Hook Inspo

Sub-processor list

Hook Inspo – Hookify Platform
Last Updated: November 1, 2025
Next Review: February 1, 2026


INTRODUCTION

Hook Inspo uses carefully selected third-party service providers (“Sub-processors”) to help deliver the Hookify platform. This page provides complete transparency about who these Sub-processors are, what services they provide, and what data they process.

We are committed to:

  • ✅ Working only with reputable, security-conscious Sub-processors
  • ✅ Ensuring all Sub-processors comply with GDPR and data protection laws
  • ✅ Giving you 30 days’ notice before adding or changing Sub-processors
  • ✅ Maintaining strict data processing agreements with all Sub-processors

CURRENT SUB-PROCESSORS

1. INFRASTRUCTURE & HOSTING

all-inkl.com

Service Provided: Web hosting, server infrastructure, and data storage

Entity Name: ALL-INKL.COM – Neue Medien Münnich
Location: Germany (headquarters: Eisenach, Germany)
Legal Status: GDPR-compliant German hosting provider, data center in Germany

Data Processed:

  • All platform data including:
    • User account information (names, emails, encrypted passwords)
    • Hook text content and campaigns
    • Performance metrics and analytics
    • Session data and authentication tokens
    • Database records (MySQL)
    • File uploads and exports
    • Application logs

Purpose:

  • Host the Hookify web application
  • Store all user-generated content
  • Provide server resources and database hosting
  • Ensure platform availability and backups
  • Email hosting and delivery

Security & Compliance:

  • ISO 27001 certified data center
  • GDPR compliant (German provider)
  • Regular security audits
  • Daily backups
  • DDoS protection
  • SSL/TLS encryption

Data Transfer: No international transfer; all data remains in Germany (EU)

Privacy Policy: https://all-inkl.com/datenschutzinformationen/
Terms: https://all-inkl.com/agb/

Date Added: October 2025


2. AI & MACHINE LEARNING

OpenAI, Inc.

Service Provided: Large Language Model API (GPT models) for hook generation

Entity Name: OpenAI, Inc.
Location: USA (San Francisco, California)
Legal Status: US corporation, GDPR-compliant via Standard Contractual Clauses

Data Processed:

  • Hook text content submitted for generation
  • User prompts and parameters
  • Generated hook variations
  • API usage logs (anonymized)

Purpose:

  • Generate AI-powered content hooks
  • Provide creative suggestions
  • Analyze content patterns
  • Power the hook generation engine

Security & Compliance:

  • SOC 2 Type II certified
  • Enterprise API with data protection commitments
  • Data not used for model training (Enterprise agreement)
  • API requests encrypted in transit (TLS 1.3)
  • 30-day data retention for API logs only

Data Transfer: Transfer to USA protected by Standard Contractual Clauses (SCCs)

Privacy Policy: https://openai.com/privacy/
Enterprise Terms: https://openai.com/enterprise-privacy/

Date Added: October 2025

Important Notes:

  • OpenAI does NOT use Hook Inspo customer data to train models
  • API data is retained for 30 days for abuse monitoring only, then deleted
  • Enterprise API agreement with enhanced privacy protections

Anthropic, Inc.

Service Provided: Large Language Model API (Claude models) for hook generation

Entity Name: Anthropic, Inc.
Location: USA (San Francisco, California)
Legal Status: US corporation, GDPR-compliant via Standard Contractual Clauses

Data Processed:

  • Hook text content submitted for generation
  • User prompts and parameters
  • Generated hook variations
  • API usage logs (anonymized)

Purpose:

  • Generate AI-powered content hooks
  • Provide alternative AI engine
  • Analyze content patterns
  • Enhance hook quality and diversity

Security & Compliance:

  • SOC 2 Type II certified
  • API data not used for model training
  • API requests encrypted in transit (TLS 1.3)
  • 30-day data retention for trust & safety only

Data Transfer: Transfer to USA protected by Standard Contractual Clauses (SCCs)

Privacy Policy: https://www.anthropic.com/privacy
Commercial Terms: https://www.anthropic.com/legal/commercial-terms

Date Added: October 2025

Important Notes:

  • Anthropic does NOT use Hook Inspo customer data to train models
  • API data retained for 30 days for trust & safety monitoring, then deleted
  • Constitutional AI approach ensures safety and privacy

3. PAYMENT PROCESSING

3.1 Paddle.com Market Ltd

Service Provided: Payment processing, subscription billing, and merchant of record services

Entity Name: Paddle.com Market Ltd
Location: United Kingdom (London) with US operations
Legal Status: UK company, GDPR-compliant, acts as Merchant of Record

Data Processed:

  • Billing information (name, address, tax ID)
  • Payment method details (credit card, PayPal – handled by Paddle, not stored by Hook Inspo)
  • Transaction history
  • Subscription status
  • Invoice and receipt data
  • VAT/tax information

Purpose:

  • Process subscription payments
  • Handle refunds and chargebacks
  • Generate invoices and receipts
  • Manage VAT/sales tax compliance
  • Act as Merchant of Record for international sales
  • Handle payment disputes

Security & Compliance:

  • PCI DSS Level 1 certified
  • SOC 2 Type II certified
  • GDPR compliant
  • Payment card data never exposed to Hook Inspo
  • Strong Customer Authentication (SCA) compliant

Data Transfer: UK (adequate country) and USA (protected by SCCs)

Privacy Policy: https://www.paddle.com/privacy
DPA: Available upon request through Paddle dashboard

Date Added: October 2025

Important Notes:

  • Paddle acts as Merchant of Record (not Hook Inspo)
  • Full payment card data never stored by Hook Inspo
  • Paddle handles all PCI compliance

3.2 PayPal (Europe) S.à r.l. et Cie, S.C.A.

Service Provided: Alternative payment processing and digital wallet services

Entity Name: PayPal (Europe) S.à r.l. et Cie, S.C.A.

Location: Luxembourg (EU headquarters)

Legal Status: EU-based entity, GDPR-compliant

Data Processed:

  • PayPal account email address
  • Transaction details (amount, date, subscription status)
  • Billing name and address (when provided to PayPal)
  • Payment authorization tokens
  • Refund and dispute information

Purpose:

  • Provide alternative payment method for customers who prefer PayPal
  • Process one-time and recurring subscription payments
  • Handle payment confirmations and receipts
  • Enable refunds and payment disputes
  • Streamline checkout experience

Security & Compliance:

  • PCI DSS Level 1 certified
  • GDPR compliant (EU entity)
  • Two-factor authentication support
  • Buyer and seller protection programs
  • Fraud monitoring and prevention
  • Secure OAuth authentication

Data Transfer: No transfer outside EU (PayPal Europe entity)

Privacy Policy: https://www.paypal.com/privacy

User Agreement: https://www.paypal.com/legal/ua

Date Added: November 2025

Important Notes:

  • PayPal account details never stored by Hook Inspo
  • Users transact directly with PayPal via secure redirect
  • PayPal’s own privacy policy and terms apply to payment processing
  • Optional payment method – users can choose credit card via Paddle instead

4. EMAIL SERVICES

SendGrid, Inc. (Twilio SendGrid)

Service Provided: Transactional email delivery service

Entity Name: SendGrid, Inc. (a Twilio Company)
Location: USA (Colorado)
Legal Status: US corporation, GDPR-compliant via Standard Contractual Clauses

Data Processed:

  • Email addresses
  • Email content:
    • Account verification emails
    • Password reset emails
    • Billing notifications
    • Product updates (if opted in)
    • Hook generation completed notifications
  • Email engagement metrics (opens, clicks)

Purpose:

  • Deliver transactional emails reliably
  • Track email delivery success
  • Handle bounces and unsubscribes
  • Ensure high deliverability rates

Security & Compliance:

  • SOC 2 Type II certified
  • ISO 27001 certified
  • GDPR compliant
  • TLS encryption for email delivery
  • DKIM, SPF, DMARC authentication

Data Transfer: Transfer to USA protected by Standard Contractual Clauses (SCCs)

Privacy Policy: https://www.twilio.com/legal/privacy
GDPR: https://www.twilio.com/legal/data-protection-addendum

Date Added: October 2025

Data Retention:

  • Email logs retained for 30 days
  • Unsubscribe lists retained indefinitely
  • Engagement metrics retained for 90 days

5. ADVERTISING PLATFORM INTEGRATIONS

TikTok Pte. Ltd.

Service Provided: TikTok advertising platform integration for campaign performance data

Entity Name: TikTok Pte. Ltd.
Location: Singapore (regional headquarters) / USA operations
Legal Status: International corporation, API integration only

Data Processed:

  • Campaign performance metrics (views, engagement, CTR)
  • Public content metadata (when users connect TikTok accounts)
  • Ad spend data (if TikTok Ads connected)
  • Audience demographic data (aggregated)

Purpose:

  • Retrieve campaign performance data
  • Enable hook testing on TikTok platform
  • Provide performance predictions
  • Analytics and insights

Security & Compliance:

  • TikTok API with OAuth authentication
  • Data accessed per user consent only
  • No personal identifying information beyond public profile
  • API rate limiting and access controls

