Privacy Policy - Hookspector

Effective Date: November 27, 2025

1. Introduction

This Privacy Policy explains how Infinea Consulting Ltd ("we", "us", "our") collects, processes, and protects data when you access or use Hookspector ("Service"), in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Hookspector is a free, anonymous webhook testing utility. Unlike traditional services, we do not collect accounts, require registration, or store webhook payloads. This Privacy Policy reflects our minimal data collection approach.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller Information

Data Controller: Infinea Consulting Ltd

Address: Andor utca 21/c fszt. 1., 1119 Budapest, Hungary

VAT ID: HU14930883

Contact Email: [email protected]

3. Categories of Data Collected

Given the anonymous, ephemeral nature of Hookspector, we collect minimal data:

3.1 Connection Data (Logged for 14 Days)

  • Connection and disconnection events
  • Connection ID
  • Endpoint path/ID
  • IP address
  • Timestamp

3.2 Cookies

  • Endpoint identifier (stored in browser cookies to associate your browser with your webhook endpoint)

3.3 Analytics Data (Anonymous)

We collect anonymous usage analytics through PostHog and Google Analytics:

PostHog Events:

  • App opened (with referrer, UTM parameters, device type, country)
  • Endpoint copied
  • HMAC verification toggled on/off
  • Event HTTP headers copied
  • Event payload copied
  • Event received (with topic, signature validation status)
  • Event opened
  • Cloudhooks link opened

Google Analytics Data:

  • Device information (browser type, operating system)
  • Page views and user interactions
  • Geographic data (country/region level from anonymized IP)
  • Traffic source information (referrer URL, campaign info)
  • Anonymized IP addresses

3.4 Ephemeral Data (Not Stored)

The following data exists only in server memory during active transmission and is never persisted:

  • Webhook payloads
  • HTTP headers from incoming webhooks
  • HMAC signing secrets (when entered for verification)
  • Rate limiting counters (per IP address)

3.5 Support Communications

If you contact us via email:

  • Email correspondence and attachments
  • Any information you voluntarily provide in your message

3.6 Data We Do NOT Collect

  • Personally identifiable information (PII)
  • Account credentials or registration data
  • Email addresses (unless you contact support)
  • Payment or billing information
  • Persistent webhook history
  • Webhook payload content

4. Legal Bases for Processing

We process data under the following GDPR legal bases:

4.1 Legitimate Interest (Primary Basis)

As a free utility tool, we rely on legitimate interests to:

  • Provide the webhook testing functionality
  • Prevent abuse and ensure service availability (rate limiting, connection logs)
  • Analyze usage patterns to improve the Service
  • Maintain security and prevent fraud

Our legitimate interests do not override your fundamental rights because:

  • Data collection is minimal and necessary for service operation
  • The Service is anonymous and requires no personal information
  • Webhook payloads are never stored
  • You can stop using the Service at any time

4.2 Legal Obligation

We retain certain logs and records to comply with applicable laws, including:

  • Infrastructure security logging (for abuse prevention)
  • Tax and accounting records related to business operations

4.3 Consent

We do not rely on consent as our primary legal basis. However, by continuing to use the Service after reading this Privacy Policy, you acknowledge our data processing practices.

5. Sources of Data

5.1 Data You Provide

  • Webhook payloads and HTTP requests you send to your endpoint
  • HMAC signing secrets you optionally enter for verification
  • Support requests and communications you send to us

5.2 Data Collected Automatically

  • Connection logs (IP address, timestamps, endpoint IDs)
  • Analytics data (anonymous usage patterns, device information, geographic location)
  • Cookies (endpoint identifier)

5.3 Data from Third-Party Sources

  • Infrastructure logs from Render (our hosting provider)
  • Analytics data from PostHog and Google Analytics

6. Purposes of Processing

We process data for the following specific purposes:

6.1 Service Provision

  • Generating unique webhook endpoints for your browser session
  • Receiving and transmitting webhook requests to your browser in real-time
  • Displaying webhook headers and payloads in your browser
  • Verifying HMAC signatures when you provide a signing secret

6.2 Abuse Prevention and Security

  • Rate limiting based on IP address (3,000 requests per day per IP)
  • Monitoring connection patterns to detect and prevent abuse
  • Maintaining connection logs to identify malicious activity
  • Ensuring service availability for all users

6.3 Service Improvement

  • Analyzing anonymous usage patterns to understand feature adoption
  • Identifying technical issues and performance bottlenecks
  • Developing new features based on usage data
  • Optimizing the user experience

6.4 Communications

  • Responding to support requests and inquiries
  • Providing technical assistance when requested

7. Data Retention

Our retention periods reflect the ephemeral nature of the Service:

7.1 Ephemeral Data (No Retention)

The following data is never stored and exists only in server memory:

  • Webhook payloads: Deleted immediately after transmission to your browser
  • HTTP headers: Deleted immediately after transmission to your browser
  • HMAC signing secrets: Retained in memory per endpoint until explicitly deleted, connection closes, or service restart
  • Rate limiting data: Stored only in memory and reset periodically

7.2 Connection Logs (14 Days)

Connection logs containing IP addresses, timestamps, endpoint IDs, and connection events are retained by our hosting provider (Render) for 14 days, then automatically deleted.

7.3 Analytics Data

  • PostHog: Retained according to PostHog's data retention policy (see Section 8 for DPA details)
  • Google Analytics: Retained for 26 months (Google's default setting)

All analytics data is anonymized and cannot be linked to individual users.

7.4 Support Communications (Indefinite)

Email correspondence sent to our support address is retained indefinitely (the longest period permitted by EU law) to maintain service history and improve support quality.

7.5 Browser Data (User-Controlled)

The endpoint identifier cookie remains in your browser until you:

  • Clear your browser cookies
  • Delete site data
  • Use private/incognito mode

8. Processors and Third-Party Recipients

We engage the following third-party processors to provide the Service. All processors are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance:

8.1 Infrastructure and Hosting

Render

  • Purpose: Hosting infrastructure, server logs
  • Data Processed: Connection logs (IP addresses, timestamps, endpoint IDs)
  • Location: United States (Virginia)
  • DPA: https://render.com/dpa

8.2 Analytics

PostHog

  • Purpose: Anonymous usage analytics
  • Data Processed: Usage events, device type, country (IP anonymized)
  • Location: European Union
  • DPA: https://posthog.com/dpa

Google Analytics

8.3 No Other Recipients

We do not sell, rent, or share your data with any other third parties for their own purposes.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), particularly the United States. We ensure all international transfers comply with GDPR requirements through appropriate safeguards.

9.1 Transfers to the United States

Render (Hosting Infrastructure)

  • Location: Virginia, United States
  • Safeguard: Standard Contractual Clauses (SCCs) as specified in Render's DPA
  • Data Transferred: Connection logs (IP addresses, timestamps, endpoint IDs)

Google Analytics

  • Location: United States
  • Safeguard: Standard Contractual Clauses (SCCs) as specified in Google's Data Processing Amendment
  • Data Transferred: Anonymous usage analytics with IP anonymization enabled

9.2 Transfers within the EU

PostHog

  • Location: European Union
  • Data Transferred: Anonymous usage analytics
  • Note: As PostHog operates within the EU, no international transfer safeguards are required

9.3 Safeguards for International Transfers

We protect your data during international transfers through:

  1. Data Processing Agreements (DPAs): All processors handling international transfers have signed DPAs containing Standard Contractual Clauses (SCCs) approved by the European Commission
  2. Technical Measures: All data transfers are encrypted in transit using TLS 1.3 or higher
  3. Data Minimization: We transfer only the minimum data necessary for each processor's function
  4. Anonymization: Analytics data is anonymized before transfer, reducing privacy risks

9.4 Your Rights

You have the right to:

  • Review the DPAs linked in Section 8 to understand the safeguards in place
  • Request additional information about specific international transfers
  • Object to international transfers in certain circumstances
  • Lodge a complaint with your supervisory authority if you have concerns

For more information about international transfers, contact us at [email protected].

