Privacy Policy
Your privacy is important to us. Learn how we protect your data and ensure your information stays secure.
Last updated: November 16, 2025
Version: 5.0
1. Information We Collect
We collect information you provide directly to us, such as when you create a profile, participate in events, or contact us for support. This may include:
- Name and contact information
- Profile information and photos
- Event participation data
- Communication preferences
- Age and gender identity (for matching purposes)
- Interests and preferences
OAuth Authentication
Account Creation: Hooked uses OAuth authentication via Google Sign-In, Apple Sign-In, or Facebook Login. When you sign in, we collect your email address from your chosen authentication provider.
Persistent User Accounts: Your user account persists across events and includes your email address, display name (which you can customize), and lifetime analytics. While your account is persistent, event-specific profiles (photos, bio, matches, messages) are automatically deleted 24-48 hours after each event expires.
Single Event Rule: You can only participate in one event at a time. To join a new event, you must leave your current event first.
Account Deletion: You can delete your entire account (including all user data and analytics) through Settings → Delete Account or by contacting us at contact@hooked-app.com.
User Analytics
Lifetime Statistics: We maintain lifetime analytics for your user account to improve platform efficiency and provide better admin dashboard functionality. These analytics include:
- Events Joined: List of event IDs you've participated in
- Total Events Count: Number of events you've joined
- Total Matches Count: Lifetime number of matches
- Total Messages Sent: Lifetime message count
- Total Likes Given: Lifetime likes count
Purpose: These analytics help us understand user engagement, improve our matching algorithms, and provide efficient user management in our admin dashboard (reducing database queries by 75%).
Retention: User analytics persist with your account until you delete your account. They are not deleted when event profiles are removed.
Privacy: Analytics are stored as numerical counts only. Individual match details, message content, and profile information are still deleted 24-48 hours after each event expires.
Biometric Data Processing
Facial Recognition Data: We perform temporary facial analysis for profile photo validation purposes only. AWS Rekognition processes facial features to detect face presence and count, but this facial data is not stored or retained after validation completes.
Device Permissions
We request the following device permissions to provide our services:
- Camera: For taking profile photos
- Photo Library: For selecting existing photos from your device
- Push Notifications: For receiving match and message notifications
- Network Access: For app functionality
You can revoke these permissions at any time through your device settings. Some features may not work without required permissions.
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain our services
- Facilitate connections at events
- Send you important updates and notifications
- Improve our platform and user experience
- Ensure the security of our services
- Provide customer support
- Comply with legal obligations
- Enforce our single-event participation policy (users can only participate in one event at a time)
- Validate profile photos for safety and community standards
2.1 Content Moderation
We use automated systems and manual review to:
- Monitor profile photos for compliance with community standards
- Detect inappropriate, explicit, or harmful content
- Ensure user safety and platform integrity
- Remove content that violates our Terms of Service
Users can report violations, and we investigate all reports within 24-48 hours.
2.2 Admin Access and Moderation
Platform Administration: Authorized administrators (moderators and super admins) may access your data for:
- Investigating reports of harassment, abuse, or Terms of Service violations
- Providing customer support and resolving account issues
- Ensuring platform safety and community standards
- Compliance with legal obligations (subpoenas, court orders)
Access Controls:
- All admin access requires justification and is logged in our audit system
- Email and phone numbers are masked by default
- Admins must provide a reason (Investigation, User Support, Legal, or Other) before viewing personally identifiable information (PII)
- PII access is logged with: admin ID, timestamp, justification reason, and notes
- Super admins can view audit logs of all admin actions
Admin Roles:
- Viewers: Can view user profiles but cannot take moderation actions
- Moderators: Can view profiles, access messages with justification, and take moderation actions (kick, suspend, ban)
- Super Admins: Full access including audit logs, GDPR data exports, and all moderation tools
Data Export and Evidence Packs:
- Moderators can generate evidence packs (profile + messages + reports) for investigations
- Super admins can export complete user data for GDPR compliance requests
- All exports and evidence pack generations are logged in our audit system
Your Rights:
- You can request a copy of your audit log to see who accessed your data
- You can contest admin decisions through our appeal process (contact@hookedapp.com)
- Admin access is limited to legitimate business purposes only
3. Data Retention and Deletion
Event Data
User Profiles: All user profiles, photos, and personal information are automatically deleted within 24-48 hours after the event expires. Our automated cleanup system runs at regular intervals to remove expired event data.
Chat Messages: All chat messages and conversations are permanently deleted within 24-48 hours after the event expires.
Match Data: Like/match information is deleted within 24-48 hours after the event expires.
