Summary
Hooklayer is a viral-content intelligence API and MCP server. We process the inputs you send us (TikTok handles, hook text, scripts, video URLs) through AI analysis pipelines and return structured results. We do not sell user data, we do not store your request content beyond the time it takes to return a response, and every tool is read-only.
What we collect
- Account information: email address and password hash (bcrypt) on signup, or OAuth provider identifier (Google) if you sign in with Google.
- API keys you mint: the hashed value plus a human-readable label you set in your dashboard. The plaintext key is shown to you once at mint time and never stored.
- Request inputs: the content you send to each tool (handles, hooks, scripts, URLs, reference samples). Used once to produce the response, then discarded — see Retention.
- Credit ledger: how many credits you have, how many you've used, which tool consumed each credit. Required to bill correctly.
- OAuth state: if you connect Hooklayer via OAuth 2.1 (Claude.ai, custom client), we store the client_id, hashed client_secret, refresh-token hash, and access-token hash bound to your user account.
- Anonymous usage metrics: aggregated counts (calls per tool per day, error rates, cache-hit rates) used for capacity planning and product analytics. Not tied to your account identity.
How we use it
- To run the tool you called (analyze a creator, score a hook, predict virality, etc.) and return the result.
- To deduct credits from your subscription or pay-as-you-go bucket.
- To rate-limit your account against the documented per-tier throughput cap.
- To improve the product: aggregate metrics inform which tools to optimize, which patterns to add to scoring rubrics, etc. We do not use your request content to train AI models.
Where it's stored
Hooklayer runs on Vercel (US-East) with a Supabase Postgres database hosted in US-East-1 (AWS). All data is encrypted in transit (TLS) and at rest (Postgres-level encryption). Backups are managed by Supabase under their standard data-handling agreement.
We do not transfer your account data outside the US except where required by transient CDN delivery (cached static pages on Vercel's global edge network).
Third parties we share with
The following services receive subsets of your data during normal operation:
- Anthropic (Claude API): the request content you send is passed to Claude Sonnet for analysis. Anthropic's data policy applies; they do not train on API inputs by default.
- ScrapeCreators: TikTok handles you pass to analyze_account are forwarded to ScrapeCreators to fetch public TikTok profile data. They see the handle, nothing else.
- Stripe: if you subscribe to a paid plan, payment information is collected and stored by Stripe under their privacy policy. We receive the customer ID, subscription status, and last 4 digits of the card; we never see full card numbers.
- Supabase: our database and authentication provider. They process all account and ledger data on our behalf as a sub-processor.
- Vercel: our hosting and CDN provider. They process HTTP requests including IP addresses for delivery.
We do not sell your data to anyone. We do not share data with advertisers or data brokers.
Retention
- Request content: hook text, scripts, URLs, reference samples — discarded immediately after the response is returned. Not logged, not stored.
- Cached analysis results: for determinism, we cache responses by an SHA-256 hash of the input for up to 24 hours. The cache key is the hash; the cached value is the response JSON. The original input text is not stored — only its hash. Cache entries auto-expire after 24 hours.
- Account data: retained while your account is active. A deletion request sent to support@hooklayer.dev removes your account and all associated data within 30 days.
- Anonymous metrics: retained indefinitely; cannot be tied back to your identity.
- OAuth tokens: access tokens expire per OAuth spec (default 1 hour). Refresh tokens are revoked on logout or account deletion.
Your rights
You can, at any time:
- Export your data (request via support email)
- Delete your account and all associated data
- Revoke any API key from your dashboard
- Revoke OAuth tokens via the same dashboard
- Cancel your subscription at any time (Stripe-managed)
Under GDPR, CCPA, and similar regulations, you have the right to access, correct, port, and delete your data. Email support@hooklayer.dev for any of these requests.
Children
Hooklayer is a developer tool. We do not knowingly collect data from anyone under 16. If you believe a minor has signed up, email us and we will delete the account.
Changes to this policy
We will update the “last updated” date above when this policy changes. Material changes (e.g. new third parties, data sale, retention changes) will be announced to active users by email at least 14 days before they take effect.
Contact
Questions or requests about this policy:
- General privacy: support@hooklayer.dev
- Security disclosures: security@hooklayer.dev
- GitHub Issues for the public repo: github.com/khan-ashifur/hooklayer/issues