Data Transfer: International transfers to Singapore/USA

Privacy Policy: https://www.tiktok.com/legal/privacy-policy
Developer Terms: https://developers.tiktok.com/terms-and-conditions/

Date Added: October 2025

Important Notes:

  • Optional integration – users must explicitly connect TikTok accounts
  • Only public performance data accessed
  • Users can disconnect at any time
  • Hook Inspo does NOT post to TikTok without explicit permission

Meta Platforms Ireland Ltd

Service Provided: Facebook/Instagram advertising platform integration

Entity Name: Meta Platforms Ireland Limited
Location: Ireland (EU headquarters)
Legal Status: EU-based entity, GDPR-compliant

Data Processed:

  • Campaign performance metrics (reach, engagement, conversions)
  • Public content metadata (when users connect Facebook/Instagram)
  • Ad spend and ROI data (if Meta Ads connected)
  • Audience insights (aggregated, anonymized)

Purpose:

  • Retrieve campaign performance data
  • Enable hook testing on Facebook/Instagram
  • Provide performance analytics
  • Ad creative optimization insights

Security & Compliance:

  • Meta Marketing API with OAuth authentication
  • GDPR compliant (EU entity)
  • Data processed per user consent
  • Access limited to user-authorized data only

Data Transfer: No transfer outside EU (Meta Ireland entity)

Privacy Policy: https://www.facebook.com/privacy/policy/
Developer Terms: https://developers.facebook.com/terms/

Date Added: October 2025

Important Notes:

  • Optional integration – users must explicitly connect accounts
  • Only accesses data user authorizes
  • Users can revoke access anytime
  • Hook Inspo does NOT post to Meta platforms without permission

SUB-PROCESSOR SUMMARY TABLE

| Sub-Processor | Service | Location | Data Processed | GDPR Safeguards |
|---|---|---|---|---|
| all-inkl.com | Web hosting | Germany (EU) | All platform data | In EU, no transfer needed |
| OpenAI, Inc. | LLM API (GPT) | USA | Hook text content | Standard Contractual Clauses |
| Anthropic, Inc. | LLM API (Claude) | USA | Hook text content | Standard Contractual Clauses |
| Paddle.com Market Ltd | Payment processing | UK/USA | Billing information | UK Adequacy + SCCs for USA |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing | Luxembourg (EU) | Payment transaction data | In EU, no transfer needed |
| SendGrid (Twilio) | Email delivery | USA | Email addresses, content | Standard Contractual Clauses |
| TikTok Pte. Ltd. | Ad platform API | Singapore/USA | Campaign data (public) | User consent + API terms |
| Meta Platforms Ireland | Ad platform API | Ireland (EU) | Campaign data (public) | In EU, no transfer needed |

DATA PROTECTION SAFEGUARDS

All Sub-processors are required to:

  • ✅ Sign Data Processing Agreements (DPAs) with GDPR-compliant terms
  • ✅ Implement appropriate technical and organizational security measures
  • ✅ Use data only for specified purposes (no secondary use)
  • ✅ Enable data subject rights (access, deletion, portability)
  • ✅ Notify Hook Inspo of data breaches within 24 hours
  • ✅ Undergo regular security assessments
  • ✅ Maintain confidentiality of all processed data
  • ✅ Delete or return data upon contract termination
  • ✅ Allow audits and inspections for compliance verification

For international transfers (outside EU/EEA):

  • ✅ Standard Contractual Clauses (SCCs) – EU Commission approved Module 2 (Controller to Processor)
  • ✅ Transfer Impact Assessments (TIAs) conducted for USA transfers
  • ✅ Additional safeguards including encryption, access controls, and data minimization


CHANGE NOTIFICATION PROCESS

How We Notify You

If we plan to add a new Sub-processor or make material changes to an existing Sub-processor’s services, we will:

  1. Email Notification: Send advance notice to your registered email address
  2. Advance Notice: Provide at least 30 days before the change takes effect
  3. Website Update: Update this page with change details
  4. Change Log: Record changes in the history section below
  5. Objection Period: Give you the opportunity to object to the change

Your Rights to Object

You may object to a new Sub-processor within the 30-day notice period if you have reasonable data protection or security concerns.

