Privacy
Effective 11 July 2026
HookFerret is an ephemeral webhook inspector: you mint a throwaway inbox URL, point a webhook sender at it, and inspect the captured requests. This page explains what we handle and for how long. In short — we keep as little as possible, for as short a time as possible, and we don't track you.
What we handle
-
Captured requests. When an HTTP request is sent to your inbox URL
(
/i/<inbox-id>), we store its method, path, query, headers, body, source IP, and time so you can inspect it. These are supplied by whoever calls your inbox and may contain personal data — you and your senders control what's in them. - No accounts. Using HookFerret requires no sign-up. We don't ask for or store your name, email, or password to use the tool.
- No tracking. No analytics, no advertising, no third-party trackers, and no cookies used to profile you.
- Signing secrets never reach us. The signature-detection feature runs entirely in your browser (Web Crypto). Any signing secret you paste stays in your browser tab and is never sent to, logged by, or stored on our servers.
How long we keep it
Captured data is ephemeral. Every inbox and its requests carry a short time-to-live (default 1 hour, maximum 24 hours) and are then automatically deleted. Large request bodies held in object storage expire on a 1-day lifecycle. We don't keep long-term copies or backups of your captured requests.
How it's protected
- Captured data is encrypted at rest (database and object-storage encryption).
- Request bodies and headers are never written to our application logs.
- Access is scoped by your unguessable inbox URL. There is no listing of inboxes — but anyone who has your inbox URL can view its requests, so treat the URL like a secret and don't share it more widely than you intend.
Sharing
We don't sell your data and we don't share captured requests with third parties. The service runs on cloud infrastructure (a hosting/cloud provider) that processes the data solely to operate HookFerret.
Your choices
- Captured requests auto-delete when their inbox expires — you don't have to do anything.
- You can delete an individual captured request from the dashboard.
- To dispose of everything, simply stop using an inbox and let it expire.
Changes & contact
We may update this policy; the effective date above reflects the latest version. Questions about privacy: privacy@hookferret.com.