Privacy Policy

Privacy Policy

Last updated: February 23, 2026

Version: 6.1

1. Information We Collect

We collect information you provide directly to us, such as when you create a profile, participate in events, or contact us for support. This may include:

• Name and contact information
• Profile information and photos
• Event participation data
• Communication preferences
• Age and gender identity (for matching purposes)
• Interests and preferences

OAuth Authentication

Account Creation: Hooked uses OAuth authentication via Google Sign-In, Apple Sign-In, or Facebook Login. When you sign in, we collect your email address from your chosen authentication provider.

Persistent User Accounts: Your user account persists across events and includes your email address, display name (which you can customize), and lifetime analytics. While your account is persistent, event-specific profiles (photos, bio, matches, messages) are automatically deleted 24-48 hours after each event expires.

Single Event Rule: You can only participate in one event at a time. To join a new event, you must leave your current event first.

Account Deletion: You can delete your entire account (including all user data and analytics) through Settings → Delete Account or by contacting us at contact@hooked-app.com.

User Analytics

Lifetime Statistics: We maintain lifetime analytics for your user account to improve platform efficiency and provide better admin dashboard functionality. These analytics include:

• Events Joined: List of event IDs you've participated in
• Total Events Count: Number of events you've joined
• Total Matches Count: Lifetime number of matches
• Total Messages Sent: Lifetime message count
• Total Likes Given: Lifetime likes count

Purpose: These analytics help us understand user engagement, improve our matching algorithms, and provide efficient user management in our admin dashboard (reducing database queries by 75%).

Retention: User analytics persist with your account until you delete your account. They are not deleted when event profiles are removed.

Privacy: Analytics are stored as numerical counts only. Individual match details, message content, and profile information are still deleted 24-48 hours after each event expires.

Biometric Data Processing

Facial Recognition Data: We perform temporary facial analysis for profile photo validation purposes only. AWS Rekognition processes facial features to detect face presence and count, but this facial data is not stored or retained after validation completes.

Device Permissions

We request the following device permissions to provide our services:

• Camera: For taking profile photos
• Photo Library: For selecting existing photos from your device
• Push Notifications: For receiving match and message notifications
• Network Access: For app functionality
• Microphone (Optional): For voice-to-text bio dictation. Audio is processed by your device's built-in speech recognition service (Apple Speech Framework on iOS, Google Speech Services on Android). Audio may be sent to Apple or Google servers depending on your device settings. This is handled by your device's operating system, not by Hooked directly

You can revoke these permissions at any time through your device settings. Some features may not work without required permissions.

Newsletter Subscriptions

If you subscribe to our newsletter via the website footer, we collect your email address. You can unsubscribe at any time via the link in each newsletter email. Unsubscribing marks your subscription as inactive; your email is retained for unsubscribe compliance purposes.

Contact Form Data

If you submit our contact form, we collect: full name, email address, phone number (optional), message, referral source, and SMS consent preference. This data is stored for business development purposes and protected by reCAPTCHA (see Third-Party Services section).

Bug Reports

If you submit a bug report through the app, we collect: device model, operating system, app version, screen name, bug description, and steps to reproduce. Bug reports are linked to your user ID for follow-up purposes.

Email Communication Preferences (Event Organizers)

Default Email Setting: When you create an event organizer account, your email preferences are set to receive all communications by default. This includes:

• Event updates and important notifications
• Event summaries and analytics
• Product updates and new features
• Promotional content and marketing emails

Managing Your Preferences: You can change your email preferences at any time through Settings in your organizer dashboard. Options include: receiving all emails, event-related emails only, or no promotional emails.

Payment and Billing Data (Event Organizers)

When event organizers purchase event tiers or upgrade capacity, we collect and process billing-related data:

• Billing Orders: We store transaction records including amount, currency (USD or ILS), payment status, and order type (event creation, tier upgrade, or auto-upgrade)
• Payment Method Metadata: Credit/debit card details (card number, CVV, expiry) are collected and processed directly by our payment processor (Stripe) and are NOT stored in our database. We only store a tokenized reference to the payment method
• Saved Payment Methods: If you opt in to automatic tier upgrades, a tokenized reference to your payment method is stored on your organizer account to enable future automatic charges. You can remove saved payment methods at any time
• Discount Codes: If you use a promotional discount code, we record the code used and discount amount for billing accuracy
• Receipts: Digital receipt URLs are stored for your billing history
• Refund Records: If you request a refund, we store the refund request, eligibility calculation, amount, and processing status
• Dispute Records: In the event of a payment dispute or chargeback, we store dispute details including amount, reason, status, and resolution for compliance purposes

