We appreciate your engagement with our "Services", whether you're visiting our website at https://hookdeck.com/ (the "Website") or utilizing our infrastructure to develop, test and monitor your integrations. At Hookdeck, safeguarding your privacy and protecting your personal data is a top priority.

This Privacy Policy (the "Policy") outlines essential information about who we are, the personal data we collect, and how we handle your information while you use our Services or engage with us. We are committed to transparency and respect for your rights under the law. Please take a moment to carefully read and understand this Policy.

Policy Scope

This Policy applies to: (a) visitors to hookdeck.com; and (b) customers using our Managed Cloud Services (Event Gateway and Managed Outpost). This Policy does not apply to data processed by Self-Hosted Outpost running on your own or a third party's infrastructure. For self-hosted deployments, you are the data controller and are solely responsible for applicable privacy compliance.

Key Elements of this Policy

Here are the critical aspects of our Privacy Policy to help you quickly understand how we handle your personal data. Your consent for the collection, use, and disclosure of your personal data is implied when you submit it to us. For detailed information, please refer to the complete Policy.

| Personal data we collect from you but only with your consent | What we do with it | Third parties we share it with |
|---|---|---|
| Contact information | Communicate with you | Companies that provide email services, such as Customer.io |
| Account Information | Create an account for you, communicate with you, and provide you with certain Services | Companies providing technical infrastructure for the Services, specifically Google Cloud Platform, Datadog, Lumu, Cloudflare, Vercel, Aiven and Clickhouse Cloud |
| Chat information | Communicate with you and respond to your inquiry | Companies providing chat and communication services, such as Crisp and Slack |
| Billing information | Allow you to pay for the fees for use of Services | Stripe, our payment processor |

Terms

Before delving into the details, familiarize yourself with these key terms:

  • Data Protection Laws:
    • Refers to laws designed to safeguard personal data and privacy, including:
      • GDPR (General Data Protection Regulation): The European Data Protection Law outlined in Regulation (EU) 2016/679.
      • PIPEDA (Personal Information Protection and Electronic Documents Act): Canadian Data Protection Law applicable to our activities in Canada.
      • CCPA (California Consumer Privacy Act): Applies to our activities in the United States under certain circumstances.
  • Personal Data: Defined in the GDPR as "any information relating to an identified or identifiable natural person." Equivalent to "personal information" under PIPEDA and CCPA.
  • Other Terms: Definitions used in this Policy can be found in our Terms of Use, maintaining consistent meaning across both documents.

About Hookdeck and How to Contact Us

Hookdeck Technologies Inc. ("Hookdeck"): A duly-incorporated company under the laws of Canada.

Definition: When this Policy mentions "Hookdeck," it encompasses Hookdeck Technologies Inc. and/or its various stakeholders, including shareholders, officers, directors, employees, agents, partners, principals, representatives, successors, and assigns, depending on the context.

Data Controller under GDPR: Hookdeck, under the General Data Protection Regulation (GDPR), is designated as a "data controller." This means that we directly collect personal data from you and determine the purpose and means of processing that data. "Processing" includes actions such as collection, use, storage, transfer, or any other activities related to your personal data.

Contact Us: If you have questions about this Policy, privacy, data-related matters, or wish to exercise your privacy rights, please reach out to our Privacy Officer.

Hookdeck Privacy Officer: privacy@hookdeck.com

Hookdeck Mailing address: Hookdeck Privacy Officer 465 Rue McGill, Suite 700, Montréal, Québec. H2Y 2H1 Canada

Your Privacy Rights

Your privacy is important, and you have specific rights regarding your personal data. These rights may vary based on the Data Protection Laws applicable to your location. Here are your privacy rights concerning your data held by Hookdeck:

  1. Right to Withdraw Consent: You can withdraw your consent for Hookdeck to process your personal data at any time.
  2. Right to Erasure: You have the right to request the removal of your personal data from Hookdeck's records.
  3. Right to Access: You can access your personal data, including information about its processing and use.
  4. Right to Data Portability: Receive a readable copy of your personal data for easy transfer to another data processor.
  5. Right to Rectification: If you believe your personal data is inaccurate or outdated, you have the right to correction or updates.
  6. Right to Opt-Out of Marketing Communications: You can opt out of marketing communications from Hookdeck at any time.
  7. Right to Information on Data Sharing: Know whether Hookdeck sells or shares your personal data and to whom. Refer to relevant sections in this Policy or contact our Privacy Officer for clarification.
  8. Right to Refuse Data Selling: You have the right to demand that Hookdeck does not sell your personal data.
  9. Right to Restrict Processing: If your data is inaccurate or its processing violates the law, you can restrict its processing.
  10. Right to Refuse Targeted Marketing: Refuse any marketing or advertising targeted at you by Hookdeck.

