Privacy Policy

Last updated: April 7, 2026

ThunderHooks ("we", "our", or "us") is operated from Kenya and is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our webhook management, monitoring, and API testing platform.

1. Information We Collect

Information You Provide

• Account Information: Email address and password when you register, or profile information provided through OAuth sign-in
• Payment Information: Processed securely through Lemon Squeezy; we do not store credit card numbers
• Webhook Capture Data: HTTP requests sent to your ThunderHooks endpoints for inspection and debugging, including headers, body content, query parameters, and metadata
• Webhook Relay Configuration: Forwarding rules you configure to route incoming webhooks to your local or remote destinations
• Outbound Delivery Data: Webhook payloads you send through ThunderHooks to your customers' endpoints, including destination URLs, headers, body content, and delivery status
• Uptime Monitoring Configuration: URLs, check intervals, and alert settings for endpoints you monitor
• Heartbeat Monitoring Configuration: Expected check-in schedules and alert settings for your cron jobs and background processes
• API Test Definitions: Request configurations, assertions, and test results for your API testing workflows
• Status Page Configuration: Service names, descriptions, and component groupings you configure for your public status pages
• Customer Portal Settings: Portal configuration and tokens you create for embedding endpoint management into your own applications

Information Collected Automatically

• Usage Data: Pages visited, features used, timestamps
• Device Information: Browser type, operating system, IP address
• Analytics Data: Anonymized usage statistics collected through Google Analytics (see Section 8)
• Cookies: Session cookies for authentication, security, and preferences

2. How We Use Your Information

We use collected information to:

• Provide and maintain the ThunderHooks service, including webhook capture, inspection, replay, relay, and outbound delivery
• Operate uptime monitoring, heartbeat monitoring, and API testing on your behalf
• Host public status pages displaying the health of your configured services
• Facilitate customer portal access for your end customers' endpoint management
• Process transactions and send related information
• Send administrative emails (service updates, security alerts)
• Respond to customer support requests
• Analyze usage to improve our service
• Detect and prevent fraud or abuse

Legal Bases for Processing (GDPR):

• Contract Performance: Processing necessary to provide the service you signed up for
• Legitimate Interests: Analytics, security, and service improvement
• Consent: Marketing communications and analytics cookies (where applicable)

3. Data Retention

• Account Data: Retained while your account is active, deleted within 30 days of account deletion
• Webhook Capture Data: Retained according to your plan (7-365 days), then automatically purged
• Outbound Delivery Logs: Webhook payloads sent via outbound delivery are processed and stored temporarily for delivery logging and retry purposes, then purged according to your plan's retention period
• Monitoring & API Test Data: Check results, heartbeat logs, and API test history are retained according to your plan's retention period, then automatically purged
• Status Page History: Incident and uptime history retained according to your plan's retention period
• Payment Records: Retained for 7 years for legal/tax compliance

4. Data Sharing

We do not sell your personal information. We share data only with:

• Service Providers: As listed in the subprocessors table below
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In connection with a merger or acquisition

Subprocessors

Provider	Purpose	Location
Lemon Squeezy	Payment processing	USA
Turso	Database hosting	EU/USA
Resend	Transactional email	EU
Google Analytics	Usage analytics	USA
LightningPDFs VPS	Application hosting	Kenya

5. Your Rights (GDPR & CCPA)

You have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a portable format
• Object: Object to processing based on legitimate interests
• Withdraw Consent: Where processing is based on consent

To exercise these rights, email connect@munyala.pro or use the account deletion feature in Settings.

Response Time: We respond to all requests within 30 days.

6. Data Security

We implement appropriate technical and organizational measures:

• HTTPS encryption for all data in transit
• Encrypted database storage
• Regular security audits
• Access controls and authentication
• Automatic session expiration
• CSRF protection on all state-changing operations

7. International Transfers

ThunderHooks is operated from Kenya. If you are located in the EU/EEA or other regions with data protection laws, your data may be transferred to and processed in Kenya and the United States where our infrastructure providers operate. We ensure appropriate safeguards through:

• Standard Contractual Clauses (SCCs) where applicable
• Data Processing Agreements with subprocessors
• Compliance with the Kenya Data Protection Act, 2019

8. Cookies

We use the following categories of cookies:

Essential Cookies

These cookies are necessary for the service to function and cannot be disabled:

• Authentication: Session tokens for maintaining your logged-in state
• CSRF Protection: Tokens to prevent cross-site request forgery attacks
• Dark Mode Preference: Storing your selected theme preference

Analytics Cookies

We use Google Analytics (measurement ID: G-KK7HFJTF6Z) to collect anonymized usage statistics. This helps us understand how visitors interact with the service so we can improve it. Google Analytics may set cookies to distinguish users and throttle request rates. Data collected through Google Analytics is anonymized and aggregated.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on or by disabling cookies in your browser settings.

We do not use advertising or third-party tracking cookies.

Managing Cookies: You can disable cookies in your browser settings, but disabling essential cookies may affect service functionality.

9. Customer Portal Data

ThunderHooks allows users to create customer portal tokens that grant limited access to endpoint management features. Portal tokens provide your end customers with the ability to manage webhook endpoints without requiring a ThunderHooks account. Data accessed or modified through portal tokens is governed by the same retention and security policies described in this Privacy Policy. You are responsible for communicating your own privacy practices to your end customers who access the portal.

10. Children's Privacy

ThunderHooks is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us for removal.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or service notification. Continued use after changes constitutes acceptance.

12. Governing Law

This Privacy Policy is governed by the laws of Kenya, including the Kenya Data Protection Act, 2019. We also comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) where applicable.

13. Contact Us

For privacy-related questions or to exercise your rights:

• Email: connect@munyala.pro
• GitHub: github.com/meaLuda

14. Data Protection Officer

For EU residents with unresolved concerns, you may contact your local Data Protection Authority.