Privacy Policy

1. Who we are

This Privacy Policy explains how HOOKEM AI (PTY) LTD(“Hookem”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards your personal information when you use the Hookem mobile application, the website at hookem.ai, and related services (collectively, the “Service”).

Hookem is the responsible party under South Africa’s Protection of Personal Information Act, 4 of 2013 (“POPIA”) and the data controller under the EU and UK General Data Protection Regulation (“GDPR”).

For privacy questions or to exercise your rights, contact our Information Officer at privacy@hookem.ai. Our postal address is in section 16.

2. Scope of this policy

This policy applies to the Hookem mobile app (iOS and Android), the Hookem website, and our API. It does not apply to third-party services or websites that we link to or that integrate with the Service. Those third parties have their own privacy policies, and we recommend you review them.

3. Information we collect

3.1 Account information

When you create an account, we collect your email address and authentication credentials. We do not store passwords in plain text; authentication is handled through a trusted third-party authentication provider.

3.2 Content you submit

You submit Instagram video URLs to the Service so we can analyse them. We store the URLs you submit and associate them with your account.

3.3 Content we fetch on your behalf

When you submit an Instagram video URL, we fetch the following on your behalf from Instagram’s publicly accessible sources:

• The video file itself
• Publicly visible engagement metadata (like count, comment count, share count)
• A sample of publicly visible top comments

We do not access private Instagram accounts, direct messages, or content that is not publicly available. We do not collect information about the original poster beyond what is publicly displayed on Instagram and reasonably necessary to analyse the hook.

3.4 Processed content

We generate and store the following artefacts from content you submit:

• An automated transcript of the video’s audio
• Sampled still frames extracted from the video, used for visual analysis
• AI-generated structured analysis of the video’s hook
• Text embeddings used to power semantic search of your library

3.5 Subscription and usage data

We maintain records of your subscription tier, credit balance, analyses performed, and chat interactions with the AI assistant for the purpose of providing and billing the Service.

3.6 Device and technical data

When you use the mobile app or website, we automatically collect technical data including device type, operating system version, app version, IP address, crash logs, and diagnostic information.

3.7 Payment information

Payments are processed by Stripe. We do not see, store, or process your full card number, CVV, or other payment credentials. We receive from Stripe only the information necessary to operate your subscription (such as the payment event, last four digits of the card, and billing country).

3.8 Communications

If you contact us by email, we retain your message and our response for support, audit, and legal purposes.

3.9 Cookies and local storage

We use functional browser storage (cookies and similar technologies) to keep you signed in and to remember basic preferences. We do not use advertising, tracking, or behavioural-profiling cookies.

4. How we use your information

We use your information for the following purposes:

• To provide the Service: authenticate you, run the analysis pipeline, display your hook library, power search and chat features.
• To process payments: manage subscriptions, credit balances, and billing events via Stripe.
• To communicate with you: send transactional messages about your account, subscription, or support requests.
• To improve the Service: debug errors, measure aggregate usage patterns, and improve reliability and performance.
• To prevent fraud and abuse: detect misuse, enforce our Terms, and comply with legal obligations.
• To comply with law: respond to lawful requests, enforce our rights, and meet regulatory obligations.

5. Legal bases for processing

Under POPIA and GDPR, we process your personal information on one or more of the following legal bases:

• Performance of a contract: to deliver the Service you signed up for.
• Legitimate interests: to secure, improve, and operate the Service, prevent fraud, and communicate with you about your account. These interests are balanced against your rights and freedoms.
• Consent: where we ask for it (e.g. optional features that process additional data).
• Legal obligation: where processing is required to comply with applicable law.

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

6. AI processing

The Service relies on artificial intelligence to transcribe videos, analyse hooks, and generate chat responses. The content you submit and the artefacts we generate are sent to third-party AI and machine learning providers for processing (see section 7).

These providers process your data on our instructions to deliver the Service. We have contractual arrangements with each provider to prevent them from using your content to train their own foundational models except where strictly necessary to operate their services.

AI-generated analyses are probabilistic. They are insights, not facts, and may contain errors or omissions. Do not rely on them as professional, legal, medical, financial, or other regulated advice.

7. Service providers we work with

We use trusted third-party service providers to deliver the Service. Each provider processes your information on our instructions and is contractually required to maintain protections at least equivalent to those described in this policy. We describe them below by category.

