Privacy Policy
Last updated: May 22, 2026
This Privacy Policy explains how HookJolt (“we”, “us”) collects, uses, and protects information about you when you use our service. We comply with Canada's PIPEDA, the EU GDPR for European users, and California's CCPA/CPRA for California residents.
1. Information We Collect
1.1 Account Information
- Email address (from your chosen sign-in provider)
- Firebase user ID (a non-reversible identifier)
- Account creation date
1.2 Generation Data
- Topics, niches, and formats you submit
- Generated hook variations returned to you
- Timestamps, latency, and token-usage metrics (for cost monitoring)
- Events you trigger on hooks (e.g. clicking “copy”)
1.3 Payment Data
We do NOT store credit card numbers, CVVs, or full payment instruments. All payment processing is handled by Stripe. We receive only:
- Stripe customer ID
- Last 4 digits of card (from Stripe, for receipt display)
- Transaction amounts, currency, and status
- Country (for tax purposes)
1.4 Technical Data
- IP address (for rate limiting and abuse prevention)
- Browser and device type (User-Agent)
- Approximate location derived from IP (country/region only)
- Error logs and performance metrics
1.5 Cookies and Similar Technologies
We use:
- Essential cookies for authentication (Firebase session)
- Local storage for theme preference and UI state
- No third-party advertising cookies
- No cross-site tracking pixels
If we add analytics in the future (e.g. PostHog, Plausible), we will update this policy and notify users.
2. How We Use Information
- Provide and operate the Service
- Process payments and credit balances
- Maintain your generation history
- Prevent abuse, fraud, and security violations
- Send transactional emails (receipts, account notices, refund confirmations)
- Improve the Service through aggregate, anonymized analysis of generation patterns and quality
We do NOT:
- Sell your personal information to anyone, ever
- Share your topics or generated hooks with other users
- Use your data to train AI models — Google Cloud's Vertex AI enterprise tier contractually excludes our prompts from being used for model training
3. Legal Basis for Processing (GDPR)
For users in the EU/EEA/UK, we process your data under:
- Contract: providing the Service you signed up for
- Legitimate interest: security, fraud prevention, product improvement
- Consent: for any non-essential processing (we will ask explicitly)
4. Third-Party Subprocessors
Your data passes through these providers in the course of operating the Service:
| Provider | Purpose | Region |
|---|---|---|
| Google Cloud — Cloud Run | API request handling (compute) | us-central1 (Iowa, USA) |
| Google Cloud — Cloud SQL | User accounts, generation history, credit ledger (storage) | northamerica-northeast1 (Montreal, Canada) |
| Google Cloud — Vertex AI / Gemini | AI hook generation (inference) | northamerica-northeast1 (Montreal, Canada) |
| Firebase | Authentication, web hosting | Canada / global |
| Stripe | Payment processing | Global |
| Cloudflare | DNS, CDN | Global |
Each subprocessor is bound by data protection agreements compliant with their respective regulatory frameworks.
5. Data Retention
- Account data: kept while your account is active
- Generation history: kept while your account is active so you can access your past hooks
- Payment records: retained for 7 years for tax and accounting compliance (Canada Revenue Agency requirements)
- Logs and rate-limit data: 90 days
- Deleted accounts: personal data deleted within 30 days of account deletion, except where retention is legally required
6. Your Rights
Depending on your jurisdiction, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data (“right to be forgotten”)
- Export your data in a portable format
- Object to certain processing
- Withdraw consent at any time (where consent is the basis)
- Lodge a complaint with your local data protection authority
To exercise any right, email [email protected] from your account email. We respond within 30 days.
California residents (CCPA/CPRA)
You also have the right to:
- Know what personal information we collect and how we use it (this policy)
- Opt out of “sale” of personal information (we don't sell data)
- Non-discrimination for exercising your rights
7. International Data Transfers
Your data crosses the Canada–US border during normal operation. We're explicit about this because it matters for some users:
- Compute (request handling) runs on Google Cloud Run in us-central1 (Iowa, USA). Each API request — including the data inside it — is processed there for the seconds it takes to complete.
- Data at rest — your account, generation history, and credit ledger — lives in Google Cloud SQL in northamerica-northeast1 (Montreal, Canada).
- AI inference (Vertex AI / Gemini) also runs in northamerica-northeast1 (Montreal, Canada). Your topics and the generated hooks do not leave Canada for inference.
- Stripe, Cloudflare, and some other subprocessors operate globally; the specific region depends on the request.
Google Cloud's standard Data Processing Agreement applies across both regions. For EU/UK users, transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) where applicable, as established by Google Cloud's, Stripe's, and Cloudflare's published data processing agreements.
If single-region Canadian residency is a hard requirement for you, email [email protected] before signing up — we can advise on the current state of our infrastructure and our migration plans.
8. Security
We use industry-standard security practices:
- All data transmitted over HTTPS/TLS 1.2+
- Database access restricted to authenticated services in a private network
- Secrets stored in Google Secret Manager with audit logging
- JWT-based authentication with short-lived tokens
- Rate limiting and abuse detection
No system is perfectly secure. If we become aware of a data breach affecting your information, we will notify you and the appropriate regulators within 72 hours, as required by applicable law.
9. Children's Privacy
HookJolt is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact [email protected] and we will delete it.
10. Changes to This Policy
We may update this policy. We will notify you of material changes by email or in-product notice at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.
11. Contact Us
Privacy questions or requests: [email protected]
HookJolt (Morteza Ebrahimi, sole proprietor)
[MAILING ADDRESS — available on request via [email protected]]
Ontario, Canada
For PIPEDA inquiries, you may also contact the Office of the Privacy Commissioner of Canada: priv.gc.ca