Privacy Policy

Last updated

At a glance

HookRescue is a webhook reliability proxy. Shopify sends webhooks to us, we persist them, and we forward them to your backend with HMAC SHA-256 signatures generated using a per-source secret you control. This page describes the data we handle to make that work, who we share it with, and what rights you have over it.

What | Where | How long
Account data (email, hashed password, plan, account name) | Heroku Postgres (US) | While your account is active, plus 30 days after cancellation
Webhook payloads and headers | Heroku Postgres (US), encrypted column for secrets | Your plan's retention window (14 days during private beta)
Delivery attempts, retry state, DLQ entries | Heroku Postgres + Redis (US) | Same window as the underlying payload
Audit log (replays, secret rotations, DLQ resolutions) | Heroku Postgres (US) | 12 months minimum
Billing data (card numbers, billing address) | Held by LemonSqueezy — we never see card numbers | See LemonSqueezy's policy

We do not sell your data, we do not train AI models on customer payloads, and we do not share data with marketing partners. The rest of this document is the long version.

Information we collect

Account-level data. When you sign up we collect the email address you register with, a salted bcrypt hash of your password (we never store the plaintext), an account or organization name, your plan tier, and metadata such as sign-in timestamps and the IP addresses of recent sessions. If you connect a Shopify store or app, we store the shop domain and the OAuth tokens or API credentials needed to reconcile against the Shopify Admin API. These tokens are encrypted at rest using AES-GCM via Rails 7.1 ActiveRecord encryption.

Operational data — webhook payloads. The core of HookRescue is receiving webhooks from Shopify on your behalf. For every webhook we receive on a source you've configured, we store:

  • The raw request body, as bytes (bytea in Postgres), exactly as Shopify sent it
  • The full set of HTTP headers, including the X-Shopify-Hmac-Sha256 header we use for verification
  • A topic and shop identifier extracted from the headers
  • A timestamp of receipt
  • The state of every forward attempt to your endpoint: status code, response body excerpt, latency, and the next retry time if applicable
  • DLQ entries when delivery exhausts the 7-day retry window

Webhook bodies can contain customer-of-customer personal data — order shipping addresses, customer email addresses, line item details. From our perspective this data is processed on your behalf; you are the controller and we are the processor. We only handle it to deliver, retry, reconcile, and let you triage failed deliveries.

Per-source signing secrets. When HookRescue forwards a webhook to your backend, we sign the request with HMAC SHA-256 using a secret you provide or that we generate for you. These secrets are encrypted at rest using AES-GCM and are decrypted only in-process at signing time.

Audit log. Every replay, secret rotation, and DLQ resolution is recorded with the actor (user ID), timestamp, source, and the affected event ID. This is mandatory; you cannot disable it, because it is how we make trust claims about what happened.

Communications. If you email us, we keep the thread for as long as we need it to support you and to maintain a record of past issues.

No analytics SDKs. We do not embed third-party analytics, advertising pixels, or session replay tools in the dashboard.

How we use information

We use the data above for the following purposes:

  • Service delivery. Receiving, storing, signing, forwarding, retrying, and reconciling webhooks. This is the contract — without this processing, there is no product.
  • Security. Detecting abuse, rate-limiting, investigating suspected unauthorized access, and protecting our infrastructure. Legal basis under GDPR: legitimate interest.
  • Debugging. When a delivery fails or a customer files a support ticket, our engineers may inspect specific events to diagnose the issue. Access is logged.
  • Billing. Plan tier and usage counters are sent to LemonSqueezy to generate invoices.
  • Communication. Transactional email about your account — incident notices, security alerts, billing receipts, material policy changes. We do not send marketing email without separate opt-in.

What we don't do

To be explicit:

  • We do not sell your data or your customers' data to anyone, under any definition of "sell" used by CCPA, CPRA, or any other law.
  • We do not use customer webhook payloads to train, fine-tune, or evaluate AI or machine learning models — ours or anybody else's.
  • We do not share data with advertising networks, data brokers, or marketing partners.
  • We do not read webhook bodies in aggregate to build product analytics. Internal metrics are derived from delivery counts, latencies, and error rates — not payload contents.

Sharing and subprocessors

HookRescue uses the following subprocessors. We require each to provide security and confidentiality protections at least as strong as those described in this policy.

Subprocessor | Purpose | Location | Data handled
Heroku (Salesforce) | Application hosting, Postgres, Redis | United States | All operational and account data
Cloudflare | CDN, TLS termination, edge protection | Global edge, US contracting entity | Request metadata, IPs in transit
LemonSqueezy | Merchant of record, billing, card processing | United States / EU | Billing email, address, payment method
Postmark (or equivalent transactional provider) | Transactional email delivery | United States | Recipient email, message contents

We do not process credit card numbers ourselves — LemonSqueezy is the merchant of record and handles all PCI scope. If we add or replace a subprocessor, we will update this list and notify customers on plans that include subprocessor change notice.

International transfers

HookRescue is hosted in the United States by default. If you are in the EU, the UK, or another jurisdiction with cross-border transfer rules, your data will be transferred to and processed in the US.

For transfers from the EEA and UK, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, and on the EU-US Data Privacy Framework where our subprocessors are certified. We will execute a Data Processing Addendum incorporating the SCCs on request — email legal@hookrescue.com.

We will tell you before changing the hosting region in a way that affects where customer data lives.

Data retention

  • Webhook payloads, headers, delivery attempts. Retained for the window your plan allows. During private beta, the default is 14 days from receipt. After the window expires, the row is hard-deleted, not soft-deleted. Plan tiers post-beta will configure longer windows.
  • DLQ entries. Retained on the same schedule as the underlying payload, unless you resolve them sooner.
  • Audit log. Minimum 12 months, regardless of webhook retention. This is so we can answer "who replayed what, when" after the underlying payload is gone.
  • Account data. Kept while your account is active. After cancellation, we retain account metadata for 30 days to support reactivation, then delete it. You can request immediate deletion at cancellation time.
  • Backups. Heroku Postgres takes routine backups. Backup snapshots roll off on Heroku's schedule (typically up to 30 days). Deletion requests are honored from primary storage immediately and from backups as snapshots cycle out.
  • Export. At any time you can export every event we hold for your account as NDJSON from the dashboard or via API.

Security

  • Encryption in transit. All connections to HookRescue use TLS 1.2 or higher. Webhook forwards to your endpoint use TLS unless you have explicitly configured an HTTP target.
  • Encryption at rest. Sensitive columns — including per-source signing secrets and Shopify API credentials — are encrypted with AES-GCM via Rails 7.1 ActiveRecord encryption. Disk-level encryption is provided by Heroku Postgres.
  • HMAC verification. We verify the X-Shopify-Hmac-Sha256 header on inbound webhooks before persisting and forwarding. We then re-sign outbound forwards with your per-source secret so your backend can verify the request came from HookRescue.
  • Access control. Access to production data is limited to engineering staff who need it for incident response or support. Access is logged. We follow the principle of least privilege.
  • Secrets management. Per-source secrets are decrypted only in-memory at signing time and are never logged.
  • Audit. SOC 2 Type II is on the roadmap once private beta concludes; we will update this section when the audit begins.
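The verify-then-re-sign flow described under "HMAC verification" and "Per-source signing secrets", as an added illustration written for this page; it is not HookRescue's own code. It assumes Shopify's documented scheme for X-Shopify-Hmac-Sha256 (base64 of an HMAC-SHA256 over the raw request body, keyed with the app's client secret), and it assumes a hypothetical outbound header name and constructed placeholder secrets. The point it makes beyond the bullet text is that verification must run over the raw bytes and use a constant-time comparison, and that a forward signed with the per-source secret does not verify under any other key.

```python
import base64
import hashlib
import hmac

# Constructed placeholders. In the real service these values live in encrypted
# columns and are decrypted only in-process at signing time (see "Secrets management").
SHOPIFY_APP_SECRET = b"constructed-shopify-app-secret"   # assumption: the Shopify app's client secret
PER_SOURCE_SECRET = b"constructed-per-source-secret"     # assumption: the secret the customer controls
OUTBOUND_HEADER = "X-HookRescue-Hmac-Sha256"             # assumption: hypothetical header name


def b64_hmac_sha256(key: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, base64-encoded (Shopify's documented format)."""
    return base64.b64encode(hmac.new(key, raw_body, hashlib.sha256).digest()).decode("ascii")


def _header(headers: dict, name: str):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def verify_inbound(raw_body: bytes, headers: dict, app_secret: bytes) -> bool:
    """Check X-Shopify-Hmac-Sha256 before anything is persisted or forwarded.

    Two details matter for security: the MAC is computed over the raw body bytes,
    not a re-serialized JSON object, and the comparison is constant-time so a
    forged request cannot be refined byte by byte from response timing.
    """
    presented = _header(headers, "X-Shopify-Hmac-Sha256")
    if presented is None:
        return False
    expected = b64_hmac_sha256(app_secret, raw_body)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def sign_outbound(raw_body: bytes, source_secret: bytes) -> dict:
    """Re-sign the unchanged body with the per-source secret for the customer's backend."""
    return {OUTBOUND_HEADER: b64_hmac_sha256(source_secret, raw_body)}


def verify_outbound(raw_body: bytes, headers: dict, source_secret: bytes) -> bool:
    """What the customer's backend runs: same scheme, keyed with the per-source secret."""
    presented = _header(headers, OUTBOUND_HEADER)
    if presented is None:
        return False
    expected = b64_hmac_sha256(source_secret, raw_body)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def forward_if_valid(raw_body: bytes, headers: dict,
                     app_secret: bytes = SHOPIFY_APP_SECRET,
                     source_secret: bytes = PER_SOURCE_SECRET):
    """Gate: reject unverifiable inbound webhooks; otherwise return the outbound headers.

    Returns None when the inbound signature does not verify, so nothing downstream
    (persistence, retry queue, forward) ever sees an unauthenticated payload.
    """
    if not verify_inbound(raw_body, headers, app_secret):
        return None
    return sign_outbound(raw_body, source_secret)


if __name__ == "__main__":
    # Constructed sample webhook body; the bytes are what Shopify would have sent.
    body = b'{"id": 1001, "email": "shopper@example.invalid"}'
    inbound = {"X-Shopify-Hmac-Sha256": b64_hmac_sha256(SHOPIFY_APP_SECRET, body)}
    out = forward_if_valid(body, inbound)
    print("inbound verified, outbound headers:", out)
    # Re-serializing the JSON (here: adding a trailing space) changes the bytes and breaks the MAC.
    print("altered body verifies:", verify_inbound(body + b" ", inbound, SHOPIFY_APP_SECRET))
```

The customer-side check in `verify_outbound` is the mirror image of the inbound one; a backend that verifies the forwarded request with the per-source secret knows it came through the proxy, and rotating that secret (an audited action per the "Audit log" section) invalidates every signature produced with the old one.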

If you believe you have found a vulnerability, please email security@hookrescue.com. We will not pursue legal action against good-faith security research that respects user privacy and gives us reasonable time to remediate.

Your rights

Depending on where you are, you have some or all of the following rights over personal data we hold about you:

  • Access — a copy of what we have
  • Rectification — correction of inaccurate data
  • Deletion — removal of your data, subject to legal retention obligations
  • Portability — export in a machine-readable format (NDJSON is available from the dashboard)
  • Objection / restriction — to certain processing based on legitimate interest
  • Opt out of sale or sharing — not applicable, because we do neither
  • Limit use of sensitive personal information — under CPRA; not applicable in the same way because we do not use sensitive PI for inferential or advertising purposes

These rights are recognized under the EU GDPR, UK GDPR, California CCPA/CPRA, Brazil's LGPD, and Canada's PIPEDA. The exact scope depends on your jurisdiction.

To exercise any of these rights, email privacy@hookrescue.com from the address on your account, or open a request from the dashboard. We will respond within 30 days for GDPR/UK GDPR/LGPD/PIPEDA requests and within 45 days for CCPA/CPRA requests, with one extension permitted by law where applicable.

For data your customers (the end shoppers whose data appears in webhook payloads) want to exercise rights over, you are the controller — please direct them to your own process. We will support you in fulfilling those requests as your processor.

We will not retaliate against you for exercising any of these rights. EU and UK customers have the right to lodge a complaint with their local supervisory authority; for GDPR, our DPO contact is legal@hookrescue.com.

Children

HookRescue is a B2B developer tool. It is not directed at, marketed to, or intended for use by children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has created an account, email privacy@hookrescue.com and we will delete it.

Cookies and tracking

The dashboard sets a single first-party session cookie used to keep you signed in. We do not embed third-party analytics, advertising pixels, or cross-site trackers. Cloudflare may set short-lived cookies for bot mitigation and edge security; these do not leave the hookrescue.com origin and are not used for advertising.

We do not share dashboard usage data with anyone outside the subprocessors listed above.

Changes to this policy

If we make material changes — new subprocessors that handle customer payload data, changes to retention windows that shorten what you've already paid for, changes to where data is hosted — we will notify account owners by email and via a banner in the dashboard at least 30 days before the change takes effect. Non-material changes (typo fixes, clarifications, contact address updates) take effect when posted, and the "Last updated" date at the top of this page will reflect that.

The current version of this policy is always available at https://hookrescue.com/privacy.

Contact

Privacy questions, data subject requests, and DPA requests: privacy@hookrescue.com

Data Protection Officer and EU/UK representative inquiries: legal@hookrescue.com

Security disclosures: security@hookrescue.com

General support: support@hookrescue.com

We aim to respond to privacy email within 5 business days, and always within the statutory deadlines described under "Your rights."