We do not sell your personal information, and we do not share it for cross-context behavioural advertising.

If you need the specific identities of our current subprocessors — for example, for a due-diligence review or a data processing agreement — contact privacy@hookem.ai and we will provide them.

8. International data transfers

Because we use service providers located outside South Africa, your personal information may be transferred to, stored in, and processed in countries including the United States and the European Union. When we transfer personal information out of South Africa, the UK, or the European Economic Area, we rely on appropriate safeguards permitted by POPIA and GDPR, including standard contractual clauses and adequacy decisions where applicable.

9. Data retention

We retain personal information for as long as necessary to provide the Service and for the purposes set out in this policy. Specifically:

• Account data — when you request account deletion your account is deactivated immediately and permanently deleted after a 30-day grace period. During the grace period you can sign back in to cancel. Data deleted includes your Instagram connection, profile data, sync history, chat threads, projects, and usage logs.
• Hook analyses — permanently deleted along with all associated video files, thumbnails, and engagement data.
• Submitted video files — permanently deleted when your account is deleted.
• Billing records — retained for the period required by applicable tax and accounting law (typically at least 5 years in South Africa).
• Error logs and diagnostics — retained for up to 90 days.
• Communications — retained for up to 3 years for audit and support purposes.

10. Data security

We use industry-standard technical and organisational measures to protect your personal information, including encryption in transit (TLS), encryption at rest where supported by the underlying service, role-based access controls, and time-limited access tokens for video retrieval.

No method of transmission or storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security.

If we become aware of a data breach that affects your personal information, we will notify you and the relevant regulator (the Information Regulator of South Africa and, where applicable, EU supervisory authorities) as required by law.

11. Your rights

Depending on where you live, you have specific rights over your personal information. We honour these rights globally to the extent permitted by law.

11.1 Rights under POPIA (South Africa)

• Right to confirm whether we hold your personal information
• Right of access to your personal information
• Right to correction or deletion of inaccurate, outdated, or unlawfully obtained information
• Right to object to processing
• Right to object to direct marketing
• Right to lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za

11.2 Rights under GDPR / UK GDPR

• Right of access
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to restriction of processing
• Right to data portability
• Right to object to processing based on legitimate interests or direct marketing
• Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects
• Right to lodge a complaint with a supervisory authority in your country of residence

11.3 Rights under CCPA / CPRA (California residents)

• Right to know what categories of personal information we collect and how we use and disclose it
• Right to request a copy of the specific personal information we have collected
• Right to request deletion of your personal information
• Right to correct inaccurate personal information
• Right to limit our use of sensitive personal information
• Right not to be discriminated against for exercising your rights

We do not sell or share personal information as defined by the CCPA. We have not sold or shared personal information in the preceding 12 months.

12. How to exercise your rights

To exercise any of the rights above, email privacy@hookem.ai. We will respond within 30 days (or within the timeframe required by applicable law, whichever is shorter). We may need to verify your identity before actioning your request.

You may also authorise an agent to make a request on your behalf, subject to us being able to verify their authority.

13. Account deletion

You can delete your Hookem account at any time:

• In the mobile app: Settings → Delete account.
• On the web: account deletion is managed through the mobile app settings.

When you request deletion your account is deactivated immediately and enters a 30-day grace period. Sign back in at any time within 30 days to cancel. After 30 days deletion is permanent and cannot be reversed.

What happens on permanent deletion:

• Deleted: your Instagram connection and profile data, chat threads and conversation history, projects, usage logs, your email address, and your authentication credentials.
• Deleted: hook analyses you submitted, including all associated video files, thumbnails, and engagement data.
• Retained by law: billing records are kept for the period required by applicable tax and accounting law (typically at least 5 years in South Africa).
• Cancelled: any active subscription is cancelled and unused credits are forfeited.

After deletion your email address is released and can be used to create a new Hookem account. Your previous data will not be restored.

14. Children’s privacy

The Service is intended for users aged 16 and older. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with personal information, please contact privacy@hookem.ai and we will take steps to delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Effective date” at the top of this page. For material changes, we will notify you by email or through a prominent notice in the Service before the change takes effect.

16. Contact us

Questions, requests, or concerns about this policy or our handling of your personal information can be directed to:

HOOKEM AI (PTY) LTD
Information Officer
11 Gail Road, Sandton, 2196, South Africa
privacy@hookem.ai