Privacy Policy — Webhook Box

1. Introduction

This Privacy Policy explains how Webhook Box (“Operator”, “we”, “us”) collects, uses, stores, and protects information when you use the Webhook Box platform (“Service”).

The Service is technical in nature and primarily intended for developers and organizations. We seek to apply good-faith compliance with applicable data protection principles, including those found in the GDPR and the Brazilian LGPD, to the extent they apply to the Service and to the data we process.

2. Data Collected

Webhook Box may collect and store the following categories of data:

(a) Authentication data. Email, name, and related metadata used to create and manage your account. This information is stored and managed by Supabase Auth, which protects passwords using secure hashing. The Operator cannot access plaintext passwords.

(b) Operational data. Webhooks, payloads, headers, parameters, logs of requests, timestamps, and other technical data that you voluntarily send to or through the Service.

(c) Technical data. IP addresses, user agents, session identifiers, and diagnostic data used to maintain security, monitor performance, and prevent abuse.

(d) Payment data. Billing-related data is processed exclusively by Stripe. The Operator does not store credit card numbers or other sensitive payment information.

3. Purpose of Processing

The data collected is used for the following purposes:

(a) to operate, maintain, and improve the Service;
(b) to authenticate Users and manage accounts;
(c) to provide technical support and respond to requests;
(d) to monitor performance, detect and prevent fraud, abuse, or security incidents;
(e) to comply with legal, regulatory, or judicial obligations.

The Operator does not use transmitted data for independent marketing, advertising, or selling of information unrelated to the User’s own use of the Service.

4. Legal Basis and Compliance (Overview)

Where data protection laws such as GDPR or LGPD apply, processing may be based on: (a) performance of a contract (providing the Service you requested); (b) legitimate interests (security, fraud prevention, service improvement), balanced with your rights; and (c) compliance with legal obligations.

5. Storage and Infrastructure

Service data is stored in a single MongoDB Atlas cluster, which offers native encryption at rest and in transit (TLS). The Service infrastructure includes:

(a) MongoDB Atlas as the primary data store;
(b) Supabase for authentication and user data;
(c) Render for backend execution;
(d) Vercel for frontend hosting; and
(e) Stripe for payment processing.

The Operator may update or change infrastructure providers, while seeking to use vendors that follow recognized security practices.

6. Access to Data

Access to data is restricted to authorized technical staff of the Operator and is used solely for:

(a) providing support;
(b) investigating incidents;
(c) preventing abuse or misuse;
(d) debugging and maintaining the Service; and
(e) technical analysis to ensure correct operation.

Access follows the principle of least privilege. Data is not accessed for independent commercial exploitation.

7. Data Retention and Deletion

Data may be retained for as long as necessary to provide the Service, comply with legal obligations, and maintain security. Retention periods may vary by plan or by feature (for example, temporary webhook inspection).

Data may be automatically removed according to internal policies or plan-specific limits. Once deleted, data cannot be restored.

Users may request deletion of data associated with their account, subject to legal or contractual retention requirements.

8. International Data Transfers

Data may be processed in countries other than the User’s country of residence, depending on infrastructure regions chosen in MongoDB Atlas, Supabase, Render, Vercel, and Stripe.

Reasonable measures such as encryption, access control, and contractual safeguards (where applicable) are used to protect data during such transfers.

9. Cookies and Tracking Technologies

The Service may use essential cookies or similar technologies to maintain sessions, store preferences, and enhance security. These cookies are typically required for the basic operation of the Service.

Analytics or performance tools may be used to understand usage patterns and improve the Service. Where required by law, we will provide appropriate notices and, when necessary, obtain consent.

10. User Rights

Depending on applicable law, Users may have the right to request:

(a) access to personal data we process about them;
(b) correction of inaccurate or incomplete data;
(c) deletion of data, where applicable;
(d) portability of data, where technically feasible; and
(e) clarification regarding data processing.

To exercise such rights, Users may contact the Operator using the contact information below.

11. Children’s Data

The Service is not directed to children, and we do not knowingly collect personal data from individuals under the minimum age required by applicable law. If we become aware that such data has been collected, we will take reasonable steps to delete it.

12. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time. The updated version will replace previous versions upon publication. Continued use of the Service after changes are published will be interpreted as acceptance of the updated Policy.

13. Contact

For questions about this Privacy Policy or to exercise data-related rights, Users may contact the Operator at:

support@webhookbox.com