To exercise any of these rights, contact our Privacy Officer using the information provided above or refer to relevant sections in this Policy. Your rights can be exercised without affecting the cost of the Services, but note that certain actions may impact your use of some or all Services. Your privacy matters, and we're here to help you protect it.

Your US State Privacy Rights

In addition to the rights described above, residents of certain US states have additional privacy rights under their state's consumer privacy law. This section applies to residents of California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and any other state with an applicable comprehensive privacy law.

Your Rights: Subject to applicable law, you may have the right to: (a) confirm whether we process your personal data; (b) access your personal data; (c) correct inaccuracies; (d) delete your personal data; (e) obtain a portable copy of your data; (f) opt out of the sale or sharing of your personal data (Hookdeck does not sell personal data); (g) opt out of targeted advertising; and (h) opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.

Right to Appeal: If we decline a privacy request, you have the right to appeal our decision. To submit an appeal, contact our Privacy Officer at privacy@hookdeck.com with the subject line "Privacy Rights Appeal." We will respond to appeals within forty-five (45) days (or sixty (60) days with notice of extension where reasonably necessary).

Non-Discrimination: We will not discriminate against you for exercising your privacy rights. We do not deny services, charge different prices, or provide a different quality of service based on the exercise of privacy rights.

Authorized Agents: You may designate an authorized agent to exercise your rights on your behalf. We may require the agent to provide proof of authorization and may verify your identity directly.

Sensitive Data: Hookdeck does not knowingly collect or process sensitive personal data (as defined under applicable state laws) unless you voluntarily provide it.

Personal Data Collected from You and What We Use It For

In the table below, you will find a summary of the personal data we may collect from you directly, its purpose, and the legal basis under the GDPR for us having and processing this personal data. Under PIPEDA, the legal basis is your informed consent, and by submitting this personal data you acknowledge having granted this consent to Hookdeck.

| Personal data processed | Certain Google or GitHub |
| Who we get the data from | Certain Google or GitHub |
| What we use it for (the "purpose" of processing) | To provide you with the Services |
| Legal basis for processing under the GDPR | Your consent and performance of a contract |

If you have provided personal data as part of the contract between you and us, failure to provide such data or withdrawal of your consent to use such data may result in our inability to provide certain services to you.

We do not collect any sensitive personal data under the GDPR unless you voluntarily submit it, either through the Website's chat function or via email. We encourage you not to provide sensitive personal information through these channels.

| Processing Purpose | Legal Basis |
|---|---|
| Providing the Cloud Services to you | Performance of a contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Payment processing and billing | Performance of a contract (Art. 6(1)(b)) |
| Technical support and customer communications | Performance of a contract (Art. 6(1)(b)) / Legitimate interest (Art. 6(1)(f)) |
| Product analytics and service improvement | Legitimate interest (Art. 6(1)(f)) — improving service reliability and performance |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) — protecting our infrastructure and users |
| Legal compliance (tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |

Who We Transfer Your Personal Data To

We routinely share certain types of your personal data with specific third parties, identified in the table below along with their respective purposes. Some of these third-party recipients may operate outside your home jurisdiction. If you are in the European Economic Area, please see the "Transfer of Your Personal Data Outside of the European Economic Area" further down in this Policy for more information including on how we safeguard your personal data in such cases.

We share personal data with law enforcement or public authorities if required by applicable law, including lawful requests related to national security or law enforcement. We may also share data to investigate or prevent illegal activities, fraud, threats to safety, or violations of Hookdeck's Terms of Use.

