So I guess the story here is: if you use Postman for anything sensitive, don't use an account as well, as the sync feature can no longer be disabled.
It's also worth pointing out that AFAICT Insomnia's equivalent feature may be more secure though I haven't dug into it: it sounds like all that data is encrypted by the client and not recoverable by the Insomnia team if you lose your password.
Update: This post is just a reminder that Postman collects your request data only when you're signed in. So please be aware of GDPR or similar legal requirements in your region.
Later I found out that they have a sync feature, so it is probably why they need to collect and store request data if you're signed in. This is just a reminder for those who are unaware of it, not saying that Postman is hiding anything about it.
This is their reply when I contacted them earlier asking if they collect HTTP request payload:
Thank you for writing in. Sure - If you do not create an account or use Postman without signing in then we will not collect any of the data. We will only store the actual requests that are sent when the user signs into the application. That said - the data is encrypted in rest and in transit using industry best standard encryption algorithms. Hope this clarifies!
Under "Information you provide to us":
Content you provide through our products: The Services include the Postman products you use, where we collect and store content that you post, send, receive and share. This content includes any information about you that you may choose to include: we collect feedback you provide directly to us through the product and we collect clickstream data about how you interact with and use features in the Services.
Like I said in my other post, I don't use Postman. Your HN post reads like they are doing this without your permission and secretly: akin to, say, finding out that Facebook records your microphone to sell you ads or whatever. This is what I am reacting to, that they are doing it without your permission.
So what actually is going on, then, is that Postman has a feature that you don't have to use, that you know about, that you know requires it to store request / response data, and it is doing just that.
I'm not saying that they are hiding, but I believe most people saw this page and felt Postman does not collect request data under any circumstances. It felt like a sudden twist of story after I contacted them and realized they have the sync feature. If I did not contact them then I would not have known they do collect request data when the user is signed in.
I had a feeling of a twist just because initially I found https://support.getpostman.com/hc/en-us/articles/203815791-W... which gave me the impression that they do not collect payload under any circumstances.
I would hope that they add a clarification in that page because if I did not contact them then I would not have known about the sync feature and also would not have thought anything about the GDPR issue. This is just a reminder note, not saying that Postman is hiding about it.