Privacy Policy
How Hook0 collects, uses, and protects your personal data, in compliance with GDPR Article 13.
1. Data Controller
The data controller responsible for processing your personal data in connection with the Hook0 service is:
Director of publication: David Sferruzza.
Privacy contact: [email protected]
Hook0 is a 100% B2B SaaS platform. We do not intentionally collect data from individuals acting in a personal capacity.
2. Purposes and Legal Bases
The following table sets out each processing activity, the data involved, and the legal basis under Article 6 GDPR.
| Purpose | Data categories | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Service provision Account creation, authentication, API access, webhook delivery |
Email address, name, API keys, webhook payloads, IP address, usage logs | Art. 6(1)(b) - Performance of a contract |
| Billing and payment Subscription management, invoicing, tax records |
Name, email, billing address, payment instrument data (processed by Stripe), subscription history | Art. 6(1)(b) - Performance of a contract Art. 6(1)(c) - Legal obligation (French fiscal law, 10-year retention) |
| Website analytics Understanding how visitors use our site via Matomo (self-hosted) |
Anonymised IP address, pages visited, referrer, device type, session duration | Art. 6(1)(a) - Consent (cookie banner) |
| Conversion tracking (server-side) Google Ads conversion measurement, server-side via the click identifier (gclid) only. No email, no IP, no User-Agent transmitted to Google. Right to object at [email protected]. |
Click identifier (gclid), pseudonymous identifier issued by Google during the ad click | Art. 6(1)(f) - Legitimate interests (measuring advertising ROI) Right to object: Art. 21(2) GDPR |
| Customer support, live chat Crisp widget (loaded only after consent) |
Name, email, chat messages, browser metadata | Art. 6(1)(a) - Consent |
| Customer support, email Handling support requests sent to [email protected] or [email protected] |
Name, email, content of exchanges | Art. 6(1)(f) - Legitimate interests (responding to customer requests) |
| Security and monitoring Error tracking, uptime monitoring, DDoS protection, incident response |
IP address, error stack traces, request metadata, uptime check results | Art. 6(1)(f) - Legitimate interests (ensuring service integrity and security) |
| Commercial communications Product updates, release notes, newsletters |
Email address, first name | Art. 6(1)(a) - Consent |
3. Categories of Personal Data
-
Identity data: first name, last name, professional email address
-
Account data: username, encrypted password, API keys
-
Payment data: billing address, last 4 digits of card and expiry date (Stripe stores full card data, Hook0 never has access to full card numbers)
-
Technical data: IP address, browser user-agent, connection timestamps, error logs
-
Usage data: webhook events sent and received, API call volume, feature usage metrics
-
Communications: content of support exchanges, chat transcripts
Hook0 does not process special categories of personal data (Article 9 GDPR) and does not perform automated decision-making or profiling with legal or similarly significant effects.
4. Recipients and Subprocessors
We share data with our subprocessors strictly as needed to provide the Service. The complete and up-to-date list is maintained at /gdpr-subprocessors. A summary is provided below.
Infrastructure
| Subprocessor | Country | Purpose |
|---|---|---|
| Clever Cloud SAS | France (EU) | Database, API, web application hosting |
| Cloudflare, Inc. | USA | DNS and DDoS protection |
Service operation
| Subprocessor | Country | Purpose |
|---|---|---|
| Clever Cloud SAS | France (EU) | Workers calling webhook subscription endpoints |
| Scaleway SAS | France (EU) | Private dedicated workers (selected plans) |
| Stripe, Inc. | USA | Subscription and payment management |
| Brevo (Sendinblue) | France (EU) | Automated transactional emails |
| Postmark (ActiveCampaign) | USA | Automated transactional emails |
| BetterUptime | Czech Republic (EU) | Uptime monitoring and status page |
| Sentry, Inc. | USA | Application error tracking |
| Crisp | France (EU) | Customer support chat (consent-gated) |
| Google LLC (Gmail) | USA | Support inbox |
Marketing measurement (legitimate interest, server-side)
| Subprocessor | Country | Purpose |
|---|---|---|
| Google LLC (Google Ads) | USA | Server-side conversion measurement (gclid only). See Section 9b. |
Analytics (consent-gated)
| Service | Country | Purpose |
|---|---|---|
| Matomo (self-hosted on matomo.hook0.com) | France (EU) | Website analytics |
A Data Processing Agreement (DPA) is in place with each subprocessor. For transfers outside the EU, see Section 5.