10. Data Subject Rights

Under GDPR, you have specific rights regarding your personal data. Given the anonymous and ephemeral nature of Hookspector, the exercise of some rights is limited.

10.1 Your Rights Under GDPR

Right to Access (Article 15): You may request confirmation of whether we process your personal data. However, because:

  • The Service is anonymous (no accounts or registration)
  • Webhook payloads are never stored
  • Analytics data is anonymized and cannot be linked to you

We can only provide access to connection logs if you can identify the specific IP address and timeframe of your usage within the 14-day retention period.

Right to Rectification (Article 16): Given that we collect minimal data and no personal profile information, there is typically no data to rectify. If you believe any support correspondence contains inaccurate information, contact us to request correction.

Right to Erasure - "Right to be Forgotten" (Article 17)

  • Webhook data: Already deleted immediately after transmission
  • Connection logs: Automatically deleted after 14 days
  • Cookies: You can delete the endpoint cookie through your browser settings
  • Support emails: Contact us to request deletion of specific correspondence

Right to Restrict Processing (Article 18): You can stop us from processing your data by:

  • Ceasing to use the Service
  • Deleting cookies from your browser
  • Blocking our analytics through browser settings or extensions

Right to Data Portability (Article 20): Due to the anonymous and ephemeral nature of the Service, there is no personal data to export or transfer. The Service does not create a personal data profile.

Right to Object (Article 21): You may object to processing based on legitimate interests by:

  • Stopping use of the Service
  • Blocking analytics cookies
  • Using browser privacy features (Do Not Track, ad blockers)

Right to Withdraw Consent: As we primarily rely on legitimate interests rather than consent, this right is limited. However, you can withdraw from analytics tracking by using opt-out tools provided by PostHog and Google Analytics.

10.2 How to Exercise Your Rights

To exercise any of these rights:

  1. Contact us at [email protected] with "Data Rights Request" in the subject line
  2. Specify which right(s) you wish to exercise
  3. Provide relevant details (such as IP address and timeframe for connection log requests)
  4. We will respond within one month of receipt

10.3 Limitations on Rights

Due to the Service's design:

  • We cannot identify you from analytics data (it's anonymous)
  • We cannot retrieve webhook payloads (they're never stored)
  • We cannot link connection logs to you without your IP address and timeframe
  • Many rights are automatically fulfilled by the Service's ephemeral architecture

10.4 Right to Lodge a Complaint

If you're unsatisfied with how we handle your request, you have the right to lodge a complaint with your supervisory authority (see Section 15 for details).

11. Webhook Payload Responsibility

11.1 User Responsibility for Webhook Content

You are solely responsible for the content of webhook payloads sent to your Hookspector endpoint. While we provide the infrastructure to receive and display webhooks, we:

  • Do not control what data you or third-party services send to your endpoint
  • Do not store, process, or analyze webhook payload content
  • Are not responsible for any personal data contained in your webhooks
  • Cannot and do not monitor webhook content for PII or sensitive data

11.2 Our Role Regarding Webhooks

We act as a technical intermediary that:

  • Receives HTTP requests at your endpoint
  • Transmits the data directly to your browser in real-time
  • Deletes all webhook data immediately after transmission

We do not process personal data contained in webhook payloads—we merely transmit it. This data exists only in server memory for milliseconds during transmission and is never written to disk or logs.

