HookCastle

Privacy Policy

Last updated: 12 January 2026

This policy explains what HookCastle collects, why, and how to exercise the rights you have under the EU General Data Protection Regulation (GDPR). It is written in plain language on purpose; if you need the GDPR-compliance-officer translation, email privacy@hookcastle.com.

Data controller

HookCastle is operated from Italy. The data controller for the purposes of GDPR can be reached at privacy@hookcastle.com; we will identify the responsible party in writing on request.

What we collect

  • Account data — name, email, hashed password, billing address (for Pro/Enterprise). Provided by you at sign-up or in the dashboard.
  • Event payloads & headers — submitted by you via the API. These are the actual webhook bodies you want delivered.
  • Delivery metadata — destination URL, attempt timestamps, response codes, response headers, response bodies (truncated to 8 KiB).
  • Operational logs — IP addresses of API callers, user agents, request rates, for abuse prevention and rate limiting.
  • Dashboard analytics — page views and clicks within the dashboard. Self-hosted, no third-party trackers, no cookies sent to external domains.

Why we process it

  • To deliver the Service you asked for (legal basis: contract performance, GDPR Art. 6(1)(b)).
  • To bill you (legal basis: contract performance + legal obligation, Art. 6(1)(b) and (c)).
  • To keep the Service secure (legal basis: legitimate interest, Art. 6(1)(f)).
  • To respond when you email us (legal basis: contract / legitimate interest).

How long we keep it

  • Event payload bodies: 7 days (Free), 30 days (Pro), or contractual on Enterprise.
  • Event metadata (id, destination, status, timestamps): 18 months for billing reconciliation.
  • Account data: while the account is active, plus 24 months after closure for tax/legal records (Italian law: 10 years for invoices specifically).
  • Operational logs: 30 days.

Subprocessors

We rely on a small number of categorised subprocessors. The current named list is provided to customers on request (email privacy@hookcastle.com), and Pro/Enterprise accounts can see it in the dashboard:

  • EU VPS hosting — primary infrastructure, Sofia (BG) region.
  • Encrypted off-site backups — separate EU region, 14-day rolling retention.
  • Card payment processor — for Pro plans only, PCI-DSS compliant, EU-based. Enterprise customers pay by invoice and are out of scope.
  • Transactional email — EU-based, used for account and billing notifications only (no marketing).

All subprocessors are based in the EU/EEA. We notify customers by email at least 30 days before adding or replacing a subprocessor.

International transfers

None at the moment. All processing happens within the EU/EEA. If we ever change this we will give 30 days' notice and provide the appropriate safeguards (Standard Contractual Clauses or adequacy decision).

Your rights

Under GDPR you have the right to:

  • Access your personal data (and a copy of it).
  • Correct inaccurate data.
  • Delete your data (subject to legal retention obligations, e.g. invoices).
  • Object to processing based on legitimate interest.
  • Lodge a complaint with the Italian Garante per la protezione dei dati personali (gpdp.it).

To exercise any of these, email privacy@hookcastle.com. We aim to respond within 7 working days; the legal maximum is 30.

Cookies

We use one functional cookie on the dashboard for session authentication. We do not use third-party analytics, marketing, or advertising cookies. The marketing site (hookcastle.com) currently sets no cookies at all.

Security incidents

If a security incident affects your data, we will notify you within 72 hours of discovery and detail what happened, what data was affected, and what we are doing about it. The first notification may be incomplete and followed by updates as we learn more.


HookCastle · Operated from Italy · privacy@hookcastle.com