5. Transfers Outside the European Union
Several subprocessors are established in the United States: Cloudflare, Stripe, Postmark, Sentry, Gmail (Google), and Google Ads. These transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and a documented Transfer Impact Assessment, and where applicable by the EU-US Data Privacy Framework (Cloudflare, Stripe and Google LLC are DPF-certified). Together these mechanisms provide an adequate level of protection for personal data.
6. Retention Periods
| Data category | Retention period | Justification |
|---|---|---|
| Account data | Duration of the contract + 30 days after account deletion | Contractual necessity; 30-day grace period to allow data export |
| Billing and invoicing records | 10 years from the date of the transaction | Legal obligation, French General Tax Code, Art. L102 B of the Tax Procedures Book |
| Webhook event logs | Developer 7 days, Startup 14 days, Pro 30 days, Enterprise custom | Service delivery; configurable per subscription plan |
| Website analytics (Matomo) | 25 months | CNIL recommendation for analytics data |
| Support communications | 3 years from the last exchange | Legitimate interests; statutory limitation period for contractual claims |
| Consent records | 5 years from the date of consent | Ability to demonstrate compliance (Art. 7(1) GDPR) |
| Server logs | 30 days minimum, then automatic rotation and deletion | Service operation, security and incident response |
7. Your Rights
Under the GDPR, you have the following rights with respect to your personal data:
-
Right of access (Art. 15), obtain a copy of the personal data we hold about you
-
Right to rectification (Art. 16), correct inaccurate or incomplete data
-
Right to erasure (Art. 17), request deletion of your data, subject to legal retention obligations
-
Right to restriction (Art. 18), request that we restrict processing in certain circumstances
-
Right to data portability (Art. 20), receive your data in a structured, machine-readable format, where processing is based on consent or contract
-
Right to object (Art. 21), object to processing based on legitimate interests or for direct marketing purposes
-
Right to withdraw consent (Art. 7(3)), withdraw consent at any time without affecting the lawfulness of prior processing
8. Right to Lodge a Complaint with the CNIL
If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the French data protection authority:
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr
You may also contact any EU supervisory authority in the Member State of your habitual residence or place of work.
9. Cookies and Trackers
Hook0 uses a consent management mechanism on its website. The following services are only loaded after you have given explicit consent:
-
Matomo Analytics (self-hosted), website usage analytics, anonymised by default
-
Crisp, live chat widget
-
hook0_gclid cookie (Domain
.hook0.com, 30-day TTL), bridges the Google Ads click identifier between www.hook0.com and app.hook0.com so a deferred signup can still be attributed. Set only after consent and only when an ad click brought you here. Cleared when consent is withdrawn. See Section 9b for details.
Your consent on www.hook0.com covers all hook0.com subdomains (including app.hook0.com). Consent preferences are stored in localStorage with a validity of 13 months, in line with CNIL guidelines. You can change your preferences at any time:
9b. Server-Side Conversion Measurement (Google Ads)
When you reach our service by clicking on a Google Ads advertisement, Google Ads automatically appends a click identifier ("gclid") to the destination URL. This gclid is forwarded to our backend during your account creation and uploaded server-side to Google Ads to measure the effectiveness of our advertising campaigns.
-
Purpose: measure cost-per-acquisition of our paid campaigns to allocate marketing budget.
-
Legal basis: Art. 6(1)(f) GDPR, legitimate interests. Documented balance test available on request.
-
Data transmitted to Google: gclid, conversion type, conversion date/time. No email, IP address, or User-Agent is transmitted to Google in this context.
-
Joint Controller: Google LLC, under the Customer Data Processing Terms (Art. 26 GDPR). Transfer to the USA is governed by Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework (Google LLC is DPF-certified).
-
Retention: the gclid is processed in memory during the registration HTTP request and is not persisted in our databases after transmission to Google Ads.
-
Right to object (Art. 21(2) GDPR): you may object to this processing at any time by emailing [email protected]. We will mark your account so the gclid is not transmitted to Google Ads. Your registration is not affected.
Note: this server-side measurement does not rely on cookies, gtag.js, or any client-side tracker. Article 82 of the French Data Protection Act (transposing Article 5(3) of the e-Privacy Directive) does not apply to this processing.
10. Security
Hook0 implements appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These include encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security reviews.
Details of our security practices are available on our Security page.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours (Art. 33 GDPR) and affected individuals without undue delay where required (Art. 34 GDPR). If you discover a potential data exposure, please report it immediately to [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email to the address associated with your account or by a prominent notice on the website at least 30 days before the change takes effect.