Privacy Policy
Effective: May 11, 2026
1. Introduction
Nahook ("Company", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information when you use our webhook delivery platform ("Service"), visit our website, or interact with us.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address
- Password (stored using one-way hashing)
- Workspace and organization details
2.2 Billing Information
Payment processing is handled by Stripe. We do not store credit card numbers or full payment details on our servers. Stripe's handling of your data is governed by Stripe's Privacy Policy.
2.3 Usage Data
We automatically collect information about how you use the Service, including:
- API request metadata (timestamps, status codes, endpoints called)
- Delivery attempt logs (delivery status, response codes, latency)
- Dashboard usage and feature interactions
2.4 Customer Data
You may transmit webhook payloads through the Service ("Customer Data"). We process Customer Data solely to deliver webhooks on your behalf. We do not access, analyze, or use the content of webhook payloads for any purpose other than providing the Service.
2.5 Website Visitors
When you visit our website, we may collect standard web analytics data such as pages visited, referral source, and browser type.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process payments and manage your subscription
- Send transactional communications (account verification, billing receipts, security alerts)
- Monitor and improve Service performance and reliability
- Detect and prevent fraud, abuse, and security incidents
- Respond to support requests
- Comply with legal obligations
We do not sell your personal information. We do not use Customer Data for advertising or marketing purposes.
4. Information Sharing
We share information only in the following circumstances:
4.1 Service Providers
We use third-party service providers to help operate the Service. These providers have access to personal information only as necessary to perform their functions and are obligated to protect it. See Section 9 for our current list of sub-processors.
4.2 Legal Requirements
We may disclose information if required by law, regulation, legal process, or governmental request.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.
5. Data Retention
- Account data: Retained for the duration of your account and deleted within 30 days of account termination.
- Webhook payloads: Retained temporarily for delivery and retry purposes, then deleted according to your plan's retention period.
- Usage analytics: Retained in aggregated, non-identifiable form for Service improvement.
- Billing records: Retained as required by applicable tax and accounting laws.
6. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption in transit (TLS/HTTPS) and at rest (AES-256-GCM for sensitive data such as webhook signing secrets)
- API key secrets stored as one-way hashes (SHA-256)
- Role-based access controls
- Regular security monitoring
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. International Data Transfers
The Service currently operates in a United States region. Multi-region support (including EU and APAC) is planned. If data is transferred across borders, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.
9. Sub-processors
We use the following third-party sub-processors:
| Provider | Purpose |
|---|---|
| Edge network, CDN & static hosting provider | CDN, edge proxy, static site hosting, and object storage |
| Cloud compute provider | Compute infrastructure and managed cache |
| Managed database provider | Managed database for accounts, configuration, and delivery records |
| Managed message-streaming provider | Message queue for the webhook delivery pipeline |
| Stripe | Payment processing |
| Transactional email provider | Transactional email delivery |
We also engage a small number of operational service providers (observability, error tracking, product analytics, and fraud-prevention tools) that may incidentally process limited personal data. A complete current list is available on request at [email protected].
We will notify customers of any changes to this list at least 14 days in advance.
10. Cookies
We use essential cookies for authentication and session management. We do not use third-party advertising cookies. Our website may use analytics cookies to understand visitor behavior; these can be disabled in your browser settings.
11. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 7 days before they take effect.
13. Contact
For privacy-related questions or to exercise your rights, contact us at [email protected].