law, you can ask to access your personal data, correct it, delete/erase it, restrict or object to certain processing, receive a portable copy, and withdraw consent where we rely on it. To exercise any of these, email sourabh@webhook.co; we'll respond within the time the law requires (generally one month). You also have the right to complain to a supervisory authority — in Portugal, the Comissão Nacional de Proteção de Dados (CNPD) — or your local EU/EEA authority.

If your request concerns the webhook data you captured (where you're the controller and we're the processor), we'll help you fulfil it, but you may need to direct the underlying request through the customer whose account holds the data.

9. How we protect your data

  • In transit: all connections use TLS.
  • Secrets: the signing secrets, provider secrets, and ingest tokens you entrust to us are encrypted at rest using AES-256-GCM envelope encryption, with the master keys held in AWS KMS (we never hold them in plaintext).
  • At rest: data stored in our database and object storage benefits from those providers' at-rest encryption.
  • Isolation: tenant data is separated using database row-level security so one organisation can't read another's data.
  • Authentication: OAuth and magic-link sign-in, hashed API keys, and audience-bound tokens.

Being honest about limits: the Service is not end-to-end-encrypted or "zero-knowledge" — we necessarily process your webhook contents to inspect, verify, replay, and deliver them. And we do not currently hold SOC 2, ISO 27001, HIPAA, or PCI certifications; please don't use the Service for data that legally requires them (see the Terms).

10. Cookies

We use only strictly-necessary cookies, so we don't show a cookie banner. These are:

  • a session cookie that keeps you signed in, and
  • short-lived security cookies used during Google/GitHub sign-in (to prevent cross-site request forgery).

They're essential to run the Service and aren't used for tracking or advertising. Our login page also loads Cloudflare Turnstile (bot protection), which may set its own security cookies as a third-party service. Your dark-mode preference is stored in your browser's local storage, not a cookie. We don't use analytics or advertising cookies, and the marketing site sets no cookies at all.

11. Children

The Service isn't directed to children, and we don't knowingly collect data from anyone under 16 (or the age of digital consent where you live). If you believe a child has given us data, contact us and we'll remove it.

12. Data breaches

If a breach affects your personal data, we'll act without undue delay and, where the law requires, notify the relevant supervisory authority within 72 hours, and notify you where there's a high risk to you.

13. California residents (CCPA/CPRA)

If you're a California resident: we do not sell or share your personal information, and we don't use it for cross-context behavioural advertising. When we handle the data you capture, we act as your service provider and use it only to provide the Service. You have rights to know, delete, and correct your personal information; email sourabh@webhook.co to exercise them, and we won't discriminate against you for doing so.

14. Changes to this policy

We may update this policy. For material changes we'll give reasonable notice by email or in-app and update the "Last updated" date above.

15. Contact

Sourabh Choraria (webhook.co), Porto, Portugal — sourabh@webhook.co. For EU/EEA privacy complaints you may also contact the CNPD (the Portuguese data-protection authority) or your local supervisory authority.