We appreciate your engagement with our "Services", whether you're visiting our website at https://hookdeck.com/ (the "Website") or utilizing our infrastructure to develop, test and monitor your integrations. At Hookdeck, safeguarding your privacy and protecting your personal data is a top priority.
This Privacy Policy (the "Policy") outlines essential information about who we are, the personal data we collect, and how we handle your information while you use our Services or engage with us. We are committed to transparency and respect for your rights under the law. Please take a moment to carefully read and understand this Policy.
Policy Scope
This Policy applies to: (a) visitors to hookdeck.com; and (b) customers using our Managed Cloud Services (Event Gateway and Managed Outpost). This Policy does not apply to data processed by Self-Hosted Outpost running on your own or a third party's infrastructure. For self-hosted deployments, you are the data controller and are solely responsible for applicable privacy compliance.
Key Elements of this Policy
Here are the critical aspects of our Privacy Policy to help you quickly understand how we handle your personal data. Your consent for the collection, use, and disclosure of your personal data is implied when you submit it to us. For detailed information, please refer to the complete Policy.
| Personal data we collect from you but only with your consent | What we do with it | Third parties we share it with |
|---|---|---|
| Contact information | Communicate with you | Companies that provide email services, such as Customer.io |
| Account Information | Create an account for you, communicate with you, and provide you with certain Services | Companies providing technical infrastructure for the Services, specifically Google Cloud Platform, Datadog, Lumu, Cloudflare, Vercel, Aiven and Clickhouse Cloud |
| Chat information | Communicate with you and respond to your inquiry | Companies providing chat and communication services, such as Crisp and Slack |
| Billing information | Allow you to pay for the fees for use of Services | Stripe, our payment processor |
Terms
Before delving into the details, familiarize yourself with these key terms:
- Data Protection Laws: Refers to laws designed to safeguard personal data and privacy, including:
  - GDPR (General Data Protection Regulation): The European Data Protection Law outlined in Regulation (EU) 2016/679.
  - PIPEDA (Personal Information Protection and Electronic Documents Act): Canadian Data Protection Law applicable to our activities in Canada.
  - CCPA (California Consumer Privacy Act): Applies to our activities in the United States under certain circumstances.
- Personal Data: Defined in the GDPR as "any information relating to an identified or identifiable natural person." Equivalent to "personal information" under PIPEDA and CCPA.
- Other Terms: Definitions used in this Policy can be found in our Terms of Use, maintaining consistent meaning across both documents.
About Hookdeck and How to Contact Us
Hookdeck Technologies Inc. ("Hookdeck"): A duly-incorporated company under the laws of Canada.
Definition: When this Policy mentions "Hookdeck," it encompasses Hookdeck Technologies Inc. and/or its various stakeholders, including shareholders, officers, directors, employees, agents, partners, principals, representatives, successors, and assigns, depending on the context.
Data Controller under GDPR: Hookdeck, under the General Data Protection Regulation (GDPR), is designated as a "data controller." This means that we directly collect personal data from you and determine the purpose and means of processing that data. "Processing" includes actions such as collection, use, storage, transfer, or any other activities related to your personal data.
Contact Us: If you have questions about this Policy, privacy, data-related matters, or wish to exercise your privacy rights, please reach out to our Privacy Officer.
Hookdeck Privacy Officer: privacy@hookdeck.com
Hookdeck Mailing address: Hookdeck Privacy Officer 465 Rue McGill, Suite 700, Montréal, Québec. H2Y 2H1 Canada
Your Privacy Rights
Your privacy is important, and you have specific rights regarding your personal data. These rights may vary based on the Data Protection Laws applicable to your location. Here are your privacy rights concerning your data held by Hookdeck:
- Right to Withdraw Consent: You can withdraw your consent for Hookdeck to process your personal data at any time.
- Right to Erasure: You have the right to request the removal of your personal data from Hookdeck's records.
- Right to Access: You can access your personal data, including information about its processing and use.
- Right to Data Portability: Receive a readable copy of your personal data for easy transfer to another data processor.
- Right to Rectification: If you believe your personal data is inaccurate or outdated, you have the right to correction or updates.
- Right to Opt-Out of Marketing Communications: You can opt out of marketing communications from Hookdeck at any time.
- Right to Information on Data Sharing: Know whether Hookdeck sells or shares your personal data and to whom. Refer to relevant sections in this Policy or contact our Privacy Officer for clarification.
