Privacy Policy

This page explains the personal data we collect when you use hookin.id, what we use it for, and the rights you have over it. The policy is drafted in line with Law No. 27 of 2022 on Personal Data Protection (UU PDP).

Last updated: May 15, 2026

1. Data controller

The Personal Data Controller is the independent operator running hookin.id, based in Jakarta, Indonesia. For privacy communications, use the email halo@hookin.id with the subject [DATA REQUEST].

2. Data we collect

When you use hookin.id, we collect the following categories of data:

  • Account data: email address, password (stored as a one-way hash), optional display name.
  • Content you create: inputs to scripts, carousels, and voiceovers, plus the outputs the model returns.
  • Third-party API keys (BYOK): if you store an ElevenLabs API key, we keep it encrypted (AES-GCM) and only decrypt it when you call the voice endpoint. The master key never lives in the browser.
  • Payment data: transaction metadata (order id, amount, status, payment method) returned by Midtrans. We do not store credit card numbers, account numbers, or any payment credentials.
  • Technical data: IP address (hashed with a salt for analytics without direct identification), user agent, request timestamp, and which API route was hit.
  • Communications: the contents of emails you send to hookin.id and our replies.

3. How we use data

  • Operating the service: authentication, authorization, billing, and running content generation workflows.
  • Transactional communication: email verification, password reset, payment notifications, and important service emails.
  • Aggregate analytics: understanding feature usage patterns to prioritize development. Analytics run at aggregate level and are never exported with direct identifiers. Axiom is an operational observability platform (logging + metrics), not an ad-tracking tool.
  • Security: abuse detection, rate limiting, and incident investigation.

We do not sell your personal data, do not show third-party ads, and do not install marketing tracking pixels.

4. Third parties that process data

To run the service, we share limited data with the processors below. Vendor selection is based on their privacy policies and security controls:

  • Anthropic (Claude API) — runs script, listing, and caption generation. Inputs are sent as prompts; Anthropic's separate retention policy is on anthropic.com.
  • ElevenLabs — voiceover text-to-speech. Only the text to be spoken is sent, no user account metadata.
  • Resend — transactional email (verification, password reset).
  • Midtrans — payment processor. We send the order id, amount, and user email; they handle payment credentials.
  • Axiom — observability and logging. Request logs are sent without the content you generate.
  • VPS hosting (Contabo) — the server infrastructure that runs the hookin.id application. Application data and the database live in the VPS provider's data center; operational server access is performed by the hookin.id operator via SSH key.

5. Data retention

  • Active accounts: data is kept while the account is active.
  • Deleted accounts: data is permanently deleted 30 days after the deletion request, with a grace period for recovery within that window.
  • Technical logs: 90 days, then rotated.
  • Database backups: 30 days max, then deleted.

6. Your rights as a data subject

Under UU PDP 27/2022, you have the following rights over the personal data we process:

  • Right to access: request a copy of the personal data we hold about you.
  • Right to correction: request that inaccurate data be fixed.
  • Right to deletion: request deletion of your account and personal data.
  • Right to portability: use the "Download my data" button in Settings for an instant JSON export covering account profile, credit balance and ledger, every generation output (scripts, carousels, voice, listings, ideas, captions, text overlays), affiliate links with click aggregates, product favorites, feedback, admin credit-grant history, and BYOK provider metadata (without the encrypted keys themselves). Email halo@hookin.id for other structured formats.
  • Right to withdraw consent: revoke consent at any time.
  • Right to object: object to specific processing, especially aggregate analytics.
  • Right to compensation: claim damages caused by violations in processing your personal data (UU PDP art. 12).
  • Right to lodge a complaint: report suspected personal data protection violations to the competent Personal Data Protection Authority (UU PDP art. 11).

To exercise these rights, email halo@hookin.id with the subject [DATA REQUEST]. We respond within 30 calendar days.

7. Security

  • Passwords are stored as a hash (Argon2id) with a unique salt per user.
  • BYOK API keys are encrypted with AES-GCM. The master key never lives in the browser and is stored separately from the database.
  • All web communication uses HTTPS with TLS 1.2+.
  • Session cookies are marked HttpOnly and Secure.
  • Database server access is SSH key only, no password login.

Even so, no system is 100% safe. If you suspect your account is compromised, reset your password immediately and let us know via [SECURITY] to halo@hookin.id.

8. Cookies

We only use functional cookies needed for session and authentication. No marketing tracking pixels, no third-party profiling cookies, and no selling device IDs to advertisers. A consent banner appears on your first visit; your preference is stored in browser localStorage.

9. Underage users

hookin.id is intended for users 18 or older. We do not knowingly collect data from minors. If you are a parent or guardian and find your child registered, contact us so we can delete the account.

10. Cross-border transfers

Some processors (Anthropic, ElevenLabs, Resend, Axiom) are based outside Indonesia. Transfers to them rely on contractual safeguards comparable to UU PDP standards (per UU PDP art. 56), and are limited to the minimum data needed to run the service.

11. Policy changes

We may update this policy as the service and regulation evolve. Material changes will be announced via email to registered users at least 30 days before they take effect. The latest version is always on this page with the update date.

Privacy Policy · hookin.id