This Privacy Policy explains how Brady Cusack Sole Proprietorship (“Hookie,” “we,” “us”) collects, uses, discloses, and protects personal information in connection with the Hookie webhook platform (the “Service”). It applies to our websites, the marketing site, the console, and the API.
1. Two roles: controller and processor
Hookie plays two different privacy roles, and it matters which data we are talking about:
- Controller — account data. For information about our customers and website visitors (names, emails, billing details, usage analytics), we decide how and why it is processed, so we are the controller.
- Processor — your event data. For the event payloads you ingest and route through the Service — which may contain personal data about your end users — we act only as a processor on your instructions. You are the controller of that data and are responsible for its lawful collection and use. If you require a Data Processing Agreement, contact privacy@hookie.ai.
This Policy focuses on data for which we are the controller. Our handling of your event data as a processor is governed by these Terms, our security practices, and any DPA between us.
2. Information we collect
You provide:
- Account information — name, email address, password (stored only as a secure hash by our authentication provider), and organization details.
- Billing information — plan selection and PayPal subscription identifiers. We do not receive or store your full payment-card details; those are handled by PayPal.
- Support and communications — messages you send us.
Collected automatically:
- Usage and log data — API requests, ingest and delivery metadata, event counts, IP addresses, timestamps, and error/observability traces used to operate, secure, and improve the Service.
- Cookies — a session cookie for authentication (SameSite=Lax, HttpOnly, Secure). We use only cookies necessary to provide the Service and do not use third-party advertising cookies.
Event data you route (processor role): payloads you ingest may contain personal data about your end users. We process it only to provide the Service (store, route, deliver, stream, and — if you enable it — run AI triggers).
3. How we use information
We use controller data to:
- provide, operate, secure, and maintain the Service and your account;
- process subscriptions and payments (via PayPal);
- enforce quotas, prevent abuse, and investigate security incidents;
- communicate with you about your account, changes, and support; and
- comply with legal obligations and enforce our Terms.
We do not sell your personal information, and we do not use your event data to train AI models.
4. Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service), legitimate interests (to secure and improve the Service and prevent abuse), consent (where required, e.g., certain communications), and legal obligation (e.g., tax and accounting).
5. How we share information
We share information with:
- Service providers (subprocessors) who process data on our behalf, including:
- Cloudflare — hosting, compute (Workers), storage (D1, Durable Objects, Queues), and AI inference (Workers AI);
- PayPal — subscription and payment processing;
- Google — only if you choose “Sign in with Google.”
- Legal and safety — when required by law, to enforce our Terms, or to protect the rights, property, or safety of Hookie, our users, or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy.
We do not sell personal information or share it for cross-context behavioral advertising.
6. Data retention
- Account data is retained while your account is active and for a reasonable period afterward as needed for legal, tax, and dispute-resolution purposes.
- Event data (records and raw submissions) is retained according to your plan’s retention window (currently 7 days on Free and 30 days on Standard) and is automatically pruned after that period.
- Secrets (destination signing secrets, ingest signing secrets, and source connection configs) are encrypted at rest and never returned by the API; ingest keys are stored only as hashes.
7. Security
We implement technical and organizational measures appropriate to the risk, including: AES-256-GCM encryption of secrets at rest, SHA-256 hashing of ingest keys (plaintext shown once), HMAC-signed outbound deliveries, per-tenant isolation on every read and write, IP allowlists, edge rate limiting, a strict Content-Security-Policy, CSRF protections, and an append-only audit log. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8. International transfers
The Service runs on Cloudflare’s global network, so data may be processed in countries other than yours. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the Standard Contractual Clauses.
9. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal data, and to withdraw consent. Under the GDPR/UK GDPR and CCPA/CPRA, these include the rights to know, access, delete, correct, and to non-discrimination for exercising your rights; we do not sell or “share” (as defined by the CCPA) your personal information.
To exercise rights over controller data, contact privacy@hookie.ai. For rights concerning event data we process on a customer’s behalf, please contact that customer (the controller); we will assist them as their processor. We may need to verify your identity before responding, and we will respond within the timeframes required by law.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal information. If you believe a child has provided us personal information, contact privacy@hookie.ai and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be signaled by updating the “Last updated” date and, where appropriate, by additional notice. Your continued use of the Service after changes take effect constitutes acceptance.
12. Contact
Privacy questions or requests: privacy@hookie.ai · Brady Cusack Sole Proprietorship, 1606 Headway Cir #9318, Austin, TX 78754. If you are in the EEA or UK and have a concern we cannot resolve, you also have the right to lodge a complaint with your local supervisory authority.