Privacy Policy

At sender sign-up: via Google OAuth we collect your email, name, profile picture URL, and Google account subject ID. No passwords are stored.

For reviewer visits we collect no name or email. Instead we store the `viewer_session_{reviewId}` cookie (32-byte random Base64URL) and the SHA256 hash of a visitor ID generated by the open-source FingerprintJS. IP addresses are stored only as SHA256-hashed /24 (IPv4) or /64 (IPv6) subnets, and the raw User-Agent is never stored (only the parsed browser/os plus a SHA256 hash).

We use the collected data to: (a) identify and authenticate accounts, (b) distinguish reviewer sessions (detect the same device returning), (c) filter bots and scrapers, (d) compute the review signals (page dwell, outcomes) we surface back to senders, and (e) respond to security incidents.

Under GDPR Recital 26, anonymized reviewer data (cookie ID + fingerprint hash + subnet hash) is treated as re-identification-resistant statistical data. We do not sell data to third parties for marketing without explicit consent.

HookDoc does not use any third-party analytics SDK of any kind. Page dwell, clicks, scroll, and other review signals are written directly to our own event log (`document_events`), and — where relevant — an rrweb-based session replay is stored in our Cloudflare R2 bucket and shown only to the sender.

As a result, reviewer data never leaves to a third-party domain, and all data stays in the storage locations named in §4.

Uploaded PDFs, page images, thumbnails, and annotated PDF derivatives are stored in Cloudflare R2. Storage and processing locations follow the Cloudflare R2 bucket configuration and Cloudflare's data location policy. Database records (users, document metadata, comments, event log) are stored in Supabase Postgres, with the actual region determined by the operational Supabase project configuration.

Original PDFs are never used for third-party AI training, and only the HookDoc operator has direct access.

Documents deleted via the Danger Zone are hard-deleted from R2 immediately (not recoverable). Database rows are soft-deleted for 30 days for audit, then background cleanup fully removes them.

Account deletion applies the same policy to every document and workspace you own. The event log (`document_events`) is the basis of review outcome evidence and is removed together with the document's hard delete.

You have the right to access, correct, delete, restrict, and object to processing of your data. The fastest path is the "Permanently delete account" button in `/app/settings`.

For anything not supported by self-service — a data copy request (Right to Access), correcting specific fields, or deleting reviewer sessions for a specific document — email us and we will reply within 7 business days with the outcome.

Essential cookies: `viewer_session_{reviewId}` (reviewer session), `sb-*` (Supabase sign-in session), `NEXT_LOCALE` (language preference). These are required for the Service to function and are used regardless of consent.

Optional cookies and third-party analytics cookies are not used at this time. The Cookie Policy page contains the full inventory.

During the beta period, HookDoc does not enable paid billing. If a paid plan is introduced in the future, payments will be processed through a PCI DSS compliant Merchant of Record (MoR) such as Polar.sh, and HookDoc servers will not store credit card numbers or payment details.

This policy will be updated in advance once a payment processor is confirmed.

The Service does not permit users under 14. Accounts suspected of belonging to a user under 14 will be removed after prior notice.

We notify you at least 7 days in advance by email or in-service notice when this policy changes. Material changes (new collection categories, third-party recipients) trigger a 30-day notice period and re-consent.