11.3 Your Obligations

When using Hookspector, you must:

  • Never send sensitive personal data (e.g., health records, financial data, government IDs)
  • Avoid transmitting production data containing real customer information
  • Use test/dummy data whenever possible
  • Comply with GDPR and other data protection laws for any personal data you transmit
  • Ensure you have proper authorization to send any data through the Service

11.4 Disclaimer

WE EXPLICITLY DISCLAIM ANY RESPONSIBILITY FOR PERSONAL DATA TRANSMITTED IN WEBHOOK PAYLOADS.

If you transmit personal data through Hookspector:

  • You are the data controller for that data
  • You bear full responsibility for GDPR compliance
  • You must have a lawful basis for processing that data
  • You must inform data subjects about the transmission
  • We have no liability for your data protection obligations

11.5 Recommended Practices

To protect privacy when testing webhooks:

  • Use Shopify's "Send test notification" feature (generates dummy data)
  • Create test products/orders with fictional information
  • Sanitize production data before sending it to Hookspector
  • Never include real customer emails, names, addresses, or payment information
  • Treat Hookspector as a public testing tool—don't send anything confidential

12. Security Measures

We implement reasonable technical and organizational measures to protect the limited data we collect:

12.1 Technical Security Measures

Encryption

  • All data transmissions use TLS 1.3 or higher encryption
  • Webhook data is encrypted in transit between Shopify and our servers
  • Connection between our servers and your browser is encrypted

Infrastructure Security

  • Hosted on secure cloud infrastructure (Render) with SOC 2 compliance
  • Regular security patches and updates applied to all systems
  • Web application firewall (WAF) to protect against common attacks

Access Controls

  • Limited personnel access to infrastructure
  • All access is logged and monitored
  • No direct access to webhook payload data (as it's never stored)

12.2 Organizational Security Measures

Policies and Procedures

  • Information security policies reviewed regularly
  • Incident response plan for security events
  • Vendor security assessments for all processors

Monitoring

  • Continuous monitoring for suspicious activities
  • Regular review of connection logs for abuse patterns

12.3 Data Minimization by Design

The Service's architecture inherently protects privacy:

  • Webhook payloads never touch persistent storage
  • No databases store webhook content
  • HMAC secrets exist only in memory per endpoint
  • Automatic data deletion when connections close

12.4 Incident Response

In the unlikely event of a security incident:

  • We will contain and assess the incident immediately
  • We will notify affected users if identifiable and required by law
  • We will report to supervisory authorities within 72 hours when mandatory
  • We will document the incident and remediation actions

12.5 Security Limitations

While we implement industry-standard security measures:

  • No system can guarantee absolute protection
  • Webhook data transmitted over the internet may be intercepted
  • You should never send sensitive or confidential information
  • The Service is designed for testing, not production use

For security concerns, contact [email protected].

13. Cookies & Similar Technologies

We use cookies to enable the Service's core functionality and understand usage patterns.

13.1 Types of Cookies We Use

Essential Cookies (Strictly Necessary)

  • Endpoint identifier cookie: Associates your browser with your unique webhook endpoint
  • Duration: Persistent until you delete cookies or clear site data
  • Purpose: Required for the Service to function
  • Legal Basis: Legitimate interest (necessary for service provision)

These cookies cannot be disabled as they are essential for the Service to work.

Analytics Cookies

  • PostHog cookies: Track anonymous usage events
  • Google Analytics cookies: Track page views and interactions
  • Duration: Up to 2 years
  • Purpose: Understand how users interact with the Service
  • Legal Basis: Legitimate interest

13.2 Third-Party Cookies

PostHog

  • Sets cookies to track anonymous user sessions
  • IP addresses are anonymized
  • Data stored in the EU

Google Analytics

  • Sets cookies for usage analytics (_ga, _gid, _gat)
  • IP anonymization is enabled
  • Data transferred to the US with appropriate safeguards

13.3 Managing Cookies

Browser Settings

You can manage cookies through your browser settings:

  • Block all cookies: Note that this will prevent the Service from functioning
  • Delete cookies: This will generate a new endpoint on your next visit
  • Private/incognito mode: Cookies are automatically deleted when you close the browser

Analytics Opt-Out

To opt out of analytics tracking:

13.4 Do Not Track

We respect Do Not Track (DNT) browser signals for analytics cookies. When DNT is enabled, we will not load PostHog or Google Analytics tracking scripts.