Technical Deletion Process: Our primary cleanup system removes event data within 24-48 hours after expiration. Additionally, we maintain a Time-To-Live (TTL) backup mechanism that automatically removes any remaining data within 72 hours as a failsafe measure.
Leave Event Data Retention
When You Leave an Event Early: If you choose to leave an event before it expires (via Settings → Leave Event), your profile becomes hidden from other users immediately, but your data is preserved until the event expires.
Data Preserved: Your matches, messages, and profile information remain stored (but hidden) until the event expires. If you rejoin the same event, your matches and conversations can be restored.
Automatic Deletion: All event data (profiles, matches, messages) is permanently deleted within 24-48 hours after the event expires, regardless of whether you left early or stayed until the end.
Joining New Events: You can join a different event immediately after leaving, even though your old event data is still stored. Your old profile remains hidden and will be deleted when that event expires.
User Account Data Retention
Distinction Between User Accounts and Event Profiles: It's important to understand the difference between your user account and your event-specific profiles:
- User Account (Persistent): Your user account includes your email address, authentication provider (Google/Apple/Facebook), display name, and lifetime analytics. This account persists across events and is NOT automatically deleted.
- Event Profiles (Temporary): Each time you join an event, you create an event-specific profile with photos, bio, matches, and messages. These event profiles are automatically deleted 24-48 hours after the event expires.
User Account Retention Period: Your user account (email, provider, display name, lifetime analytics) persists indefinitely until you manually delete your account. You can delete your account at any time through:
- App Settings → Delete Account
- Email request to contact@hooked-app.com
- GDPR/CCPA data deletion request
What is Deleted with Your User Account: When you delete your user account, we permanently delete:
- Email address and authentication provider
- Display name and preferences
- Lifetime analytics (events joined, total matches count, etc.)
- Any active event profiles
- Audit logs of admin access to your data (retained only as legally required)
Account Deletion Timeline: Account deletion requests are processed within 30 days (GDPR) or 45 days (CCPA). Audit logs may be retained for up to 2 years as required by GDPR Article 30 (Records of Processing Activities) even after account deletion.
Analytics Preservation
Anonymous Event Snapshots: Before deleting event data, we create anonymous statistical snapshots for business analytics purposes. These snapshots contain only aggregated counts and statistics (e.g., total number of users, total likes, total messages, total matches) without any personally identifiable information (PII).
What is Preserved: Only numerical counts and event metadata (event name, date, location) are preserved. No user names, photos, messages, profile information, or any data that could identify individual users is included in these snapshots.
K-Anonymity Protection: We enforce k-anonymity requirements to ensure snapshots cannot be used to identify individuals. Events with very small participant counts may not have snapshots created to protect user privacy.
Purpose: These anonymous snapshots help us understand platform usage, improve our services, and provide event organizers with high-level analytics about event success.
Backup and Recovery Data
Backup Retention: Any backup copies of event data are retained for a maximum of 7 days for disaster recovery purposes, after which they are permanently deleted.
System Logs: Technical logs and system data are retained for up to 30 days for security and debugging purposes.
Audit Logs: Admin action logs (moderation actions, PII access requests, evidence pack generation) are retained for 2 years minimum for compliance with GDPR Article 30 (Records of Processing Activities) and regulatory requirements.
Analytics and Usage Data
Aggregated Analytics: Anonymous, aggregated usage statistics are retained for up to 2 years to improve our services. This data cannot be used to identify individual users.
Performance Metrics: App performance and error data are retained for up to 90 days for service improvement.
Admin and Business Data
Event Information: Event details, locations, and administrative information are retained for up to 3 years for business records and legal compliance.
Client Information: Business client contact information and event history are retained for up to 5 years for business relationship management.
Admin Accounts: Administrator account information is retained until the account is deleted or the administrator requests deletion.
Legal Compliance and Data Retention
Legal Requirements: We may retain certain data for longer periods when required by law, regulation, or legal proceedings.
GDPR Compliance: Under GDPR, you have the right to request deletion of your personal data. We will process deletion requests within 30 days.
CCPA Compliance: California residents have the right to know what personal information is collected and request deletion. We will respond to CCPA requests within 45 days.
Data Subject Rights: You may request information about your data, request corrections, or request deletion by contacting us at contact@hookedapp.com.
