Privacy Policy
This policy covers the hosted Odyhook service at odyhook.dev (“Path 2”). If you self-host Odyhook(“Path 1”), your webhook data never touches our infrastructure and this policy does not apply — you are your own data controller.
Last updated: 7 June 2026.
Who we are
The hosted Odyhook instance is operated by an individual sole operator based in the EU. For any privacy question, data-access request, or deletion request, contact ngkdev93@gmail.com. Security vulnerabilities should instead be reported via our security policy.
What data we collect, and why
| Category | What | Why |
|---|---|---|
| Account | Your email address; if you sign in with GitHub, the name and avatar URL GitHub returns. | To authenticate you and send magic-link / operational email. |
| Webhook payloads | The full body, headers, source IP, and timestamp of every webhook you route through us, stored raw. | To deliver, retry, replay, and let you inspect events — the core function of the product. |
| Delivery metadata | Destination URLs, response codes, error messages, attempt counts. | To run retries, the circuit breaker, and your dashboards. |
| Secrets (encrypted) | Source signing secrets, destination headers, and your bring-your-own LLM provider key (Anthropic, OpenAI, Google, or OpenRouter). | To verify inbound signatures, authenticate to your destinations, and run AI features as you. Encrypted at rest with AES-256-GCM. |
Personal data in payloads. Webhook payloads frequently contain personal data belonging to your customers (emails, names, IDs). For that data you are the controller and we are your processor; you are responsible for having a lawful basis to send it to us. See our Terms and the DPA note below.
How long we keep it
Account data is kept while your account exists. Webhook events and their deliveries are kept for a retention window you configure per source(default 90 days, maximum 365); a daily purge job permanently deletes events older than that window. You can shorten the window or delete individual sources at any time. Deleting your account removes all of the above (see “Your rights”).
Who we share it with (sub-processors)
Running the service requires a small number of infrastructure providers. Your data may pass through or be stored by each of them for the purpose listed. The current list lives on a dedicated, versioned page:
We do not sell your data, and we do not use it for advertising. A Data Processing Agreement (DPA) is available on request for business users — email the address above.
Cookies
We use only strictly-necessary session cookies (the sign-in session token, a CSRF token, and a callback URL during login). We run no analytics, advertising, or trackingSDKs, so no consent banner is required. A dark-mode preference is stored in your browser’s localStorage, never sent to us.
Your rights
Under the GDPR you have the right to access, export, correct, and erase your personal data. We support these directly:
- Export— download a JSON copy of your account, sources, events, and deliveries from Settings → Account.
- Erasure— delete your account (and all associated data, by database cascade) from the same page.
- Any other request (correction, restriction, complaint) — email ngkdev93@gmail.com. You may also complain to your local data-protection authority.
Where data is stored
Primary storage is a server in Helsinki, Finland (EU). Off-site backups and error traces are processed by the sub-processors listed above, some of which operate globally; see that page for each provider’s role.
Changes
We may update this policy as the service evolves. The “last updated” date above always reflects the current version.