Webhook Trader

Privacy Policy

Last updated: 2026-05-20

This policy explains what data Webhook Trader (the “Service”) collects, why, and what we do with it.

What we collect

  • Account data - your email address and a hashed password. We never store your password in plain text.
  • Exchange API keys - the keys you connect for each broker. These are encrypted at rest with a key that is held separately from the database and only decrypted in memory for the instant it takes to place an order.
  • Webhook configurations - the names, default symbols, default sizes, and secret tokens for the webhooks you create.
  • Order history - for every order placed via the Service we keep the action, symbol, quantity, status, and any error message returned by the exchange.
  • Aggregate usage analytics - pageviews, referrers, and Core Web Vitals provided by Vercel Web Analytics and Vercel Speed Insights. These are aggregated and do not include personal identifiers.
  • Session cookies - a signed cookie used to keep you logged in. No third-party tracking cookies are set.

What we do not collect

  • We do not collect names, addresses, or phone numbers.
  • We do not collect payment information.
  • We do not sell your data to anyone, ever.

How we use it

Your data is used exclusively to:

  • Authenticate you when you log in.
  • Forward orders to the exchanges you have connected, on your behalf, when your webhooks fire.
  • Show you a history of orders placed on your account.
  • Communicate with you about your account (security notices, service updates).

Service providers

We rely on the following third parties to operate the Service:

  • Vercel - hosting and analytics.
  • Neon - encrypted Postgres database storage.
  • Your chosen exchange (Binance, Bybit, OKX, Coinbase, Kraken, KuCoin) - we send orders to their API on your behalf.

Data retention

We keep account data and order history for as long as your account is active. You may delete a broker connection or a webhook at any time. To request full account deletion, contact us at the address below.

Security

Passwords are hashed with bcrypt. Exchange API keys are encrypted with AES-256 using a key stored separately from the database. Transport is TLS-only. No system is perfectly secure; you can minimise risk by giving your exchange API keys trading permissions only, never withdrawal permissions.

Your rights

You can request a copy of your data, correction of inaccuracies, or deletion of your account at any time by emailing the address below. If you are in the EEA or UK, you have additional rights under the GDPR including the right to object to processing and to lodge a complaint with a supervisory authority.

Contact

Privacy questions can be sent to homer.isaak@gmail.com.