- Right to Refuse Data Selling: You have the right to demand that Hookdeck does not sell your personal data.
- Right to Restrict Processing: If your data is inaccurate or its processing violates the law, you can restrict its processing.
- Right to Refuse Targeted Marketing: Refuse any marketing or advertising targeted at you by Hookdeck.
To exercise any of these rights, contact our Privacy Officer using the information provided above or refer to relevant sections in this Policy. Your rights can be exercised without affecting the cost of the Services, but note that certain actions may impact your use of some or all Services. Your privacy matters, and we're here to help you protect it.
Your US State Privacy Rights
In addition to the rights described above, residents of certain US states have additional privacy rights under their state's consumer privacy law. This section applies to residents of California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and any other state with an applicable comprehensive privacy law.
Your Rights: Subject to applicable law, you may have the right to: (a) confirm whether we process your personal data; (b) access your personal data; (c) correct inaccuracies; (d) delete your personal data; (e) obtain a portable copy of your data; (f) opt out of the sale or sharing of your personal data (Hookdeck does not sell personal data); (g) opt out of targeted advertising; and (h) opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
Right to Appeal: If we decline a privacy request, you have the right to appeal our decision. To submit an appeal, contact our Privacy Officer at privacy@hookdeck.com with the subject line "Privacy Rights Appeal." We will respond to appeals within forty-five (45) days (or sixty (60) days with notice of extension where reasonably necessary).
Non-Discrimination: We will not discriminate against you for exercising your privacy rights. We do not deny services, charge different prices, or provide a different quality of service based on the exercise of privacy rights.
Authorized Agents: You may designate an authorized agent to exercise your rights on your behalf. We may require the agent to provide proof of authorization and may verify your identity directly.
Sensitive Data: Hookdeck does not knowingly collect or process sensitive personal data (as defined under applicable state laws) unless you voluntarily provide it.
Personal Data Collected from You and What We Use It For
In the table below, you will find a summary of the personal data we may collect from you directly, its purpose, and the legal basis under the GDPR for us having and processing this personal data. Under PIPEDA, the legal basis is your informed consent, and by submitting this personal data you acknowledge having granted this consent to Hookdeck.
| Personal data processed | Certain Google or GitHub |
| Who we get the data from | Certain Google or GitHub |
| What we use it for (the "purpose" of processing) | To provide you with the Services |
| Legal basis for processing under the GDPR | Your consent and performance of a contract |
If you have provided personal data as part of the contract between you and us, failure to provide such data or withdrawal of your consent to use such data may result in our inability to provide certain services to you.
We do not collect any sensitive personal data under the GDPR unless you voluntarily submit it, either through the Website's chat function or via email. We encourage you not to provide sensitive personal information through these channels.
Legal Basis for Processing (GDPR)
| Processing Purpose | Legal Basis |
|---|---|
| Providing the Cloud Services to you | Performance of a contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Payment processing and billing | Performance of a contract (Art. 6(1)(b)) |
| Technical support and customer communications | Performance of a contract (Art. 6(1)(b)) / Legitimate interest (Art. 6(1)(f)) |
| Product analytics and service improvement | Legitimate interest (Art. 6(1)(f)) — improving service reliability and performance |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) — protecting our infrastructure and users |
| Legal compliance (tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |
Who We Transfer Your Personal Data To
We routinely share certain types of your personal data with specific third parties, identified in the table below along with their respective purposes. Some of these third-party recipients may operate outside your home jurisdiction. If you are in the European Economic Area, please see the "Transfer of Your Personal Data Outside of the European Economic Area" section further down in this Policy for more information, including on how we safeguard your personal data in such cases.
We share personal data with law enforcement or public authorities if required by applicable law, including lawful requests related to national security or law enforcement. We may also share data to investigate or prevent illegal activities, fraud, threats to safety, or violations of Hookdeck's Terms of Use.
