Privacy Policy
Last updated: April 2026
1. Data Controller
Juan Manuel Ríos Guerrero, domiciled in Málaga, Spain. Tax ID available upon request. Contact email: contact@hookalyze.com. Hookalyze is a platform operated as a self-employed professional activity in Spain.
2. Data Collected
We collect the following categories of personal data: (a) Account data: email address, encrypted password (registration via Supabase Auth), name and avatar (if you sign in via Google OAuth). (b) TikTok data (via OAuth with your explicit consent): username, display name, avatar, bio, verification status, profile link, follower count, following count, likes count, and video count; for each video: identifier, title, description, cover image, duration, dimensions, publication date, and performance metrics (views, likes, comments, shares). (c) Payment data: managed entirely by Lemon Squeezy as Merchant of Record — Hookalyze does not store credit card or banking information. (d) Technical data: IP address, browser type, preferred language, and anonymized usage data (only with analytics cookie consent).
3. Use of TikTok Data (Official API)
Hookalyze accesses your TikTok data exclusively through the official TikTok API, with your explicit authorization via OAuth 2.0. The permissions (scopes) requested and their justification are: (1) user.info.basic — we obtain your unique identifier (open_id), display name, and avatar to identify you within the platform and display your connected profile. (2) user.info.profile — we obtain your username, bio, profile link, and verification status to contextualize your content analysis and personalize recommendations. (3) user.info.stats — we obtain your follower count, following count, total likes, and video count to calculate relative performance metrics and classify your creator profile. (4) video.list — we access your public video list with metadata (title, description, cover image, duration, dimensions, date) and engagement metrics (views, likes, comments, shares) to generate your Creator Profile (DNA) through artificial intelligence analysis. All TikTok data is used exclusively to provide the contracted analysis service. OAuth access tokens are stored encrypted with AES-256 in our database. We never sell, transfer, or share your TikTok data with third parties for advertising or marketing purposes. You can revoke Hookalyze's access to your TikTok account at any time from your TikTok account settings (Settings > Security > Authorized Apps) or by contacting contact@hookalyze.com. Upon revoking access, we will delete your tokens and associated TikTok data from our systems. Hookalyze fully complies with the TikTok Developer Terms of Service and the platform's data usage guidelines.
4. Legal Basis for Processing
We process your personal data based on the following GDPR legal bases: (a) Consent (Art. 6.1.a): for the installation of analytics cookies (Google Analytics, TikTok Pixel) and for accessing your TikTok data via OAuth. (b) Performance of a contract (Art. 6.1.b): for providing the content analysis service, generating the Creator Profile (DNA), managing your account, and billing. (c) Legitimate interest (Art. 6.1.f): for platform security, fraud prevention, and service improvement.
5. Purpose of Processing
Your data is used for the following specific purposes: (a) TikTok content analysis: we process your videos (visual content, audio, and text) using artificial intelligence to identify success patterns in your content. (b) Creator Profile (DNA) generation: from individual analyses, we build a cumulative profile that identifies your most effective visual, auditory, and scripting patterns, using time-weighted decay analysis. (c) Performance metrics: we collect engagement metrics from your TikTok videos to correlate content patterns with performance results. (d) Hook generation: we use your Creator Profile to generate personalized hook recommendations for future videos. (e) Pre-publication audit: we analyze video drafts before publication to provide improvement recommendations. (f) Account management and billing: we process your account data to manage your subscription and communicate with you. (g) Service improvement: we use anonymized and aggregated data to improve our analysis algorithms.
6. Recipients and Data Processors
Your data may be processed by the following data processors, with whom we maintain data protection agreements: (a) Supabase Inc. (database and authentication, EU region servers) — stores account data and analysis metadata. (b) Lemon Squeezy (Merchant of Record) — manages payments and billing independently. (c) Google Cloud / Gemini (LLM for AI analysis) — processes video content to generate analyses; data is processed in accordance with Google Cloud's applicable privacy policies and contractual agreements. (d) OpenAI (backup LLM) — only used as a fallback if the primary service is unavailable; data is processed in accordance with OpenAI's applicable privacy policies and contractual agreements. (e) Hetzner Online GmbH (VPS in Germany, EU) — hosts our backend server. (f) Vercel Inc. (frontend hosting, USA) — serves the web application. (g) Google Analytics (web analytics, only with consent) — collects anonymized browsing data. (h) TikTok Pixel (campaign measurement, only with consent) — measures advertising campaign effectiveness. Hookalyze uses API configurations designed to minimize data retention by artificial intelligence providers.
