OK top level post to highlight something lower level. sbtmuller (OP) points out this feature:

https://learning.postman.com/docs/postman/launching-postman/...

So then, if you create a postman account so that you can sync data between different computers you use, it will do exactly that, including request and response history.

If you don't create a postman account it doesn't do that.

They are NOT collecting your payloads unless you ask them to, and they are NOT doing it secretly as might be implied by the phrasing OP used with "they admitted".

It's also worth mentioning it sounds like Insomnia has the exact same feature: https://support.insomnia.rest/category/31-cloud-account

My apologies and I should have used a different word and my point is just to remind people that data is synced when signed in.

I had a feeling of a twist just because initially I found https://support.getpostman.com/hc/en-us/articles/203815791-W... which gave me impression that they do not collect payload under any circumstances.

I would hope that they add a clarification in that page because if I did not contact them then I would not have know about the sync feature and also would not have thought anything about GDPR issue. This is just a reminder note, not saying that Postman is hiding about it.

Yah, understandable.

It sounds like they have moved some stuff around recently too, because you can no longer disable sync: https://support.getpostman.com/hc/en-us/articles/203492852-H...

So I guess the story here is: if you use postman for anything sensitive don't use an account as well, as the sync feature can no longer be disabled.

It's also worth pointing out that AFAICT Insomnia's equivalent feature may be more secure though I haven't dug into it: it sounds like all that data is encrypted by the client and not recoverable by the Insomnia team if you lose your password.

Their Privacy Policy would seem to contradict that: https://www.postman.com/licenses/privacy/

As would their help center: https://support.getpostman.com/hc/en-us/articles/203815791-W...

Not saying that negates what you are saying, but some proof would be useful, as it is a pretty serious claim.

This is their reply when I contacted them earlier asking if they collect HTTP request payload:

Thank you for writing in. Sure - If you do not create an account or use Postman without signing in then we will not collect any of the data. We will only store the actual requests that are sent when the user signs into the application. That said - the data is encrypted in rest and in transit using industry best standard encryption algorithms. Hope this clarifies!

https://www.postman.com/licenses/privacy/

Under "Information you provide to us": Content you provide through our products: The Services include the Postman products you use, where we collect and store content that you post, send, receive and share. This content includes any information about you that you may choose to include: we collect feedback you provide directly to us through the product and we collect clickstream data about how you interact with and use features in the Services.

I think you need to read their reply more carefully, because when I read:

> We will only store the actual requests that are sent when the user signs into the application.

It seems obvious to me that they are talking about your request that results from you logging into your postman account, that's why they say:

> If you do not create an account or use Postman without signing in then we will not collect any of the data

They are NOT saying "we record every REST request you generate from postman and send it to our servers".

How are they able to make this feature work if they do not store your request/response data?

https://learning.postman.com/docs/postman/launching-postman/...

Like I said in my other post, I don't use postman. Your HN post reads like they are doing this without your permission and secretly: akin to say, finding out that facebook records your microphone to sell you ads or whatever. This is what I am reacting to, that they are doing it without your permission.

So what actually is going on then, is that postman has a feature that you don't have to use, that you know about, that you know requires it stores request / response data, and it is doing just that.

I'm not saying that they are hiding, but I believe most people saw this page and felt Postman does not collect request data under any circumstances. It felt like a sudden twist of story after I've contacted them and realized they have the sync feature. If I did not contact them then I would not have know they do collect request data when user is signed in.

https://support.getpostman.com/hc/en-us/articles/203815791-W...

I'm surprised to see their claim in that help center post.

"Postman does not track any content of your requests/responses."

That post was 2 years ago, so it's probably outdated.

I've been trying to reproduce this since I saw this post without any luck. The only data I see going out is generic usage data (when you have the "anonymous usage data" enabled) - however I'm not logged into Postman.

I suspect it only sends data to them server if you are logged in so you can use the functionality such as "sync between devices", which kind of makes sense.

See my reply to coderintherye

How about disabling Send anonymous usage data to Postman? Does it still collect HTTP payload that which is sent and received?

Link to privacy policy? Bug report? Statement by Postman devs? Anything to back this up?

See my reply to coderintherye

Yeah I'm going to need to some evidence of this one.

I don't use Postman, but it's the default name in this space, and if they were actually keeping and collecting all requests passed through it that would kill it as a product instantly.

Update: This post is just a reminder that Postman collects your request data only when you're signed in. So please be aware of GDPR or similar legal requirements in your region.

When I first try to find information about it, I did a search and found this: https://support.getpostman.com/hc/en-us/articles/203815791-W...

Later I found out that they have a sync feature, so it is probably why they need to collect and store request data if you're signed in. This is just a reminder for those who are unaware about it, not saying that Postman is hiding anything about it.

https://learning.postman.com/docs/postman/launching-postman/...

Is there an open-source alternative that anyone can recommend?

Insomnia is good.

https://insomnia.rest/

Does Insomniac also do this?