Your data, your rules
What Outworx Hooks collects, how we use it, and the rights you have over your data. Plain English, no dark patterns.
Last updated: April 18, 2026
This Privacy Policy explains what information Outworx Hooks collects, how we use it, and the rights you have over your data. We've tried to write this in plain English. If anything is unclear, email info@outworx.io.
1. Who we are
Outworx Hooks is operated by Outworx For Web Design (“we”, “us”, “our”). We provide a webhook-monitoring service at hooks.outworx.io. For privacy or data-protection questions, contact us at info@outworx.io.
2. Data we collect
Account data
When you sign up we store your email address, optional display name, and profile avatar (if provided via OAuth). We also store your subscription plan and status.
Webhook event data
Our SDK sends us metadata about the webhooks your systems receive: provider, event type, response status, latency, timestamp, and provider-specific identifiers. This is what we need to give you the dashboard and alerts you paid for.
If you opt in by setting captureBody: true on an SDK handler, we also store the request and response bodies. This is off by default because webhook payloads often contain personal data about your end users. You decide which handlers capture bodies. Sensitive request headers (Authorization, Cookie, X-API-Key, etc.) are always redacted before transmission, regardless of the capture setting.
Billing data
Payments are handled by Stripe. We never see or store your card number. We store your Stripe customer ID and subscription status so we know which plan to apply.
Technical data
We log IP addresses and user-agent strings for security, abuse prevention, and basic aggregate analytics. These logs are retained for 30 days.
3. How we use your data
- To provide the service you signed up for: dashboard, alerts, SDK ingestion, team collaboration.
- To process payments and manage your subscription.
- To send you service-related emails (alerts you configure, billing receipts, critical account notices). We do not send marketing email without separate consent.
- To improve the product using aggregate, de-identified usage patterns. We don't build per-user profiles and don't sell data.
- To comply with legal obligations and enforce our Terms.
4. Legal basis (GDPR)
- Contract performance — processing needed to deliver the service you signed up for.
- Legitimate interests — abuse prevention, security logging, aggregate product improvement.
- Legal obligation — tax records, lawful requests.
- Consent — anything you explicitly opt into (e.g. enabling body capture for a handler).
5. Sub-processors
We use the following third-party services to run Outworx Hooks. Each receives only the data needed for its specific function.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | EU / US |
| Stripe | Payment processing | US / EU |
| Upstash | Rate-limit counters (Redis) | Multi-region |
| Resend | Outbound email (alerts, receipts) | US |
| Vercel | Application hosting | Global CDN |
Where sub-processors transfer personal data outside your region, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as applicable.
6. Data retention
- Webhook events are deleted based on your plan: Free 1 day, Pro 30 days, Business 90 days. Deletion runs automatically.
- Account data is kept for as long as your account is active. When you delete your account, account data is removed within 30 days, including from active backups on their normal rotation.
- Billing records may be retained longer as required by tax and accounting law (typically 7 years).
- Security logs (IPs, user-agents) are retained for 30 days.
7. Your rights
Under GDPR and similar laws you can:
- Access your data. Use Settings → Export my data to download everything we hold about you.
- Delete your data. Use Settings → Danger Zone → Delete account. This is immediate and permanent.
- Rectify inaccurate data. Update your profile in settings, or email us.
- Port your data. The export is a machine-readable JSON file.
- Object to processing based on legitimate interests, or withdraw consent for optional processing.
- Lodge a complaint with your local data-protection authority.
8. Cookies
We only use cookies that are strictly necessary to keep you signed in (Supabase auth session). We don't use analytics, advertising, or tracking cookies. No cookie banner is required because we don't set any optional cookies.
9. Security
Data is encrypted in transit (TLS) and at rest. API keys are stored as SHA-256 hashes. Access to production systems is restricted and logged. We don't publish our internal security practices in detail, but responsible disclosure is welcome at info@outworx.io.
10. Data Processing Agreement
If you process personal data of your end users through Outworx Hooks, you are the controller and we are the processor. A Data Processing Agreement (DPA) is available on request — email info@outworx.io.
11. Changes to this policy
We'll update the “Last updated” date above whenever this policy changes. For material changes, we'll notify active users by email at least 30 days before the change takes effect.
12. Contact
Questions, requests, or complaints — email info@outworx.io.