Additionally, we may share personal data: (1) with parent companies, subsidiaries, or joint ventures under common control (requiring them to adhere to this Policy); and (2) in the event of a merger, corporate reorganization, or business sale or transfer (with the new entity assuming our obligations under this Policy or informing you of a new privacy policy).

| Personal data category | Who we transfer it to | What they do with it |
|---|---|---|
| Account Information | Companies providing technical infrastructure for the Services, specifically Google Cloud Platform, Datadog, Lumu, Cloudflare, Vercel, Segment and Aiven | Control your logging in to the Services so they can be provided to you, and record-keeping |
| Contact information | Companies that provide email services, specifically Customer.io, as detailed more fully in the Email Communications section below | Send you emails |
| Chat information | Companies providing chat and communication services, such as https://crisp.chat/en/ and https://slack.com/intl/en-ca/ | Operate the chat service on the Website and allow us to communicate with one another using Slack |
| Billing information | https://stripe.com/en-ca, our payment processor | Process your payments for the fees you pay for the Services |
| Analytics identifiers (including your IP address) | Companies that provide data analytics, specifically https://www.google.com/analytics/, https://posthog.com/ | Provide us with analytics as to how the Services are used and to trace fraudulent activities |

When you first visit our Website, we ask for your consent before placing non-essential cookies or similar tracking technologies on your device. You can accept or reject non-essential cookies through the consent banner presented on your first visit. Essential cookies required for the basic operation of the Website are placed without consent as permitted by law.

Cookies, which are small text files, are placed on your computer or device when you visit the Website or use the Services. They track your site or service usage, aiming to enhance the user experience by storing specific data on your device.

We employ cookies and related technologies for the following purposes:

  • Facilitating your sign-in to the Services.
  • Providing internal and user analytics on the Website, conducting research to enhance Service content using analytics programs outlined in this Policy.
  • Assisting in identifying potential fraudulent activities.

You can configure your browser to reject or delete cookies after storage. Instructions for commonly-used browsers and operating systems are provided below:

Note: Deleting or blocking certain cookies might impact your user experience, requiring re-entry of specific information. It may also prevent certain functions or the entire Services from working properly.

Email Communications and Compliance with Anti-Spam Laws

Hookdeck utilizes Customer.io (the "Email Service Provider") to manage our mailing list and to send out emails related to various Services functions, including transactional, operational, and promotional emails. Personal data is transferred to the Email Service Provider in order to manage the mailing list and facilitate proper email dispatch. Your Contact Information is only used to send out emails; the Email Service Provider does not use this Personal Information for any other purpose and will not transfer or sell your Personal Information to any other third party. For more information, please refer to Customer.io's Privacy Policy.

To unsubscribe from Hookdeck's mailing list, use the link at the bottom of all Hookdeck emails. Note that certain emails, such as transactional and relational ones related to the Services, won't have an opt-out option, as they are necessary for Service use.

Hookdeck ensures email practices comply with anti-spam laws, particularly Canada's Anti-Spam Law (CASL), S.C. 2010, c. 23. If you believe you've received an email violating these laws, please contact us using the information provided earlier in this Policy.

How We Protect Your Personal Data

We have implemented stringent technical and organizational procedures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed by us. These procedures safeguard your personal data from loss, unauthorized use, or access.

In the event of a suspected data security breach, our established procedures include notifying you and any relevant supervisory authority, complying with the time frames dictated by applicable Data Protection Laws.

Hookdeck adheres to industry best practices, employing physical, electronic, and procedural measures to secure all collected data, including personal data. Our reliance on third-party vendors and hosting partners, such as Google Cloud Platform, Netlify, Cloudflare, and Vercel, ensures robust security standards in data hosting and storage, including personal data.

All information, including personal data, is transferred with encryption through Secure Sockets Layer ("SSL") or Transport Layer Security ("TLS") — widely recognized security standards for Internet data transfer and transactions. You can verify Hookdeck's valid SSL security certificate using your browser.

Transfer of Your Personal Data Outside of the European Economic Area (EEA)

For our European users, we strive to keep your personal data inside the EEA. However, certain of our data processors (and Hookdeck) are located in other countries where your personal data may be transferred. These countries meet specific criteria ensuring your data protection:

  • Canada: Considered to have an "adequate level of protection" for your personal data under European data protection law.
  • The European Union–United States Data Privacy Framework (DPF): For EEA-to-US transfers, Hookdeck relies on the EU-US DPF adopted July 10, 2023. Where a sub-processor is not DPF-certified, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021 version).
  • UK Extension to the EU-US DPF: For transfers from the United Kingdom, Hookdeck relies on the UK Extension to the EU-US Data Privacy Framework, effective October 12, 2023. Where a sub-processor is not covered by the UK Extension, we rely on the UK International Data Transfer Addendum to the EU SCCs.
  • Swiss-US Data Privacy Framework: For transfers from Switzerland, Hookdeck relies on the Swiss-US Data Privacy Framework, recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC) effective September 15, 2024.

