Terms & Conditions

Last updated: April 2026

1. The service

Webhook Debounce ("the service") sits between a webhook source and a target URL, absorbing repeated hits and firing your target once per configured window. The service is provided as-is with no uptime guarantee. Delayed job delivery depends on third-party infrastructure (Upstash QStash) and may be affected by outages outside our control.

2. Your responsibilities

You are responsible for ensuring your use of the service complies with all applicable laws. You must not use the service to relay illegal content, circumvent security systems, or cause harm to third parties. You are responsible for keeping your incoming secret URLs confidential — anyone with the URL can trigger your configured timer.

3. Acceptable use

The service is intended for legitimate webhook orchestration use cases. Abuse, including deliberate flooding of the receive endpoint, attempting to access other users' configs, or using the service to attack third-party systems, will result in immediate account termination.

4. Billing

Paid plans are billed monthly. Cancellation takes effect at the end of the current billing period. We do not offer refunds for partial months. Prices may change with 30 days notice.

5. Limitation of liability

To the maximum extent permitted by law, Webhook Debounce is not liable for any indirect, incidental, or consequential damages arising from use of the service, including missed deploys, delayed webhook delivery, or data loss. Our total liability in any circumstance is limited to the amount you paid us in the 30 days preceding the claim.

6. Changes

We may update these terms at any time. Continued use of the service after changes are posted constitutes acceptance.

Privacy Policy

Last updated: April 2026

What we collect

Your email address (for login and account management)
Webhook configuration data you create (outgoing URLs, settings)
Incoming webhook payloads — temporarily, for forwarding to your target
Outgoing event logs — retained for 24 hours for debugging purposes
Aggregate, anonymous usage data via Google Analytics (page views, feature usage)

Lawful basis for processing

We process your personal data under the following lawful bases:

Contract — your email and configuration data are necessary to provide the service you have signed up for.
Legitimate interests — anonymous analytics data to understand how the service is used and improve it.
Legal obligation — retaining billing records as required by law.

Payload data

Incoming webhook payloads are stored temporarily so they can be forwarded to your target URL. The most recent payload is held until the timer fires, then deleted. Event logs (containing payloads) are automatically purged after 24 hours.

Do not route webhooks containing passwords, private keys, or sensitive personal data through this service.

How we use your data

We use your data solely to provide and improve the service. We do not sell or share your personal data with third parties for advertising purposes. We use Google Analytics to collect anonymous, aggregated data about how visitors use the website — this does not identify you personally.

Data retention

Account data — retained while your account is active, deleted within 30 days of account deletion request.
Webhook event logs — automatically purged after 24 hours.
Billing records — retained for 7 years as required by UK financial regulations.
Analytics data — retained by Google Analytics per their own retention policy (default 14 months).

Third-party data processors

We use the following third-party processors to operate the service. Each acts as a data processor under our instruction and is bound by their own data processing agreements:

Supabase — database and authentication. Data stored on AWS in West EU (Ireland). Privacy policy.
Upstash — job scheduling (QStash). Used to queue delayed webhook delivery. Privacy policy.
Stripe — payment processing. Card data is handled entirely by Stripe and never touches our servers. Privacy policy.
Google Analytics — anonymous usage analytics. Data is anonymised before transmission and does not include personal data. Privacy policy.
Vercel — hosting and edge delivery. May process request metadata (IP addresses, user agents) as part of serving the application. Privacy policy.

We are not responsible for the privacy practices of these third parties. In the event that a third-party processor suffers a data breach, we will notify affected users as required under UK GDPR.

Data breaches

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours where required under UK GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. We maintain security measures including encryption at rest and in transit, access controls, and regular dependency updates to minimise breach risk.

Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Correct inaccurate data
Request deletion of your data ("right to be forgotten")
Restrict or object to processing
Data portability
Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, contact us at . We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.

Cookies

We use the following cookies:

_ga, _ga_* — set by Google Analytics to distinguish users and sessions. These are analytics cookies and persist for up to 2 years.
sb-* (Supabase) — set for authentication session management. These are strictly necessary for the service to function.

You can opt out of Google Analytics cookies by installing the Google Analytics opt-out browser add-on, or by disabling cookies in your browser settings.

Contact

For privacy requests or questions, contact us at .

Cookie preferences

We use analytics cookies (Google Analytics) to understand how the service is used. Strictly necessary cookies for authentication are always active. Learn more