Skip to main content
Legal

Privacy Policy

How Hook0 collects, uses, and protects your personal data, in compliance with GDPR Article 13.

Last updated: June 27, 2026

1. Data Controller

The data controller responsible for processing your personal data in connection with the Hook0 service is:

FGRibreau SARL, a French limited liability company (Societe a Responsabilite Limitee) with a share capital of 2,000 EUR, registered with the Trade and Companies Register of La Roche-sur-Yon under number 850 824 350, VAT FR27850824350, with its registered office at 3 rue de l'Aubepine, 85110 Chantonnay, France.
Director of publication: David Sferruzza.
Privacy contact: [email protected]

Hook0 is a 100% B2B SaaS platform. We do not intentionally collect data from individuals acting in a personal capacity.

2. Purposes and Legal Bases

The following table sets out each processing activity, the data involved, and the legal basis under Article 6 GDPR.

Purpose Data categories Legal basis (Art. 6 GDPR)
Service provision
Account creation, authentication, API access, webhook delivery
Email address, name, API keys, webhook payloads, IP address, usage logs Art. 6(1)(b) - Performance of a contract
Billing and payment
Subscription management, invoicing, tax records
Name, email, billing address, payment instrument data (processed by Stripe), subscription history Art. 6(1)(b) - Performance of a contract
Art. 6(1)(c) - Legal obligation (French fiscal law, 10-year retention)
Website analytics
Understanding how visitors use our site via Matomo (self-hosted)
Anonymised IP address, pages visited, referrer, device type, session duration Art. 6(1)(a) - Consent (cookie banner)
Conversion tracking (server-side)
Google Ads conversion measurement, server-side via the click identifier (gclid) only. No email, no IP, no User-Agent transmitted to Google. Right to object at [email protected].
Click identifier (gclid), pseudonymous identifier issued by Google during the ad click Art. 6(1)(f) - Legitimate interests (measuring advertising ROI)
Right to object: Art. 21(2) GDPR
Customer support, live chat
Crisp widget (loaded only after consent)
Name, email, chat messages, browser metadata Art. 6(1)(a) - Consent
Customer support, email
Handling support requests sent to [email protected] or [email protected]
Name, email, content of exchanges Art. 6(1)(f) - Legitimate interests (responding to customer requests)
Security and monitoring
Error tracking, uptime monitoring, DDoS protection, incident response
IP address, error stack traces, request metadata, uptime check results Art. 6(1)(f) - Legitimate interests (ensuring service integrity and security)
Commercial communications
Product updates, release notes, newsletters
Email address, first name Art. 6(1)(a) - Consent

3. Categories of Personal Data

  • Identity data: first name, last name, professional email address
  • Account data: username, encrypted password, API keys
  • Payment data: billing address, last 4 digits of card and expiry date (Stripe stores full card data, Hook0 never has access to full card numbers)
  • Technical data: IP address, browser user-agent, connection timestamps, error logs
  • Usage data: webhook events sent and received, API call volume, feature usage metrics
  • Communications: content of support exchanges, chat transcripts

Hook0 does not process special categories of personal data (Article 9 GDPR) and does not perform automated decision-making or profiling with legal or similarly significant effects.

4. Recipients and Subprocessors

We share data with our subprocessors strictly as needed to provide the Service. The complete and up-to-date list is maintained at /gdpr-subprocessors. A summary is provided below.

Infrastructure

Subprocessor Country Purpose
Clever Cloud SAS France (EU) Database, API, web application hosting
Cloudflare, Inc. USA DNS and DDoS protection

Service operation

Subprocessor Country Purpose
Clever Cloud SAS France (EU) Workers calling webhook subscription endpoints
Scaleway SAS France (EU) Private dedicated workers (selected plans)
Stripe, Inc. USA Subscription and payment management
Brevo (Sendinblue) France (EU) Automated transactional emails
Postmark (ActiveCampaign) USA Automated transactional emails
BetterUptime Czech Republic (EU) Uptime monitoring and status page
Sentry, Inc. USA Application error tracking
Crisp France (EU) Customer support chat (consent-gated)
Google LLC (Gmail) USA Support inbox

Marketing measurement (legitimate interest, server-side)

Subprocessor Country Purpose
Google LLC (Google Ads) USA Server-side conversion measurement (gclid only). See Section 9b.

Analytics (consent-gated)

Service Country Purpose
Matomo (self-hosted on matomo.hook0.com) France (EU) Website analytics

A Data Processing Agreement (DPA) is in place with each subprocessor. For transfers outside the EU, see Section 5.

