HookInbox
GitHub

Privacy Policy

Last updated: February 13, 2026

Overview

HookInbox is a webhook testing and signature verification tool. We take your privacy seriously and follow a data minimization approach.

What We Collect

Webhook Data

  • HTTP headers (filtered to security-relevant headers only)
  • Request body (up to 256 KB, stored for 24 hours by default)
  • Request metadata (method, timestamp, content type)
  • IP address (hashed with salt, never stored in plain text)

What We DON'T Collect

  • Webhook secrets - All signature verification happens in your browser
  • Personal information - No email, name, or account required
  • Raw IP addresses - Only hashed for rate limiting
  • Cookies - We don't use tracking cookies

How We Use Data

  • Display webhook events to you in your inbox
  • Enable signature verification (client-side only)
  • Rate limiting to prevent abuse
  • Debugging and improving the service

Data Retention

Webhook events are automatically deleted after 24 hours (configurable). Inboxes can be manually deleted at any time using the delete token.

Security

We implement industry-standard security practices:

  • All traffic encrypted with HTTPS/TLS
  • Webhook secrets never leave your browser
  • Database access restricted to service role only
  • Rate limiting to prevent abuse
  • Regular security updates

Third-Party Services

We use the following services to operate HookInbox:

  • Supabase - Database hosting (PostgreSQL)
  • Upstash Redis - Rate limiting
  • Vercel - Application hosting

These services may collect their own analytics and logs. Please review their privacy policies for details.

Your Rights

You have the right to:

  • Delete your inbox and all associated data at any time
  • Request information about data we store
  • Request deletion of specific webhook events

Children's Privacy

HookInbox is not intended for use by children under 13 years of age. We do not knowingly collect information from children.

Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top will reflect when changes were made. Continued use of HookInbox after changes constitutes acceptance of the updated policy.

Contact

Questions about this privacy policy? Contact us at contact@hookinbox.dev