Additionally, we may share personal data: (1) with parent companies, subsidiaries, or joint ventures under common control (requiring them to adhere to this Policy); and (2) in the event of a merger, corporate reorganization, or business sale or transfer (with the new entity assuming our obligations under this Policy or informing you of a new privacy policy).
| Personal data category | Who we transfer it to | What they do with it |
|---|---|---|
| Account Information | Companies providing technical infrastructure for the Services, specifically Google Cloud Platform, Datadog, Lumu, Cloudflare, Vercel, Segment and Aiven | Control your logging in to the Services so they can be provided to you, and record-keeping |
| Contact information | Companies that provide email services, specifically Customer.io, as detailed more fully in the Email Communications section below | Send you emails |
| Chat information | Companies providing chat and communication services, such as https://crisp.chat/en/ and https://slack.com/intl/en-ca/ | Operate the chat service on the Website and allow us to communicate with one another using Slack |
| Billing information | https://stripe.com/en-ca, our payment processor | Process your payments for the fees you pay for the Services |
| Analytics identifiers (including your IP address) | Companies that provide data analytics, specifically https://www.google.com/analytics/, https://posthog.com/ | Provide us with analytics as to how the Services are used and to trace fraudulent activities |
Tracking Technology ("Cookies" and Related Technologies)
When you first visit our Website, we ask for your consent before placing non-essential cookies or similar tracking technologies on your device. You can accept or reject non-essential cookies through the consent banner presented on your first visit. Essential cookies required for the basic operation of the Website are placed without consent as permitted by law.
Cookies, which are small text files, are placed on your computer or device when you visit the Website or use the Services. They track your site or service usage, aiming to enhance the user experience by storing specific data on your device.
We employ cookies and related technologies for the following purposes:
- Facilitating your sign-in to the Services.
- Providing internal and user analytics on the Website, conducting research to enhance Service content using analytics programs outlined in this Policy.
- Assisting in identifying potential fraudulent activities.
You can configure your browser to reject or delete cookies after storage. Instructions for commonly-used browsers and operating systems are provided below:
Note: Deleting or blocking certain cookies might impact your user experience, requiring re-entry of specific information. It may also prevent certain functions or the entire Services from working properly.
Email Communications and Compliance with Anti-Spam Laws
Hookdeck utilizes Customer.io (the "Email Service Provider") to manage our mailing list and to send out emails related to various Services functions, including transactional, operational, and promotional emails. Personal data is transferred to the Email Service Provider in order to manage the mailing list and facilitate proper email dispatch. Your Contact Information is only used to send out emails; the Email Service Provider does not use this Personal Information for any other purpose and will not transfer or sell your Personal Information to any other third party. For more information, please refer to Customer.io's Privacy Policy.
To unsubscribe from Hookdeck's mailing list, use the link at the bottom of all Hookdeck emails. Note that certain emails, such as transactional and relational ones related to the Services, won't have an opt-out option, as they are necessary for Service use.
Hookdeck ensures email practices comply with anti-spam laws, particularly Canada's Anti-Spam Law (CASL), S.C. 2010, c. 23. If you believe you've received an email violating these laws, please contact us using the information provided earlier in this Policy.
How We Protect Your Personal Data
We have implemented stringent technical and organizational procedures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed by us. These procedures safeguard your personal data from loss, unauthorized use, or access.
In the event of a suspected data security breach, our established procedures include notifying you and any relevant supervisory authority, complying with the time frames dictated by applicable Data Protection Laws.
Hookdeck adheres to industry best practices, employing physical, electronic, and procedural measures to secure all collected data, including personal data. Our reliance on third-party vendors and hosting partners, such as Google Cloud Platform, Netlify, Cloudflare, and Vercel, ensures robust security standards in data hosting and storage, including personal data.
All information, including personal data, is transferred with encryption through Secure Sockets Layer ("SSL") or Transport Layer Security ("TLS") — widely recognized security standards for Internet data transfer and transactions. You can verify Hookdeck's valid SSL security certificate using your browser.
Transfer of Your Personal Data Outside of the European Economic Area (EEA)
For our European users, we strive to keep your personal data inside the EEA. However, certain of our data processors (and Hookdeck) are located in other countries where your personal data may be transferred. These countries meet specific criteria ensuring your data protection:
- Canada: Considered to have an "adequate level of protection" for your personal data under European data protection law.
- The European Union–United States Data Privacy Framework (DPF): For EEA-to-US transfers, Hookdeck relies on the EU-US DPF adopted July 10, 2023. Where a sub-processor is not DPF-certified, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021 version).
- UK Extension to the EU-US DPF: For transfers from the United Kingdom, Hookdeck relies on the UK Extension to the EU-US Data Privacy Framework, effective October 12, 2023. Where a sub-processor is not covered by the UK Extension, we rely on the UK International Data Transfer Addendum to the EU SCCs.
- Swiss-US Data Privacy Framework: For transfers from Switzerland, Hookdeck relies on the Swiss-US Data Privacy Framework, recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC) effective September 15, 2024.