13.5 No Advertising Cookies

We do not use any advertising or marketing cookies. All cookies serve functional or analytical purposes only.

14. Children's Privacy

Hookspector is a technical tool designed for developers and businesses. It is not intended for use by children.

14.1 Age Restriction

The Service is intended only for users who are at least 16 years of age. We do not knowingly collect data from anyone under 16.

14.2 No Data from Children

If we discover that we have inadvertently collected data from someone under 16:

  • We will immediately delete any associated data
  • We will take steps to prevent future access

14.3 Parental Notice

If you believe your child under 16 has used the Service, contact us at [email protected] and we will promptly delete any data.

15. Changes to this Privacy Policy

15.1 Right to Modify

We reserve the right to update this Privacy Policy to reflect changes in our practices, legal requirements, or Service features.

15.2 Types of Changes

Minor Changes:

  • Typographical corrections and clarifications
  • Formatting improvements
  • Updates to contact information
  • Addition of newly integrated processors performing similar functions

These changes will be made directly to the policy with an updated effective date.

Material Changes:

  • New purposes for processing data
  • Changes to data retention periods
  • New categories of data collected
  • Significant changes to international data transfers
  • Changes affecting your rights

15.3 Notification of Changes

For Minor Changes:

For Material Changes:

Given the anonymous nature of the Service, we cannot notify you directly. However:

  • We will post a prominent notice on the Service for at least 30 days
  • The "Effective Date" will be updated
  • Material changes will be highlighted at the top of the policy

15.4 Continued Use

By continuing to use Hookspector after changes take effect, you acknowledge and agree to be bound by the updated Privacy Policy. If you disagree with material changes, you should stop using the Service.

15.5 Review Responsibility

Because we cannot notify you of changes:

  • You are responsible for periodically reviewing this Privacy Policy
  • We recommend checking for updates if you use the Service regularly
  • The effective date always reflects the most recent version

16. Contact Information & Complaints

16.1 How to Contact Us

For all privacy-related matters, contact:

Email: [email protected]

Postal Address:

Infinea Consulting Ltd, Andor utca 21/c fszt. 1., 1119 Budapest, Hungary

VAT ID: HU14930883

16.2 Types of Requests We Handle

  • Data subject rights requests
  • Privacy policy questions
  • Security concerns
  • Complaints about data handling
  • General privacy inquiries

16.3 Response Times

  • Initial acknowledgment: Within 48 hours
  • Substantive response: Within 30 days
  • Complex requests: May extend by 60 days with notice
  • Urgent security matters: Within 24 hours

16.4 Lodging a Complaint with Supervisory Authorities

If you are dissatisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority.

Hungarian Supervisory Authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) - National Authority for Data Protection and Freedom of Information

Address: 1055 Budapest, Falk Miksa utca 9-11

Phone: +36 1 391 1400

Email: [email protected]

Website: https://naih.hu

Your Local Authority:

You may also file a complaint with the supervisory authority in:

  • Your country of habitual residence
  • Your place of work
  • The place where the alleged infringement occurred

For supervisory authorities in other EU member states, visit: https://edpb.europa.eu/about-edpb/about-edpb/members_en

16.5 Language Support

We accept privacy requests in:

  • English (primary)
  • Hungarian
  • Other EU languages (we will make reasonable efforts to accommodate)

Summary: Hookspector is a free, anonymous webhook testing tool. We collect minimal data (connection logs for 14 days, anonymous analytics, and essential cookies). Webhook payloads are never stored—they exist only in memory during transmission to your browser. You are responsible for any personal data you send through webhooks. For questions, contact [email protected].