Privacy Policy

Last updated: May 19, 2026

1. Overview

Webhook Guardian, Inc. ("we", "us") operates the Webhook Guardian service at webhookguardian.com. This policy explains what data we collect, why we collect it, and the choices you have. We've tried to write it in plain English — if anything is unclear, email privacy@webhookguardian.com.

2. Data we collect

We collect only what is necessary to operate the service:

• Account data — email, name, and password hash (or OAuth provider ID).
• Billing data — processed by Stripe; we store the last 4 digits and brand of your card for receipts.
• Integration credentials — OAuth refresh tokens for connected platforms (Stripe, Shopify, GitHub), stored encrypted at rest.
• Webhook delivery metadata — event type, timestamp, status code, retry count, and payload size for each event we monitor.
• Webhook payloads — retained according to your plan (7, 30, or 90 days) and then permanently deleted.
• Usage telemetry — page views and feature usage on the dashboard, used to improve the product.

3. How we use it

Your data is used exclusively to (a) provide the monitoring service you signed up for, (b) bill you accurately, (c) send you operational emails (alerts, weekly digests, account notices), and (d) improve the product. We do not sell, rent, or share your data with advertisers.

4. Read-only access to your platforms

When you connect Stripe, Shopify, or GitHub, we request the minimum read-only OAuth scopes required to read delivery logs. We do not request write access. You can revoke access at any time from your account settings or directly from the platform.

5. Subprocessors

We rely on the following subprocessors:

• Cloudflare — hosting and edge network.
• Clerk — authentication.
• Stripe — billing.
• AWS (us-east-1) — database and object storage.
• Postmark — transactional email.

6. Data retention

Webhook payloads follow your plan's retention window. All other data is retained while your account is active. If you delete your account, all personal data and payloads are permanently deleted within 30 days, except where retention is required by law (e.g. invoices for tax purposes).

7. Your rights

You can export, correct, or delete your data at any time. Under GDPR and CCPA you have the right to access, rectify, erase, restrict processing, and port your data. Email privacy@webhookguardian.com and we'll respond within 30 days.

8. Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). OAuth refresh tokens are encrypted with per-tenant keys. We follow SOC 2 controls and undergo annual penetration testing.

9. Changes to this policy

If we make material changes, we'll notify you by email at least 14 days before the change takes effect. The "last updated" date at the top of this page always reflects the current version.

10. Contact

Webhook Guardian, Inc. · 548 Market St #41922 · San Francisco, CA 94104 · privacy@webhookguardian.com