Should you wish to refuse the transfer of your data outside the EEA, please contact our Privacy Officer. Note that this request may impact your ability to use certain or all Services.

Supervisory Authorities and Complaints

If you are in the EEA, under the GDPR you have the right to make a complaint to the appropriate supervisory authority. If you are not satisfied with the response received or the actions taken by our Privacy Officer, or if you would like to make a complaint directly about Hookdeck's data practices, we invite you to contact the supervisory authority in your country. If you are in the U.K., you should contact the Information Commissioner's Office who is the supervisory authority. You can reach them in a variety of ways, including by phone (0303 123 1113 in the UK) and mail (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF). If you are in France, you should contact the Commission Nationale de l'Informatique et des Libertés who is the supervisory authority there. Their contact information can be found here.

The full listing of all Data Protection Authorities (the supervisory authorities) across the EEA can be found here.

Data Retention

Your personal data will only be kept for as long as it is necessary for the purpose needed for that processing. For example, we will only retain your Account Information for as long as you have an account with us.

Specifically, we apply the following retention periods:

  • Account Information: Retained indefinitely.
  • Event and webhook data (Cloud Services): Retained according to your payment plan settings, with a maximum of thirty-one (31) days for event payloads and delivery logs.
  • Billing data: Retained for the duration of your account plus the period required by applicable tax and accounting laws (typically seven (7) years).
  • Usage analytics: Product analytics data is retained for seven (7) years; aggregated and anonymized data may be retained indefinitely.
  • Support communications: Retained for the duration of your account, or until you request deletion.
  • Backups: Customer Data is purged from backups within sixty (60) days of deletion from production systems.

Upon request, we will delete your personal data in accordance with the timelines above, unless retention is required by applicable law.

Automated Decision-Making

Hookdeck does not use any automated decision-making processes in providing the Services.

Hookdeck's artificial intelligence features (described below) do not constitute automated decision-making within the meaning of GDPR Article 22, as they do not produce legal or similarly significant effects on individuals.

Artificial Intelligence Features & Data Processing

Hookdeck offers the following artificial intelligence features. These features do not use Customer Data (event payloads, webhook content, or account data) for model training, and Hookdeck does not retain Customer Data beyond what is necessary to fulfill each real-time request.

AI-Assisted Filters and Transformations

Hookdeck offers AI assistance to help you write event filters in the dashboard, and will offer the same assistance for event transformations shortly. These features help you author filter rules or transformation code quickly by generating suggestions based on a sample of your event payload.

  • Triggering: AI-assisted generation is never automatic. It runs only when you take a specific, deliberate action in the dashboard. Hookdeck does not silently or proactively send event payloads to AI subprocessors.
  • Data Sharing: When you invoke the feature, a sample of the event payload and your prompt are sent to a third-party AI subprocessor (listed on the Sub-Processors page) for the sole purpose of generating the suggestion.
  • Disclaimer: Each time you invoke the feature, Hookdeck displays a disclaimer. You must confirm and proceed before any data is sent.
  • No Training / Profiling: Hookdeck does not use payload samples, prompts, or suggestions for training or improving models. We contractually require AI subprocessors to apply the same restrictions.
  • Control: You decide on a per-filter and per-transformation basis whether to use AI assistance. You can also disable AI assistance at the account level in your settings.

Skills (Open-Source)

Hookdeck publishes open-source Skills — structured knowledge files enabling AI coding agents (Claude Code, Cursor, GitHub Copilot, and others) to implement webhook integrations correctly.

  • Data Processing: These are static reference files. Hookdeck does not process or receive any data through this feature.

MCP Server

Hookdeck provides a Model Context Protocol (MCP) server that allows AI agents to interact with your Hookdeck account via the standard API (e.g., to inspect event deliveries, manage endpoints, or replay failed events).

  • Data Processing: These interactions use your existing API credentials and are subject to standard API log retention only. No data is passed to third-party AI providers as a result of MCP usage.

Children's Privacy Statement

The Services are not intended for children under the age of 16. We do not knowingly collect any personal data from a child under 16. If we become aware that we have inadvertently received personal data from a person under the age of 16 through the Services, we will delete such information from our records.

Changes to This Privacy Policy

The date at the top of this page indicates when this Policy was last updated. Periodically, we will have to update this Policy, and we will update it no less than once every 12 months. You can always find the most updated version at this URL, and we will always post a notice on the Services. If you have a Hookdeck account, we will also send you an email to inform you of the Policy updates and highlight any important changes.