Privacy & Data
How Hooksbase handles account data, project configuration, webhook payloads, files, Automations, billing data, operational telemetry, and third-party service roles.
Effective date: May 3, 2026
Overview
This Privacy & Data page explains how Hooksbase handles information across the marketing website, dashboard, API, SDK, CLI, public ingest endpoints, email and form ingest, scheduled webhooks, Automations, event drains, and support workflows.
Hooksbase is infrastructure for customer-controlled event flows. That means the data we process depends heavily on how you configure your projects, sources, destinations, transforms, Automations, event drains, and retention settings.
Data we collect
- Account and organization data, such as name, email address, login method, organization membership, project access, session data, and account security events.
- Authentication data, including password-derived hashes for email login, verification and reset flows, OAuth profile data from Google or GitHub when enabled, and session cookies for the dashboard.
- Project configuration, including project names, webhook settings, routing rules, destinations, custom headers, provider source settings, schedules, retry policies, quota configuration, alert settings, event drains, API-key metadata, and audit-log entries.
- Event data, including webhook payloads, request headers, content type, provider metadata, delivery records, attempt records, responses from configured destinations, replay and DLQ records, idempotency keys, and delivery summaries.
- Email, form, and file ingest data, including parsed email fields, selected headers, form fields, file metadata, and file contents when a paid plan stores uploaded files.
- Automation data, including Automation code, versions, bindings, test inputs, run status, logs, result previews, egress attempts, egress policy configuration, and encrypted egress credentials.
- Billing data, including plan, subscription, checkout, portal, billing account, usage-event, overage, and provider webhook state needed to manage paid projects.
- Operational data, including usage metrics, diagnostic logs, rate-limit and quota events, error data, support context, and security or abuse signals.
How we use data
- Provide, secure, debug, monitor, and improve Hooksbase.
- Authenticate users, authorize organizations and project access, maintain sessions, and send account emails.
- Receive inbound events, validate configured provider signatures, route events, apply transforms and Automations, store dispatch snapshots, retry delivery, support replay and DLQ recovery, and send events to configured destinations.
- Store payloads, files, delivery history, audit logs, summaries, and operational records according to the applicable plan, settings, and platform safeguards.
- Calculate quotas, enforce plan limits, process billing, meter overages when enabled, and prevent billing or infrastructure abuse.
- Send service communications, such as verification emails, password reset emails, organization invitations, operator alerts, incident notifications, and support replies.
- Investigate security events, abuse, service reliability issues, and violations of the Terms of Use.
Customer-controlled flows
You decide what data to send into Hooksbase and where Hooksbase should deliver it. Destinations may include HTTP endpoints, AWS SQS, AWS EventBridge, Google Cloud Pub/Sub, S3-compatible object storage, event drains to webhook sinks, Axiom, Datadog, object storage, OTLP HTTP collectors, or other configured systems supported by the product.
Routing and transforms can affect what your downstream systems receive. Classic transforms and Automations can reshape, redact, or derive event data before dispatch. You are responsible for reviewing those configurations and for ensuring downstream systems are authorized to receive the resulting data.
Retention
Retention depends on plan, settings, enterprise overrides, operational safeguards, and the type of data. Free projects currently have shorter delivery-history and payload-retention windows than paid projects. Paid and enterprise plans can have longer windows and additional file-storage capacity.
Payload retention controls retained source payloads and related file cleanup. History retention controls delivery, attempt, DLQ, replay, bulk-operation, and audit-log history. Delivery summaries and usage analytics may use separate aggregation windows. Signed file URLs can expire before authenticated file access expires.
Hooksbase is not an archival backup service. If you need long-term records, configure event drains or downstream storage that you control before retention expires.
Security
Hooksbase uses a Cloudflare-native architecture with separate Workers for API, dashboard, docs, marketing, and routing surfaces. Control-plane data, delivery data, payload objects, file objects, queues, Durable Objects, and analytics are separated by role in the system architecture.
Secrets and sensitive destination configuration, including webhook secrets, API-key secrets, custom headers, drain credentials, and Automation egress credentials, are encrypted at rest where the application stores them as secrets. API-key and webhook secrets are returned only when created or rotated.
Hooksbase applies authentication, project-scoped authorization, session checks, destination URL validation, reserved-header protections, egress allowlists for customer-managed Automation egress, quota enforcement, rate limits, and operational monitoring. No security measure is perfect, and you are responsible for safe configuration, least-privilege credentials, downstream authorization, and secure handling of exported data.
Third-party services
Hooksbase uses third-party services to operate the product. The exact vendors used can depend on environment configuration and the features you enable.
- Cloudflare provides core infrastructure, including Workers, D1, R2, Queues, Durable Objects, Analytics Engine, routing, and related platform services.
- Stripe or Polar may process checkout, subscription, customer portal, entitlement, usage-metering, and billing webhook data for self-serve paid plans.
- Google and GitHub may provide OAuth login data if those sign-in methods are enabled and you choose to use them.
- AWS SES or Cloudflare email delivery may send verification, password reset, invitation, operator alert, and other service emails when configured.
- Axiom, Datadog, customer-managed object storage, OTLP collectors, HTTP endpoints, cloud queues, and similar destinations receive data only when you configure Hooksbase to send events, drains, or Automation egress to them.
User controls
You can manage many data controls inside Hooksbase by updating project settings, revoking or rotating API keys and secrets, pausing or archiving webhooks, deleting event drains or destinations, changing schedules, disabling Automations, exporting event-drain data to your own systems, and allowing retention to expire.
Some records are retained for security, billing, abuse prevention, legal, or operational reasons. Project deletion and account deletion behavior may depend on the current product surface and support workflow. Contact hello@hooksbase.com if you need help with access, correction, export, or deletion requests.
International processing
Hooksbase and its vendors may process data in locations where they operate infrastructure or support services. You are responsible for determining whether your use of Hooksbase satisfies your own data-transfer, residency, and compliance requirements.
Changes
We may update this page as Hooksbase changes. If changes are material, we will update the effective date and may provide additional notice through the website, dashboard, email, or another appropriate channel.
Contact
For privacy, data, or security questions, contact hello@hooksbase.com.