
Privacy Policy

Last updated: April 2026

Data controller

WebhookHub is operated by Max MacFarlane, a sole trader based in the United Kingdom. For any privacy-related enquiries, you can reach us at support@webhookhub.dev.

Data we collect and why

Account data

Collected when you register an account:

  • Name and email address — to create and manage your account
  • Password (hashed) — for authentication
  • OAuth provider ID (GitHub or Google) — only if you choose to sign in with a social account

Lawful basis: performance of a contract (Article 6(1)(b)) — we need this to provide you with the service you signed up for.

Webhook request data

Collected when HTTP requests are received at your webhook endpoints. This is the core of the service — you send webhooks here specifically to inspect them.

  • Full HTTP request: method, URL, headers, body, query parameters, and content type
  • Sender IP address
  • Request size in bytes
  • Timestamp of receipt

Lawful basis: performance of a contract (Article 6(1)(b)) — capturing and displaying webhooks is the core service.

Forwarding data

Collected when you forward or replay requests to a destination URL:

  • Destination URL
  • Response status, headers, body, and response time
  • Error details if forwarding fails

This data lets you see the result of forwarded requests.

Lawful basis: performance of a contract (Article 6(1)(b)) — forwarding is a feature you explicitly initiate.

Billing data

  • Stripe customer ID and subscription details — for subscription management and billing
  • We do not store credit card numbers. All payment processing is handled entirely by Stripe.

Lawful basis: performance of a contract (Article 6(1)(b)) for subscription management, and legal obligation (Article 6(1)(c)) for tax record retention.

Usage data

  • Requests per month, forwards per month, and endpoint count — used to enforce plan limits

Lawful basis: performance of a contract (Article 6(1)(b)) — used to enforce the plan limits you agreed to.

Technical data

  • Laravel session cookie — functional, not used for tracking
  • IP address — used for rate limiting on webhook endpoints (120 requests per minute per endpoint)

Lawful basis: legitimate interest (Article 6(1)(f)) — rate limiting protects the service for all users. The session cookie is strictly necessary for the site to function.

Third-party processors

We share data with the following third-party service providers in order to operate WebhookHub:

Processor | Purpose | Data shared | Privacy policy
--------- | ------- | ----------- | --------------
Stripe | Payment processing | Name, email, payment details | stripe.com/privacy
Hetzner | Server hosting (Germany) | All data is stored on Hetzner infrastructure | hetzner.com/legal/privacy-policy
GitHub / Google | Social authentication (optional) | OAuth tokens during login | Their respective policies

Our servers are hosted in the EU (Germany), which is adequate for GDPR purposes.

International data transfers

Your data is stored on servers hosted by Hetzner in Germany, within the European Economic Area. However, Stripe, our payment processor, may transfer data to the United States as part of processing payments. Stripe relies on Standard Contractual Clauses and other safeguards to ensure your data is protected in accordance with GDPR. For details, see Stripe's privacy policy.

Data retention

  • Free plan: Webhook request data is not stored persistently. Requests are received and displayed in real time only.
  • Indie plan: Webhook request data is retained for 30 days, then automatically deleted.
  • Pro plan: Webhook request data is retained for 90 days, then automatically deleted.
  • Account data: Retained until you delete your account.
  • Billing data: Retained as required by UK tax law (typically 6 years).

Automated cleanup runs daily. When a subscription ends, associated data is purged automatically.

Your rights under GDPR

As a user, you have the right to:

  • Access your personal data — available through the dashboard and profile page.
  • Rectification — you can update your name and email on the profile page.
  • Deletion — you can delete your account from the profile page, which removes all associated data including endpoints, webhook requests, and forwards.
  • Data portability — you can request an export of your data by contacting support.
  • Object to processing — contact us at support@webhookhub.dev.
  • Withdraw consent — for optional processing like social login, you can unlink providers from your profile page.
  • Lodge a complaint with the ICO (Information Commissioner's Office) at ico.org.uk.

Cookies

WebhookHub uses functional cookies for authentication and a small number of cookies set by PostHog for product analytics. We do not use third-party advertising or cross-site tracking cookies.

  • Laravel session cookie — required for authentication and CSRF protection.
  • PostHog analytics cookies — used to associate product events with your account. See the Product Analytics section below for details and how to opt out.

Product Analytics

We use PostHog (EU-hosted, Frankfurt) to understand how WebhookHub is used so we can fix issues and prioritise improvements.

What we track

  • Page views and navigation within the application.
  • Product events such as account creation, endpoint creation, plan upgrades, and feature usage.
  • Approximate location at country level (derived from IP; the IP itself is not retained long-term by PostHog).
  • Browser and device category.
  • Your account email and name (associated with your user record).

What we never track

  • Webhook request bodies, headers, or query parameters.
  • Endpoint URLs or UUIDs.
  • Forward destination URLs or response content.
  • Billing pages, payment details, or any Stripe content.
  • Any data flowing through your endpoints — your customers' webhook data is never sent to PostHog under any circumstances.

Session recording: WebhookHub does not record user sessions at this time. If we enable session recording in future, we will update this policy and notify existing users before doing so.

Retention: PostHog retains event data for 12 months. After that period, data is automatically deleted.

Legal basis: We process this data under our legitimate interests in operating and improving WebhookHub (UK GDPR Article 6(1)(f)). You have the right to object to this processing at any time.

Opt out: You can disable analytics tracking entirely from your account settings. Opting out takes effect immediately and applies to both server-side and browser-side analytics.

Security

We take the following measures to protect your data:

  • Passwords are hashed using bcrypt.
  • All traffic is encrypted via HTTPS/TLS.
  • Webhook request data is only accessible to the endpoint owner, enforced via authorization policies.
  • Stripe webhook signatures are verified to prevent tampering.
  • CSRF protection is enabled on all forms. Webhook reception and Stripe webhook endpoints use their own verification mechanisms instead.

Age restriction

WebhookHub is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@webhookhub.dev and we will delete it.

Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and inform affected users without undue delay, as required by GDPR.

Changes to this policy

We may update this policy from time to time. The date at the top of this page indicates when it was last updated. Material changes will be communicated via email to registered users.

Contact

For any privacy-related questions or to exercise your rights, contact us at support@webhookhub.dev.