Payment Processor: All payments are processed exclusively by Stripe, Inc., regardless of event country or currency (USD, ILS, EUR, GBP). Stripe handles all credit/debit card payments, Apple Pay, Google Pay, refunds, and saved payment methods. For events held in Israel, we additionally use Green Invoice solely to generate Israeli tax-compliant documents (tax receipts and credit notes) — Green Invoice does not process payments or store card details. See the Third-Party Services section for details on each service's privacy practices.

Location Data and GPS Verification

Location Services: We may request access to your device's location to provide location-based features:

• Venue Discovery: If you grant location permission, your approximate location is used to show nearby venues on the discovery map. Location data is processed locally on your device and is not stored in our database
• Country Detection: We use reverse geocoding to detect your country for timezone and display purposes. Country information is cached locally on your device for up to 24 hours
• Event GPS Verification: Some events may require location verification to confirm you are physically present at the event venue. When enabled by the event organizer, the app may periodically check your location against the event venue to verify attendance. For events with continuous GPS verification, your GPS coordinates are transmitted to our servers and temporarily stored on your event profile for attendance verification. This location data is deleted along with your event profile within 24-48 hours after the event expires. You will be informed when an event requires GPS verification before joining

Your Control: Location permissions are optional and can be revoked at any time through your device settings. Some events that require GPS verification may not be joinable without location permission.

2. How We Use Your Information

We use the information we collect to:

• Provide and maintain our services
• Facilitate connections at events
• Send you important updates and notifications
• Improve our platform and user experience
• Ensure the security of our services
• Provide customer support
• Comply with legal obligations
• Enforce our single-event participation policy (users can only participate in one event at a time)
• Validate profile photos for safety and community standards
• Process payments and billing for event organizers
• Verify physical attendance at GPS-enforced events

2.1 Content Moderation

We use automated systems and manual review to:

• Monitor profile photos for compliance with community standards
• Detect inappropriate, explicit, or harmful content
• Ensure user safety and platform integrity
• Remove content that violates our Terms of Service

Users can report violations, and we investigate all reports within 24-48 hours.

2.2 Admin Access and Moderation

Platform Administration: Authorized administrators (moderators and super admins) may access your data for:

• Investigating reports of harassment, abuse, or Terms of Service violations
• Providing customer support and resolving account issues
• Ensuring platform safety and community standards
• Compliance with legal obligations (subpoenas, court orders)

Access Controls:

• All admin access requires justification and is logged in our audit system
• Email and phone numbers are masked by default
• Admins must provide a reason (Investigation, User Support, Legal, or Other) before viewing personally identifiable information (PII)
• PII access is logged with: admin ID, timestamp, justification reason, and notes
• Super admins can view audit logs of all admin actions

Admin Roles:

• Viewers: Can view user profiles but cannot take moderation actions
• Moderators: Can view profiles, access messages with justification, and take moderation actions (kick, suspend, ban)
• Super Admins: Full access including audit logs, GDPR data exports, and all moderation tools

Data Export and Evidence Packs:

• Moderators can generate evidence packs (profile + messages + reports) for investigations
• Super admins can export complete user data for GDPR compliance requests
• All exports and evidence pack generations are logged in our audit system

Your Rights:

• You can request a copy of your audit log to see who accessed your data
• You can contest admin decisions through our appeal process (contact@hooked-app.com)
• Admin access is limited to legitimate business purposes only

3. Data Retention and Deletion

Event Data

User Profiles: All user profiles, photos, and personal information are automatically deleted within 24-48 hours after the event expires. Our automated cleanup system runs at regular intervals to remove expired event data.

Chat Messages: All chat messages and conversations are permanently deleted within 24-48 hours after the event expires.

Match Data: Like/match information is deleted within 24-48 hours after the event expires.

Technical Deletion Process: Our primary cleanup system removes event data within 24-48 hours after expiration. Additionally, we maintain a Time-To-Live (TTL) backup mechanism that automatically removes any remaining data within 72 hours as a failsafe measure.

Leave Event Data Retention

When You Leave an Event Early: If you choose to leave an event before it expires (via Settings → Leave Event), your profile becomes hidden from other users immediately, but your data is preserved until the event expires.