4. Information Sharing
We do not sell, trade, or otherwise transfer your personal information to third parties except:
- With your explicit consent
- To comply with legal obligations
- To protect our rights and safety
- With service providers who assist in our operations (see Third-Party Services section)
5. Data Security
We implement appropriate security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes:
- SSL/TLS encryption for all data transmission
- Encryption of data at rest
- Regular security audits and assessments
- Access controls and authentication measures
- Secure data centers and infrastructure
6. Your Rights
You have the right to:
- Access your personal information
- Correct inaccurate information
- Request deletion of your data
- Opt out of certain communications
- Lodge a complaint with supervisory authorities
- Data portability (receive your data in a structured format)
- Object to processing of your data
- Contest automated decisions and request human review
6.1 Automated Decision-Making
We use automated decision-making technology powered by AWS Rekognition to analyze profile photos for content moderation purposes. This includes:
- Face Detection: AI determines whether a photo contains exactly one clearly visible face
- Content Moderation: AI analyzes photos for inappropriate content including explicit material, violence, hate symbols, and drugs
- Rejection Reasons: Photos may be automatically rejected for no face detected, multiple faces, low quality, or inappropriate content
Your Rights: You have the right to contest automated photo rejections and request human review. These automated decisions do not produce legal or similarly significant effects. You may resubmit photos or contact support at contact@hookedapp.com to appeal a decision.
7. Cookies and Tracking
We use cookies and similar technologies to improve your experience, analyze usage, and provide personalized content. You can control cookie settings through your browser.
8. Third-Party Services and Data Processors
Our app uses the following third-party services to provide our functionality. Each service has its own privacy policy and data handling practices:
AWS Rekognition (Amazon Web Services)
We use AWS Rekognition for automated photo validation and content moderation:
- Face Detection: Analyzing photos to detect and count faces
- Content Moderation: Detecting inappropriate content (explicit material, violence, hate symbols, drugs)
- Real-Time Processing: Photos analyzed in real-time and not stored by AWS
- Data Transmission: Photos temporarily sent to AWS servers for analysis only
The AWS privacy policy can be found at: https://aws.amazon.com/privacy/
Firebase (Google LLC)
We use Firebase services for:
- Firestore Database: Storage of event data, user profiles, and messages
- Cloud Storage: Storage of user profile photos
- Cloud Functions: Backend processing and automation
Firebase's privacy policy can be found at: https://firebase.google.com/support/privacy
Google Analytics 4 (Google LLC)
We use Google Analytics for website analytics:
- Page Analytics: Tracking page views and user engagement
- Event Tracking: Monitoring user interactions and conversions
- User Behavior: Understanding how users navigate our website
- IP Anonymization: IP addresses are anonymized for privacy protection
Google's privacy policy can be found at: https://policies.google.com/privacy
Sentry (Functional Software, Inc.)
We use Sentry for:
- Error Monitoring: Tracking and fixing app crashes and errors
- Performance Monitoring: Monitoring app performance and user experience
Sentry's privacy policy can be found at: https://sentry.io/privacy/
OneSignal (OneSignal, Inc.)
We use OneSignal for push notifications:
- Push Notifications: Sending match and message alerts to your device
- Device Tokens: OneSignal manages device tokens automatically
- Multi-Device Support: Notifications delivered to all your logged-in devices
- Data Transmission: User ID and notification content sent to OneSignal servers
OneSignal's privacy policy: https://onesignal.com/privacy_policy
Development Environment: App ID 5d2b0d34-1602-4edc-890c-82b243b1f9a0
Production Environment: App ID a1c6aaa8-916d-4950-b1ae-25c147f54015
Expo (Expo, Inc.)
We use Expo services for:
- App Development: Cross-platform app development framework
- Image Picker: Camera and photo library access
Expo's privacy policy can be found at: https://expo.dev/privacy
Google Places API (Google LLC)
We use Google Places API for city autocomplete on our EventForm page:
- City Selection: Autocomplete suggestions when event organizers enter city names
- Data Transmission: City search queries sent to Google servers
- No Personal Data: Only city names are processed; no user identification data is sent
Google's privacy policy can be found at: https://policies.google.com/privacy
OAuth Authentication Providers
Hooked uses OAuth authentication via third-party providers. When you sign in, we receive your email address from your chosen provider:
- Google Sign-In (Google LLC): OAuth authentication and email collection. Privacy policy: https://policies.google.com/privacy
- Apple Sign-In (Apple Inc.): OAuth authentication and email collection. Privacy policy: https://www.apple.com/legal/privacy/
- Facebook Login (Meta Platforms, Inc.): OAuth authentication and email collection. Privacy policy: https://www.facebook.com/privacy/policy/
Data Collected: We only collect your email address from these providers. We do not access your contacts, friends lists, or other social media data.
Account Linking: Your Hooked account is linked to your chosen OAuth provider. You can delete your Hooked account at any time, which does not affect your provider account.
