I've contacted them earlier and they admitted that they collect the HTTP payload that you send and receive with it and it is stated in their privacy policy. You probably shouldn't be using it to test API with credentials or sensitive data because it might be a GDPR or other legal violation in your region.
So then, if you create a postman account so that you can sync data between different computers you use, it will do exactly that, including request and response history.
If you don't create a postman account it doesn't do that.
They are NOT collecting your payloads unless you ask them to, and they are NOT doing it secretly as might be implied by the phrasing OP used with "they admitted".
I would hope that they add a clarification on that page because if I had not contacted them then I would not have known about the sync feature and also would not have thought anything about the GDPR issue. This is just a reminder note, not saying that Postman is hiding it.
So I guess the story here is: if you use postman for anything sensitive don't use an account as well, as the sync feature can no longer be disabled.
It's also worth pointing out that AFAICT Insomnia's equivalent feature may be more secure though I haven't dug into it: it sounds like all that data is encrypted by the client and not recoverable by the Insomnia team if you lose your password.
This is their reply when I contacted them earlier asking if they collect HTTP request payload:
Thank you for writing in. Sure - If you do not create an account or use Postman without signing in then we will not collect any of the data. We will only store the actual requests that are sent when the user signs into the application. That said - the data is encrypted at rest and in transit using industry best standard encryption algorithms. Hope this clarifies!
Under "Information you provide to us":
Content you provide through our products: The Services include the Postman products you use, where we collect and store content that you post, send, receive and share. This content includes any information about you that you may choose to include: we collect feedback you provide directly to us through the product and we collect clickstream data about how you interact with and use features in the Services.
Like I said in my other post, I don't use Postman. Your HN post reads like they are doing this without your permission and secretly: akin to, say, finding out that Facebook records your microphone to sell you ads or whatever. This is what I am reacting to, that they are doing it without your permission.
So what actually is going on then, is that postman has a feature that you don't have to use, that you know about, that you know requires it stores request / response data, and it is doing just that.
I'm not saying that they are hiding it, but I believe most people saw this page and felt Postman does not collect request data under any circumstances. It felt like a sudden twist of the story after I contacted them and realized they have the sync feature. If I had not contacted them then I would not have known they do collect request data when the user is signed in.
I've been trying to reproduce this since I saw this post without any luck. The only data I see going out is generic usage data (when you have the "anonymous usage data" enabled) - however I'm not logged into Postman.
I suspect it only sends data to their server if you are logged in so you can use functionality such as "sync between devices", which kind of makes sense.
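One way to check what a desktop tool like this actually sends home, as an added example that is not part of the original thread or of any Postman code: capture its outbound traffic with an intercepting proxy, export the capture as a HAR file, and scan every request for credentials or other sensitive fields, grouped by destination host. Requests carrying your API credentials to a host you did not intend (a vendor sync or telemetry endpoint rather than the API under test) are the ones to look at. The HAR content and the hostnames below are constructed placeholders, not real Postman endpoints.

```python
import json
from urllib.parse import urlparse

# Constructed sample HAR (HTTP Archive) capture, in the shape produced by an
# intercepting proxy or browser devtools "Save as HAR". Hostnames are
# placeholders invented for this example.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "POST", "url": "https://api.internal.test/login",
                     "headers": [{"name": "Authorization", "value": "Bearer abc123"}],
                     "postData": {"text": "{\"password\": \"hunter2\"}"}}},
        {"request": {"method": "POST", "url": "https://sync.vendor.test/v1/history",
                     "headers": [{"name": "Content-Type", "value": "application/json"}],
                     "postData": {"text": "{\"request\": {\"headers\": "
                                          "{\"Authorization\": \"Bearer abc123\"}}}"}}},
        {"request": {"method": "POST", "url": "https://telemetry.vendor.test/events",
                     "headers": [],
                     "postData": {"text": "{\"event\": \"app_open\"}"}}},
    ]}
})

# Header names and body substrings that indicate credentials or secrets.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}
SENSITIVE_BODY_KEYS = ("password", "secret", "token", "authorization")


def sensitive_markers(entry):
    """Return the set of sensitive markers found in one HAR request entry."""
    req = entry["request"]
    found = set()
    for header in req.get("headers", []):
        if header["name"].lower() in SENSITIVE_HEADERS:
            found.add("header:" + header["name"].lower())
    body = (req.get("postData") or {}).get("text", "") or ""
    lowered = body.lower()
    for key in SENSITIVE_BODY_KEYS:
        if key in lowered:
            found.add("body:" + key)
    return found


def audit_har(har_text, intended_hosts):
    """Group requests carrying sensitive data by host.

    intended_hosts: the hosts you meant to send credentials to (the API under
    test). Any other host that receives a sensitive marker is flagged as
    unexpected, which is exactly the case of a signed-in sync or telemetry
    upload that contains your request history.
    """
    har = json.loads(har_text)
    report = {}
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname
        markers = sensitive_markers(entry)
        if not markers:
            continue
        record = report.setdefault(
            host, {"unexpected": host not in intended_hosts, "markers": set()})
        record["markers"] |= markers
    return report


if __name__ == "__main__":
    for host, record in audit_har(SAMPLE_HAR, {"api.internal.test"}).items():
        flag = "UNEXPECTED" if record["unexpected"] else "expected"
        print(f"{host}: {flag} {sorted(record['markers'])}")
```

In the constructed capture the login request to the intended API carries a bearer token and a password, which is expected, while the sync upload to a vendor host contains a copy of that bearer token inside the stored request history and is flagged; the telemetry event carries nothing sensitive and is not reported. Run the same audit on a real capture taken once signed in and once signed out to confirm the behaviour the thread describes.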
Yeah, I'm going to need some evidence of this one.
I don't use Postman, but it's the default name in this space, and if they were actually keeping and collecting all requests passed through it that would kill it as a product instantly.
Update: This post is just a reminder that Postman collects your request data only when you're signed in. So please be aware of GDPR or similar legal requirements in your region.
Later I found out that they have a sync feature, so that is probably why they need to collect and store request data if you're signed in. This is just a reminder for those who are unaware of it, not saying that Postman is hiding anything about it.
https://learning.postman.com/docs/postman/launching-postman/...
It's also worth mentioning it sounds like Insomnia has the exact same feature: https://support.insomnia.rest/category/31-cloud-account