Data Preserved: Your matches, messages, and profile information remain stored (but hidden) until the event expires. If you rejoin the same event, your matches and conversations can be restored.

Automatic Deletion: All event data (profiles, matches, messages) is permanently deleted within 24-48 hours after the event expires, regardless of whether you left early or stayed until the end.

Joining New Events: You can join a different event immediately after leaving, even though your old event data is still stored. Your old profile remains hidden and will be deleted when that event expires.

User Account Data Retention

Distinction Between User Accounts and Event Profiles: It's important to understand the difference between your user account and your event-specific profiles:

• User Account (Persistent): Your user account includes your email address, authentication provider (Google/Apple/Facebook), display name, and lifetime analytics. This account persists across events and is NOT automatically deleted.
• Event Profiles (Temporary): Each time you join an event, you create an event-specific profile with photos, bio, matches, and messages. These event profiles are automatically deleted 24-48 hours after the event expires.

User Account Retention Period: Your user account (email, provider, display name, lifetime analytics) persists indefinitely until you manually delete your account. You can delete your account at any time through:

• App Settings → Delete Account
• Email request to contact@hooked-app.com
• GDPR/CCPA data deletion request

What is Deleted with Your User Account: When you delete your user account, we permanently delete:

• Email address and authentication provider
• Display name and preferences
• Lifetime analytics (events joined, total matches count, etc.)
• Any active event profiles
• Audit logs of admin access to your data (retained only as legally required)

Account Deletion Timeline: Account deletion requests are processed within 30 days (GDPR) or 45 days (CCPA). Audit logs may be retained for up to 2 years as required by GDPR Article 30 (Records of Processing Activities) even after account deletion.

Analytics Preservation

Anonymous Event Snapshots: Before deleting event data, we create anonymous statistical snapshots for business analytics purposes. These snapshots contain only aggregated counts and statistics (e.g., total number of users, total likes, total messages, total matches) without any personally identifiable information (PII).

What is Preserved: Only numerical counts and event metadata (event name, date, location) are preserved. No user names, photos, messages, profile information, or any data that could identify individual users is included in these snapshots.

K-Anonymity Protection: We enforce k-anonymity requirements to ensure snapshots cannot be used to identify individuals. Events with very small participant counts may not have snapshots created to protect user privacy.

Purpose: These anonymous snapshots help us understand platform usage, improve our services, and provide event organizers with high-level analytics about event success.

Backup and Recovery Data

Backup Retention: Any backup copies of event data are retained for a maximum of 7 days for disaster recovery purposes, after which they are permanently deleted.

System Logs: Technical logs and system data are retained for up to 30 days for security and debugging purposes.

Audit Logs: Admin action logs (moderation actions, PII access requests, evidence pack generation) are retained for 2 years minimum for compliance with GDPR Article 30 (Records of Processing Activities) and regulatory requirements.

Analytics and Usage Data

Aggregated Analytics: Anonymous, aggregated usage statistics are retained for up to 2 years to improve our services. This data cannot be used to identify individual users.

Performance Metrics: App performance and error data are retained for up to 90 days for service improvement.

Admin and Business Data

Event Information: Event details, locations, and administrative information are retained for up to 3 years for business records and legal compliance.

Client Information: Business client contact information and event history are retained for up to 5 years for business relationship management.

Admin Accounts: Administrator account information is retained until the account is deleted or the administrator requests deletion.

Survey and Event Feedback Data

Post-Event Surveys: If you complete a post-event survey, your responses (ratings, improvement suggestions, NPS scores) persist after event cleanup for service improvement purposes.

On Account Deletion: Survey data is anonymized (your user ID is replaced with "deleted_user") rather than fully deleted, to preserve aggregate feedback quality.

Terms Acceptance Records

Records of your acceptance of our Terms of Service and Privacy Policy (including timestamp, version accepted, IP address, and browser user agent) are retained for legal compliance purposes, even after account deletion.

Moderation Records

If you are removed from an event (kicked, suspended, or banned), the record of this action is retained for platform safety and abuse prevention purposes. These records persist even after account deletion to prevent repeat abuse.

Evidence Packs

Evidence packs generated by administrators during investigations (containing profile data, messages, and reports) are stored in our secure cloud storage. These are not automatically deleted when you delete your account but may be removed upon request, subject to legal retention requirements.

