Privacy Policy

Last updated: February 10, 2026

1. Introduction

This Privacy Policy explains how Hooktrace ("we", "us", "our") collects, uses, and protects information when you use our webhook inspection service ("Service").

2. Data Controller

Hooktrace is owned and operated by an individual based in Sydney, New South Wales, Australia.

Email: support@hooktrace.net

We have not appointed a Data Protection Officer because we do not carry out large-scale processing of special categories of data. For privacy inquiries, contact us at the email above.

3. Our Role: Controller vs. Processor

Webhook request data: Webhook request data (headers, body, source IP, and related metadata) is processed on your behalf when you use the Service. In this context, you are the data controller (or processor, as applicable) and Hooktrace acts as a data processor. If you are subject to GDPR/UK GDPR and use Hooktrace to process personal data, you may request our Data Processing Addendum at support@hooktrace.net.

Operational and security data: Hooktrace acts as an independent data controller for operational log data and security/abuse-prevention data we process to operate and protect the Service.

4. Information We Collect

We collect the following types of information:

  • Webhook request data: When a request is sent to a Hooktrace endpoint, we store the request method, path, query parameters, headers, body, content type, body size, source IP address, and timestamps so you can inspect and replay the request. IP addresses are treated as personal data under EEA/UK law and are used for endpoint display, abuse prevention, rate limiting, and security monitoring.
  • Endpoint data: We store endpoint metadata including an endpoint ID, creation and expiration timestamps, selected retention period, and access tokens (ingest token and view token) used to send to and view an endpoint. Access tokens are generated using cryptographically secure randomness.
  • Operational log data: Our servers log limited technical data such as request method, hostname, redacted URL, and IP address to operate, debug, and secure the Service.
  • Website analytics: We use Vercel Web Analytics to collect anonymised, aggregated usage data such as page views, referrer URLs, visitor country, device type, browser, and operating system. Vercel Web Analytics does not use cookies, does not collect personal identifiers, and does not track visitors across websites. Visitors are identified by a temporary hash derived from the incoming request, which is discarded after 24 hours. Analytics data cannot be used to identify individual users. You can learn more about how Vercel handles data in their Privacy Policy.

Data minimization: Webhook payloads may include personal data. You should avoid sending unnecessary personal data and should redact or tokenize sensitive fields before sending to Hooktrace. The Service is intended for development and debugging and is not designed for storing special category data.

5. How We Use Information

  • To provide and maintain the Service.
  • To display webhook requests in your inspection dashboard.
  • To replay captured requests to a target URL you provide, stripping Authorization and Cookie headers during replay. You are responsible for ensuring the recipient and transfer are lawful.
  • To improve performance, reliability, and user experience.
  • To prevent abuse, enforce rate limits, and maintain security.

6. Lawful Bases for Processing (EEA/UK)

Where the GDPR or UK GDPR applies, we process personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service features you request (capturing, displaying, and replaying webhook requests).
  • Legitimate interests (Art. 6(1)(f)) — to operate, secure, troubleshoot, and improve the Service and to prevent abuse (for example, maintaining operational logs and applying rate limits). We consider these interests proportionate and not overridden by your rights, given the temporary nature of endpoints and retention limits.
  • Legal obligation (Art. 6(1)(c)) — where we must retain certain records or disclose information to comply with law.

7. Data Retention

Webhook endpoint data is temporary and automatically deleted after the selected expiration period (currently 1 hour, 24 hours, 48 hours (default), or 7 days). Each endpoint retains a maximum of 500 captured requests. We do not retain webhook payload data beyond the endpoint's active lifetime unless required by law.

Operational logs are retained for 30 days unless a longer period is required for security investigations, legal obligations, or dispute resolution.

8. Data Sharing and Service Providers

We do not sell webhook data. We may share information with service providers (sub-processors) that help us operate the Service. Our current service providers include Vercel (hosting, deployment, and web analytics). These providers are authorised to process personal data only as necessary to provide services to us and are contractually required to protect it. An updated list of sub-processors is available on request at support@hooktrace.net.

9. International Data Transfers

Your data may be processed in countries other than where you reside. Where the GDPR or UK GDPR applies and personal data is transferred outside the EEA/UK to a country not recognised as providing an adequate level of protection, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) and implement supplementary measures as required.

10. Security

We use reasonable technical and organisational measures designed to protect data in transit and at rest. Access to endpoint data is controlled by unguessable tokens, URLs are redacted in server logs, and Authorization and Cookie headers are stripped during replay. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Cookies and Similar Technologies

We do not use cookies for authentication, session management, or advertising. Vercel Web Analytics, which we use for aggregated website usage statistics, does not use cookies or similar tracking technologies. If our infrastructure providers set strictly necessary cookies (for example, for load balancing or security), those cookies are used only to deliver the Service.

12. Your Rights (EEA/UK)

If the GDPR or UK GDPR applies, you may have the rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability. You also have the right to lodge a complaint with your local supervisory authority.

How to exercise rights: Because the Service has no accounts, we may need the endpoint identifier and the view token (or other proof of control) to locate and verify your request. Email us at support@hooktrace.net.

Processor context: If Hooktrace acts as a processor for webhook request data, we may direct you to contact the relevant controller (for example, the service that sent you the webhook) where appropriate.

13. California Privacy Notice (CCPA/CPRA)

This section applies to California residents to the extent Hooktrace is subject to the CCPA/CPRA.

  • Categories of personal information collected: identifiers (such as IP address), internet or other electronic network activity information (such as HTTP request metadata), and information included in webhook request headers and bodies.
  • Purposes: provide the Service (capture, display, and replay webhook requests), security and fraud prevention, debugging, and service improvement.
  • Retention: webhook endpoint data is retained for the endpoint TTL (1 hour to 7 days) and then deleted. Operational logs are retained for 30 days unless longer retention is required.
  • Sale/Sharing: we do not sell personal information. We do not share personal information for cross-context behavioural advertising.
  • Your rights: subject to applicable exceptions, California residents may request access to, deletion of, and correction of personal information. We will not discriminate against you for exercising your rights.
  • How to submit a request: email support@hooktrace.net with the endpoint identifier and proof of control of the endpoint tokens. You may designate an authorised agent; we may require proof of authorisation and verification of identity.

14. Automated Decision-Making

We do not use webhook data to make automated decisions that produce legal or similarly significant effects about individuals.

15. Australian Privacy Principles (APPs)

We aim to handle personal information consistently with the Australian Privacy Principles (APPs). If you have a privacy concern or complaint, please contact us first at support@hooktrace.net. We will respond within a reasonable time.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).

16. Children's Privacy

Hooktrace is intended for use by adults and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe someone under 18 has provided information through the Service, please contact us at support@hooktrace.net.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable notice by posting an updated revision date on this page. Changes will be effective upon posting.

18. Contact

Hooktrace is owned and operated by an individual.

Location: Sydney, New South Wales, Australia

Email: support@hooktrace.net