5. Transfers Outside the European Union

Several subprocessors are established in the United States: Cloudflare, Stripe, Postmark, Sentry, Gmail (Google), and Google Ads. These transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and a documented Transfer Impact Assessment, and where applicable by the EU-US Data Privacy Framework (Cloudflare, Stripe and Google LLC are DPF-certified). Together these mechanisms provide an adequate level of protection for personal data.

CLOUD Act notice: US-established providers may be subject to the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which may allow US authorities to require access to data held by those providers, even when stored outside the US. Hook0 applies a data minimisation approach and limits the personal data shared with US-based subprocessors to what is strictly necessary.

6. Retention Periods

Data category Retention period Justification
Account data Duration of the contract + 30 days after account deletion Contractual necessity; 30-day grace period to allow data export
Billing and invoicing records 10 years from the date of the transaction Legal obligation, French General Tax Code, Art. L102 B of the Tax Procedures Book
Webhook event logs Developer 7 days, Startup 14 days, Pro 30 days, Enterprise custom Service delivery; configurable per subscription plan
Website analytics (Matomo) 25 months CNIL recommendation for analytics data
Support communications 3 years from the last exchange Legitimate interests; statutory limitation period for contractual claims
Consent records 5 years from the date of consent Ability to demonstrate compliance (Art. 7(1) GDPR)
Server logs 30 days minimum, then automatic rotation and deletion Service operation, security and incident response

7. Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15), obtain a copy of the personal data we hold about you
  • Right to rectification (Art. 16), correct inaccurate or incomplete data
  • Right to erasure (Art. 17), request deletion of your data, subject to legal retention obligations
  • Right to restriction (Art. 18), request that we restrict processing in certain circumstances
  • Right to data portability (Art. 20), receive your data in a structured, machine-readable format, where processing is based on consent or contract
  • Right to object (Art. 21), object to processing based on legitimate interests or for direct marketing purposes
  • Right to withdraw consent (Art. 7(3)), withdraw consent at any time without affecting the lawfulness of prior processing
To exercise any of these rights, send a request to [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.

8. Right to Lodge a Complaint with the CNIL

If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the French data protection authority:

Commission Nationale de l'Informatique et des Libertes (CNIL)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr

You may also contact any EU supervisory authority in the Member State of your habitual residence or place of work.

9. Cookies and Trackers

Hook0 uses a consent management mechanism on its website. The following services are only loaded after you have given explicit consent:

  • Matomo Analytics (self-hosted), website usage analytics, anonymised by default
  • Crisp, live chat widget
  • hook0_gclid cookie (Domain .hook0.com, 30-day TTL), bridges the Google Ads click identifier between www.hook0.com and app.hook0.com so a deferred signup can still be attributed. Set only after consent and only when an ad click brought you here. Cleared when consent is withdrawn. See Section 9b for details.

Your consent on www.hook0.com covers all hook0.com subdomains (including app.hook0.com). Consent preferences are stored in localStorage with a validity of 13 months, in line with CNIL guidelines. You can change your preferences at any time:

9b. Server-Side Conversion Measurement (Google Ads)

When you reach our service by clicking on a Google Ads advertisement, Google Ads automatically appends a click identifier ("gclid") to the destination URL. This gclid is forwarded to our backend during your account creation and uploaded server-side to Google Ads to measure the effectiveness of our advertising campaigns.

  • Purpose: measure cost-per-acquisition of our paid campaigns to allocate marketing budget.
  • Legal basis: Art. 6(1)(f) GDPR, legitimate interests. Documented balance test available on request.
  • Data transmitted to Google: gclid, conversion type, conversion date/time. No email, IP address, or User-Agent is transmitted to Google in this context.
  • Joint Controller: Google LLC, under the Customer Data Processing Terms (Art. 26 GDPR). Transfer to the USA is governed by Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework (Google LLC is DPF-certified).
  • Retention: the gclid is processed in memory during the registration HTTP request and is not persisted in our databases after transmission to Google Ads.
  • Right to object (Art. 21(2) GDPR): you may object to this processing at any time by emailing [email protected]. We will mark your account so the gclid is not transmitted to Google Ads. Your registration is not affected.

Note: this server-side measurement does not rely on cookies, gtag.js, or any client-side tracker. Article 82 of the French Data Protection Act (transposing Article 5(3) of the e-Privacy Directive) does not apply to this processing.

10. Security

Hook0 implements appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These include encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security reviews.

Details of our security practices are available on our Security page.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours (Art. 33 GDPR) and affected individuals without undue delay where required (Art. 34 GDPR). If you discover a potential data exposure, please report it immediately to [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email to the address associated with your account or by a prominent notice on the website at least 30 days before the change takes effect.