Billing and Payment Data

Billing Orders: Payment transaction records (amount, currency, status, receipt URLs) are retained for up to 7 years as required by financial record-keeping regulations.

Refund Records: Refund requests and processing records are retained alongside the associated billing order for the same period.

Dispute Records: Payment dispute and chargeback records are retained for up to 7 years for compliance with financial regulations and dispute resolution.

Saved Payment Methods: Tokenized payment method references are retained until the organizer removes them or deletes their account. Actual card details are stored by Stripe according to their retention policy.

Legal Compliance and Data Retention

Legal Requirements: We may retain certain data for longer periods when required by law, regulation, or legal proceedings.

GDPR Compliance: Under GDPR, you have the right to request deletion of your personal data. We will process deletion requests within 30 days.

CCPA Compliance: California residents have the right to know what personal information is collected and request deletion. We will respond to CCPA requests within 45 days.

Data Subject Rights: You may request information about your data, request corrections, or request deletion by contacting us at contact@hooked-app.com.

4. Information Sharing

We do not sell, trade, or otherwise transfer your personal information to third parties except:

• With your explicit consent
• To comply with legal obligations
• To protect our rights and safety
• With service providers who assist in our operations (see Third-Party Services section)

SMS/Text Messaging Data: All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

5. Data Security

We implement appropriate security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes:

• SSL/TLS encryption for all data transmission
• Encryption of data at rest
• Regular security audits and assessments
• Access controls and authentication measures
• Secure data centers and infrastructure

6. Your Rights

You have the right to:

• Access your personal information
• Correct inaccurate information
• Request deletion of your data
• Opt out of certain communications
• Lodge a complaint with supervisory authorities
• Data portability (receive your data in a structured format)
• Object to processing of your data
• Contest automated decisions and request human review

6.1 Automated Decision-Making

We use automated decision-making technology powered by AWS Rekognition to analyze profile photos for content moderation purposes. This includes:

• Face Detection: AI determines whether a photo contains exactly one clearly visible face
• Content Moderation: AI analyzes photos for inappropriate content including explicit material, violence, hate symbols, and drugs
• Rejection Reasons: Photos may be automatically rejected for no face detected, multiple faces, low quality, or inappropriate content

Your Rights: You have the right to contest automated photo rejections and request human review. These automated decisions do not produce legal or similarly significant effects. You may resubmit photos or contact support at contact@hooked-app.com to appeal a decision.

7. Cookies and Tracking

We use cookies and similar technologies to improve your experience, analyze usage, and provide personalized content. You can control cookie settings through your browser.

8. Third-Party Services and Data Processors

Our app uses the following third-party services to provide our functionality. Each service has its own privacy policy and data handling practices:

AWS Rekognition (Amazon Web Services)

We use AWS Rekognition for automated photo validation and content moderation:

• Face Detection: Analyzing photos to detect and count faces
• Content Moderation: Detecting inappropriate content (explicit material, violence, hate symbols, drugs)
• Real-Time Processing: Photos analyzed in real-time and not stored by AWS
• Data Transmission: Photos temporarily sent to AWS servers for analysis only

AWS privacy policy can be found at: https://aws.amazon.com/privacy/

Firebase (Google LLC)

We use Firebase services for:

• Firebase Authentication: Processing OAuth tokens and managing user sessions
• Firestore Database: Storage of event data, user profiles, and messages
• Cloud Storage: Storage of user profile photos
• Cloud Functions: Backend processing and automation
• Firebase Crashlytics: Collecting crash reports including device model, OS version, app version, stack traces, and user ID for debugging purposes
• Firebase Performance Monitoring: Collecting app startup times, HTTP request durations, and custom performance traces
• Firebase Analytics: Logging app usage events (screen views, profile interactions, match events, message events) for service improvement

Firebase's privacy policy can be found at: https://firebase.google.com/support/privacy

Google Analytics 4 (Google LLC)

We use Google Analytics for website analytics:

• Page Analytics: Tracking page views and user engagement
• Event Tracking: Monitoring user interactions and conversions
• User Behavior: Understanding how users navigate our website
• IP Anonymization: IP addresses are anonymized for privacy protection

Google's privacy policy can be found at: https://policies.google.com/privacy

Sentry (Functional Software, Inc.)