7. International Transfers
Some data processors are located outside the European Economic Area (EEA): OpenAI (USA), Vercel (USA), and Google (USA). These transfers are carried out pursuant to Article 46 of the GDPR through Standard Contractual Clauses (SCCs) approved by the European Commission, and where applicable, under the EU-U.S. Data Privacy Framework pursuant to the European Commission's Adequacy Decision. You may request additional information about the applicable safeguards by contacting us at contact@hookalyze.com.
8. Data Retention Period
We apply the following retention periods: (a) Account data: as long as your account remains active. After cancellation, data is deleted within a maximum of 30 days, unless we are legally required to retain it. (b) TikTok data and Creator Profile: as long as your account is active and you maintain the OAuth connection. If you revoke TikTok access, associated data is deleted within a maximum of 30 days. (c) TikTok OAuth tokens: deleted immediately upon access revocation. (d) Processed video files: automatically deleted from temporary storage after completing the analysis (maximum 24 hours). (e) Billing data: retained for the legally required period (5 years under Spanish tax law). (f) Analytics data (cookies): according to each provider's retention periods (Google Analytics: 14 months; TikTok Pixel: 13 months).
9. Security Measures
We implement appropriate technical and organizational measures to protect your personal data: (a) Encryption: TikTok OAuth tokens are encrypted with AES-256 before storage. All communications are conducted via HTTPS/TLS. (b) Access control: the database implements Row Level Security (RLS), ensuring each user can only access their own data. (c) Privilege separation: user endpoints use scoped access keys; administrative keys are only used in automated internal processes. (d) Secure storage: servers are located in certified data centers (Hetzner, Germany; Supabase, EU region). (e) Monitoring: we use error detection systems to ensure service integrity.
10. Data Deletion and Account Removal
You can request complete deletion of your account and all associated data by sending an email to contact@hookalyze.com. The process includes: (a) Immediate deletion of TikTok OAuth tokens. (b) Deletion of your Creator Profile (DNA) and all associated analyses. (c) Deletion of video metadata and stored metrics. (d) Deletion of your user account. (e) Complete processing within a maximum of 30 days. Billing data will be retained exclusively for the legally required period. You will receive email confirmation once deletion is complete.
11. Data Subject Rights
Under the GDPR, you may exercise the following rights by sending an email to contact@hookalyze.com: (a) Access: obtain a copy of your personal data. (b) Rectification: correct inaccurate or incomplete data. (c) Erasure: request the deletion of your data. (d) Objection: object to the processing of your data. (e) Portability: receive your data in a structured, machine-readable format. (f) Restriction: request restriction of processing in certain circumstances. (g) Withdrawal of consent: withdraw your consent at any time, without retroactive effect. You may also file a complaint with the Spanish Data Protection Agency (AEPD) at https://www.aepd.es.
12. Minors
Use of Hookalyze requires a minimum age of 14 years (Spain) or 16 years (rest of the EU), in accordance with applicable regulations. If you are a minor (between the applicable minimum age and 18 years), you declare that you have the authorization of your parents or legal guardians to use the service. Hookalyze reserves the right to request proof of such authorization. We do not intentionally collect data from minors below the stated minimum ages. If we detect that a minor has registered without the corresponding authorization, we will delete their account and data immediately.
13. Automated Decisions and Profiling
The Creator Profile (DNA) is generated automatically using artificial intelligence based on the analysis of your TikTok videos. This profile is used exclusively to provide personalized analysis and content improvement recommendations. No decisions with legal effects are made based on this automated profile. You may request additional information about the logic applied, contest the generated profile, or request human intervention by contacting us at contact@hookalyze.com.