Data Processing Agreements
We have data processing agreements with these third-party services to ensure they handle your data in compliance with applicable privacy laws and our privacy standards.
Third-Party Websites
Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.
9. Children's Privacy
Our services are not intended for children under 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure that such transfers comply with applicable data protection laws and that your data receives adequate protection.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on our website and updating the "Last updated" date. We encourage you to review this policy periodically.
12. Contact Us
If you have any questions about this privacy policy or our data practices, please contact us at:
Email: contact@hookedapp.com
Phone: (+972) 53-2748672
13. Administrator Accountability and Transparency
We maintain a comprehensive audit system to ensure accountability for all administrative actions involving your personal data.
Audit Trail
Every administrative action is logged with the following information:
- Admin Identity: Email and role of the admin who performed the action
- Action Type: Type of action (view PII, access messages, kick, suspend, ban, export data)
- Timestamp: Exact date and time of the action
- User Affected: The user whose data was accessed or affected
- Justification: Required reason code (Investigation, User Support, Legal, Other)
- Notes: Detailed explanation provided by the admin
Data Access Logging
When an admin accesses your personally identifiable information (PII), we log:
- Email Access: Viewing your email address (normally masked)
- Phone Access: Viewing your phone number (normally masked)
- Message Access: Viewing your private conversations
- Evidence Pack Generation: Exporting your profile, messages, and reports
- GDPR Export: Exporting your complete data for compliance requests
Your Audit Rights
You have the right to:
- Request Your Audit Log: See who accessed your data, when, and why
- Challenge Access: Contest admin actions you believe were unjustified
- Appeal Decisions: Appeal moderation decisions through contact@hookedapp.com
- File Complaints: Report concerns to data protection authorities
Legal Basis for Admin Access
We process your data for administrative purposes under the following legal bases (GDPR Article 6):
- Legitimate Interest (Article 6(1)(f)): Platform safety, fraud prevention, and community standards enforcement
- Legal Obligation (Article 6(1)(c)): Compliance with court orders, subpoenas, and regulatory requirements
- Contract Performance (Article 6(1)(b)): Providing customer support and resolving account issues
Audit Log Retention
All audit logs are retained for a minimum of 2 years as required by GDPR Article 30 (Records of Processing Activities). This ensures we can demonstrate compliance and provide you with your access history upon request.
14. Privacy Policy Version History
Version 4.0 - November 9, 2025:
- Added Section 2.2: Admin Access and Moderation (CRITICAL - GDPR compliance)
- Added Section 13: Administrator Accountability and Transparency
- Added OneSignal to third-party services section with app IDs
- Removed push notification functionality from Expo section
- Updated audit log retention from 30 days to 2 years minimum (GDPR Article 30)
- Disclosed admin roles: Viewers, Moderators, Super Admins
- Disclosed evidence pack generation and GDPR data export capabilities
- Added PII access logging details (email, phone, messages)
- Added legal basis for admin access (GDPR Article 6)
- Added user rights to request audit logs and appeal decisions
Version 3.2 - November 8, 2025:
- Updated data deletion timeline from "24 hours" to "24-48 hours" to accurately reflect cleanup system intervals
- Added Technical Deletion Process explanation with TTL backup mechanism (up to 72 hours)
- Added Analytics Preservation section disclosing anonymous event snapshots
- Clarified that only aggregated counts are preserved, no PII in snapshots
- Added k-anonymity protection disclosure for analytics
Version 3.1 - November 7, 2025:
- Added Leave Event Data Retention section
- Clarified data preservation when users leave events early
- Explained that data persists until event expires (not when leaving)
- Added information about profile restoration when rejoining
- Updated event data deletion timeline to reference event expiration
Version 3.0 - October 28, 2025:
- Added AWS Rekognition disclosure for photo validation and content moderation
- Added Google Analytics 4 disclosure for website analytics
- Added automated decision-making section (GDPR/CCPA compliance)
- Added biometric data processing disclosure (facial recognition)
- Added device permissions section (camera, photo library, notifications)
- Added content moderation disclosure and reporting procedures
- Clarified session-based authentication (no traditional accounts)
- Enhanced user rights to include contesting automated decisions
- Removed Firebase Authentication (not used by app)
Version 2.0 - January 15, 2025:
- Added detailed data retention timeframes
- Added third-party service disclosures
- Added GDPR and CCPA compliance information
- Added data processing and security measures
- Enhanced user rights and data subject rights
- Added international data transfers section
Version 1.0 - January 1, 2025:
- Initial privacy policy