We use Sentry for:

• Error Monitoring: Tracking and fixing app crashes and errors
• Performance Monitoring: Monitoring app performance and user experience
• Session Replay: When an app error occurs, a screen recording of the error session may be captured and sent to Sentry for debugging. Session replay is only triggered on errors, not during normal app usage
• Data Included with Error Reports: Error reports may include your IP address, device information, and app state at the time of the error

Sentry's privacy policy can be found at: https://sentry.io/privacy/

OneSignal (OneSignal, Inc.)

We use OneSignal for push notifications:

• Push Notifications: Sending match and message alerts to your device
• Device Tokens: OneSignal manages device tokens automatically
• Multi-Device Support: Notifications delivered to all your logged-in devices
• Data Transmission: User ID and notification content sent to OneSignal servers

OneSignal's privacy policy: https://onesignal.com/privacy_policy

Development Environment: App ID 5d2b0d34-1602-4edc-890c-82b243b1f9a0
Production Environment: App ID a1c6aaa8-916d-4950-b1ae-25c147f54015

Expo (Expo, Inc.)

We use Expo services for:

• App Development: Cross-platform app development framework
• Image Picker: Camera and photo library access
• Over-the-Air Updates: The app checks Expo's EAS Update servers for code updates. Device information, app version, and runtime version are sent to Expo's servers during update checks

Expo's privacy policy can be found at: https://expo.dev/privacy

Google Places API (Google LLC)

We use Google Places API for city autocomplete on our EventForm page:

• City Selection: Autocomplete suggestions when event organizers enter city names
• Data Transmission: City search queries sent to Google servers
• No Personal Data: Only city names are processed; no user identification data is sent

Google's privacy policy can be found at: https://policies.google.com/privacy

Stripe (Stripe, Inc.)

We use Stripe as our exclusive payment processor for all transactions globally, regardless of event country or currency:

• Payment Processing: Processing all credit/debit card payments, Apple Pay, and Google Pay for event creation and tier upgrades
• Multi-Currency Support: USD, ILS, EUR, and GBP
• Tax Calculation: Stripe Tax for automatic tax computation where applicable
• Card Storage: Securely storing payment method tokens for automatic tier upgrades (if opted in by the organizer)
• Refund Processing: Handling all refund transactions to original payment methods
• Data Collected by Stripe: Card details, billing address, IP address, and device information are collected directly by Stripe and subject to their privacy policy

Stripe's privacy policy can be found at: https://stripe.com/privacy

Green Invoice (Greeninvoice Ltd.)

We use Green Invoice solely for generating Israeli tax-compliant documents for events held in Israel. Green Invoice does NOT process payments or store card details:

• Tax Receipt Generation: Creating Type 320 tax receipts for Israeli event payments (triggered automatically after Stripe processes the payment)
• Credit Note Generation: Creating Type 330 credit notes for refunds on Israeli events
• Data Transmitted to Green Invoice: Transaction details only (amount, currency, description, and event information) — no card numbers, CVVs, or payment method details are sent to Green Invoice
• No Payment Processing: All payments are processed by Stripe. Green Invoice receives only the information needed to generate tax-compliant documents

Green Invoice's privacy policy can be found at: https://www.greeninvoice.co.il/privacy-policy

Mapbox (Mapbox, Inc.)

We use Mapbox for the venue discovery map feature:

• Map Rendering: Displaying interactive maps showing venues and events near you
• Location Processing: If location permission is granted, your approximate position is sent to Mapbox for map centering
• Venue Display: Rendering venue locations and event markers on the map

Mapbox's privacy policy can be found at: https://www.mapbox.com/legal/privacy

SendGrid (Twilio Inc.)

We use SendGrid for transactional email delivery:

• Organizer Notifications: Sending event creation confirmations, payment receipts, and upgrade notifications
• Refund Notifications: Communicating refund approvals and processing updates
• Account Alerts: Delivering important account-related communications
• Data Transmitted: Recipient email address, email content, and delivery metadata

Twilio's privacy policy can be found at: https://www.twilio.com/en-us/legal/privacy

Google reCAPTCHA (Google LLC)

We use Google reCAPTCHA v2 and v3 on our website forms (contact form, partner inquiry, organizer application) to protect against automated abuse and spam:

• Bot Detection: reCAPTCHA analyzes user behavior patterns and browser signals to distinguish humans from bots
• Data Processed: Browser fingerprint data, interaction patterns, cookies, and IP address are processed by Google
• No Personal Form Data: Your form content (name, email, message) is not sent to reCAPTCHA — only behavioral signals

Google's privacy policy: https://policies.google.com/privacy. reCAPTCHA terms: https://policies.google.com/terms

Vercel (Vercel Inc.)