Should you wish to refuse the transfer of your data outside the EEA, please contact our Privacy Officer. Note that this request may impact your ability to use certain or all Services.
Supervisory Authorities and Complaints
If you are in the EEA, under the GDPR you have the right to make a complaint to the appropriate supervisory authority. If you are not satisfied with the response received or the actions taken by our Privacy Officer, or if you would like to make a complaint directly about Hookdeck's data practices, we invite you to contact the supervisory authority in your country. If you are in the U.K., you should contact the Information Commissioner's Office, which is the supervisory authority. You can reach them in a variety of ways, including by phone (0303 123 1113 in the UK) and mail (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF). If you are in France, you should contact the Commission Nationale de l'Informatique et des Libertés, which is the supervisory authority there. Their contact information can be found here.
The full listing of all Data Protection Authorities (the supervisory authorities) across the EEA can be found here.
Data Retention
Your personal data will only be kept for as long as it is necessary for the purpose needed for that processing. For example, we will only retain your Account Information for as long as you have an account with us.
Specifically, we apply the following retention periods:
- Account Information: Retained indefinitely.
- Event and webhook data (Cloud Services): Retained according to your payment plan settings, with a maximum of thirty-one (31) days for event payloads and delivery logs.
- Billing data: Retained for the duration of your account plus the period required by applicable tax and accounting laws (typically seven (7) years).
- Usage analytics: Product analytics data is retained for seven (7) years; aggregated and anonymized data may be retained indefinitely.
- Support communications: Retained for the duration of your account, or until you request deletion.
- Backups: Customer Data is purged from backups within sixty (60) days of deletion from production systems.
Upon request, we will delete your personal data in accordance with the timelines above, unless retention is required by applicable law.
Automated Decision-Making
Hookdeck does not use any automated decision-making processes in providing the Services.
Hookdeck's artificial intelligence features (described below) do not constitute automated decision-making within the meaning of GDPR Article 22, as they do not produce legal or similarly significant effects on individuals.
Artificial Intelligence Features & Data Processing
Hookdeck offers the following artificial intelligence features. These features do not use Customer Data (event payloads, webhook content, or account data) for model training, and Hookdeck does not retain Customer Data beyond what is necessary to fulfill each real-time request.
AI-Assisted Filters and Transformations
Hookdeck offers AI assistance to help you write event filters in the dashboard, and will offer the same assistance for event transformations shortly. These features help you author filter rules or transformation code quickly by generating suggestions based on a sample of your event payload.
- Triggering: AI-assisted generation is never automatic. It runs only when you take a specific, deliberate action in the dashboard. Hookdeck does not silently or proactively send event payloads to AI subprocessors.
- Data Sharing: When you invoke the feature, a sample of the event payload and your prompt are sent to a third-party AI subprocessor (listed on the Sub-Processors page) for the sole purpose of generating the suggestion.
- Disclaimer: Each time you invoke the feature, Hookdeck displays a disclaimer. You must confirm and proceed before any data is sent.
- No Training / Profiling: Hookdeck does not use payload samples, prompts, or suggestions for training or improving models. We contractually require AI subprocessors to apply the same restrictions.
- Control: You decide on a per-filter and per-transformation basis whether to use AI assistance. You can also disable AI assistance at the account level in your settings.
Skills (Open-Source)
Hookdeck publishes open-source Skills — structured knowledge files enabling AI coding agents (Claude Code, Cursor, GitHub Copilot, and others) to implement webhook integrations correctly.
- Data Processing: These are static reference files. Hookdeck does not process or receive any data through this feature.
MCP Server
Hookdeck provides a Model Context Protocol (MCP) server that allows AI agents to interact with your Hookdeck account via the standard API (e.g., to inspect event deliveries, manage endpoints, or replay failed events).
- Data Processing: These interactions use your existing API credentials and are subject to standard API log retention only. No data is passed to third-party AI providers as a result of MCP usage.
Children's Privacy Statement
The Services are not intended for children under the age of 16. We do not knowingly collect any personal data from a child under 16. If we become aware that we have inadvertently received personal data from a person under the age of 16 through the Services, we will delete such information from our records.
Changes to This Privacy Policy
The date at the top of this page indicates when this Policy was last updated. Periodically, we will have to update this Policy, and we will update it no less than once every 12 months. You can always find the most updated version at this URL, and we will always post a notice on the Services. If you have a Hookdeck account, we will also send you an email to inform you of the Policy updates and highlight any important changes.