We use Vercel to host our website (hooked-app.com):

• Website Hosting: All website requests are processed through Vercel's infrastructure, including IP addresses and request metadata
• IP Geolocation: We use Vercel's IP geolocation to detect your country for locale and language preferences

Vercel's privacy policy can be found at: https://vercel.com/legal/privacy-policy

Firebase App Check (Google LLC)

We use Firebase App Check to verify that requests to our services come from our genuine app:

• iOS: Uses Apple's App Attest to verify device integrity
• Android: Uses Google Play Integrity API to verify device integrity
• No Personal Data: Device attestation tokens are sent to Apple or Google respectively, but no personal data is included — only device integrity verification

TinyURL (TinyURL, LLC)

Event organizers can generate shortened URLs for sharing event promotion links. The full event promotion URL is sent to TinyURL for shortening. No personal user data is included in the URLs.

TinyURL's privacy policy can be found at: https://tinyurl.com/app/privacy

Google Gmail SMTP (Google LLC)

We use Gmail's SMTP service as a secondary email delivery channel for bug reports, user reports, and venue suggestions submitted through the app. Data transmitted includes sender/recipient email addresses and email content.

Google's privacy policy can be found at: https://policies.google.com/privacy

OAuth Authentication Providers

Hooked uses OAuth authentication via third-party providers. When you sign in, we receive your email address from your chosen provider:

• Google Sign-In (Google LLC): OAuth authentication and email collection. Privacy policy: https://policies.google.com/privacy
• Apple Sign-In (Apple Inc.): OAuth authentication and email collection. Privacy policy: https://www.apple.com/legal/privacy/
• Facebook Login (Meta Platforms, Inc.): OAuth authentication and email collection. Privacy policy: https://www.facebook.com/privacy/policy/

Data Collected: We only collect your email address from these providers. We do not access your contacts, friends lists, or other social media data.

Account Linking: Your Hooked account is linked to your chosen OAuth provider. You can delete your Hooked account at any time, which does not affect your provider account.

Data Processing Agreements

We have data processing agreements with these third-party services to ensure they handle your data in compliance with applicable privacy laws and our privacy standards.

Third-Party Websites

Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

9. Children's Privacy

Our services are not intended for children under 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure that such transfers comply with applicable data protection laws and that your data receives adequate protection.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on our website and updating the "Last updated" date. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us at:

13. Administrator Accountability and Transparency

We maintain a comprehensive audit system to ensure accountability for all administrative actions involving your personal data.

Audit Trail

Every administrative action is logged with the following information:

• Admin Identity: Email and role of the admin who performed the action
• Action Type: Type of action (view PII, access messages, kick, suspend, ban, export data)
• Timestamp: Exact date and time of the action
• User Affected: The user whose data was accessed or affected
• Justification: Required reason code (Investigation, User Support, Legal, Other)
• Notes: Detailed explanation provided by the admin

Data Access Logging

When an admin accesses your personally identifiable information (PII), we log:

• Email Access: Viewing your email address (normally masked)
• Phone Access: Viewing your phone number (normally masked)
• Message Access: Viewing your private conversations
• Evidence Pack Generation: Exporting your profile, messages, and reports
• GDPR Export: Exporting your complete data for compliance requests

Your Audit Rights

You have the right to:

• Request Your Audit Log: See who accessed your data, when, and why
• Challenge Access: Contest admin actions you believe were unjustified
• Appeal Decisions: Appeal moderation decisions through contact@hooked-app.com
• File Complaints: Report concerns to data protection authorities

Legal Basis for Admin Access

We process your data for administrative purposes under the following legal bases (GDPR Article 6):

• Legitimate Interest (Article 6(1)(f)): Platform safety, fraud prevention, and community standards enforcement
• Legal Obligation (Article 6(1)(c)): Compliance with court orders, subpoenas, and regulatory requirements
• Contract Performance (Article 6(1)(b)): Providing customer support and resolving account issues

Audit Log Retention

All audit logs are retained for a minimum of 2 years as required by GDPR Article 30 (Records of Processing Activities). This ensures we can demonstrate compliance and provide you with your access history upon request.

14. Privacy Policy Version History