To Object:

  1. Email: legal@hookinspo.com
  2. Subject: “Sub-Processor Objection – [Your Company Name]”
  3. Include:
    • Your company name and account details
    • The Sub-processor you object to
    • Specific data protection concerns
    • Alternative suggestions (if any)
  4. Timeline: Must object within 30 days of notification

If You Object:

  • We will work with you in good faith to address your concerns
  • We may propose alternative Sub-processors or solutions
  • We will investigate your concerns and respond within 10 business days
  • If no mutually acceptable solution can be found, you may:
    • Terminate the affected services without penalty, or
    • Terminate your entire subscription with pro-rata refund

How to Stay Informed

  • Bookmark this page: https://hookinspo.com/subprocessors
  • Subscribe to updates: Contact legal@hookinspo.com with “Sub-processor Notifications” in subject
  • Enable notifications: Check your account email preferences
  • Review regularly: We recommend checking quarterly
  • RSS Feed: Subscribe to our legal updates feed (if available)

CHANGE HISTORY

We maintain a complete, transparent history of all Sub-processor changes:

| Date | Change Type | Sub-Processor | Details | Notification Sent |
|---|---|---|---|---|
| 2025-11-01 | Initial Publication | All | Initial publication of Sub-processor list | N/A – Initial list |

Note: This table will be updated with each change. Past changes are never deleted to maintain full transparency.


INTERNATIONAL DATA TRANSFERS

Some Sub-processors are located outside the European Economic Area (EEA). For these transfers, we ensure appropriate safeguards are in place:

Transfers to USA

OpenAI, Anthropic, SendGrid, Paddle (US operations):

  • Mechanism: Standard Contractual Clauses (SCCs) – EU Commission Module 2
  • Additional Safeguards:
    • Encryption in transit and at rest
    • Strict access controls and authentication
    • Contractual prohibition on government data requests without legal process
    • Commitment to challenge unlawful data requests
    • Regular Transfer Impact Assessments (TIAs)
    • Data minimization principles applied

US Privacy Framework:

  • Note: As of 2025, the EU-US Data Privacy Framework provides adequacy for certified companies
  • We verify Sub-processor certification status where applicable
  • SCCs remain in place as backup mechanism

Transfers to Singapore

TikTok Pte. Ltd.:

  • Mechanism: User consent + API terms + contractual safeguards
  • Data Type: Only public, non-personal campaign metrics
  • Optional: Users must explicitly connect TikTok accounts

No Transfer Required (Data Stays in EU)

all-inkl.com (Germany):

  • All data stored in German data centers
  • No transfer outside EU/EEA

Meta Platforms Ireland:

  • EU entity, data processed in EU
  • GDPR applies directly

Standard Contractual Clauses (SCCs)

We use the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor) approved on June 4, 2021, for all transfers to countries without an adequacy decision.

Key SCC Provisions:

  • Obligation to process data only on documented instructions
  • Confidentiality commitments
  • Security measures appropriate to the risk
  • Sub-processor requirements
  • Data subject rights assistance
  • Data breach notification
  • Deletion or return of data after contract ends
  • Audit rights
  • Liability and indemnification

Documentation:

  • Executed SCCs available to business customers upon request
  • Contact legal@hookinspo.com for copies

Transfer Impact Assessments (TIAs)

We conduct regular Transfer Impact Assessments for transfers outside the EU to ensure:

  • No local laws undermine SCC protections
  • Additional safeguards are sufficient
  • Data subjects’ rights are effectively protected
  • No high-risk scenarios exist

Last TIA Review: November 2025
Next TIA Review: May 2026


SUB-PROCESSOR SECURITY REQUIREMENTS

All Sub-processors must meet our strict security standards:

Mandatory Certifications

At least one of:

  • ✅ SOC 2 Type II
  • ✅ ISO 27001
  • ✅ PCI DSS (for payment processors)
  • ✅ Equivalent recognized certification

Technical Security Measures

  • ✅ Encryption in transit (TLS 1.2 minimum)
  • ✅ Encryption at rest for sensitive data
  • ✅ Multi-factor authentication (MFA)
  • ✅ Access controls and least privilege principle
  • ✅ Regular security patching and updates
  • ✅ Intrusion detection systems
  • ✅ DDoS protection
  • ✅ Regular penetration testing
  • ✅ Secure backup and disaster recovery

Organizational Measures

  • ✅ Security awareness training for staff
  • ✅ Background checks for personnel
  • ✅ Confidentiality agreements
  • ✅ Incident response procedures
  • ✅ Business continuity planning
  • ✅ Vendor management program
  • ✅ Regular risk assessments

Contractual Requirements

  • ✅ Data Processing Agreement (DPA)
  • ✅ GDPR compliance commitments
  • ✅ Security incident notification (24 hours)
  • ✅ Data breach notification procedures
  • ✅ Audit and inspection rights
  • ✅ Data deletion/return upon termination
  • ✅ No onward transfers without approval
  • ✅ Insurance coverage for data breaches

MONITORING AND COMPLIANCE

Our Sub-Processor Management

We actively monitor and manage all Sub-processors:

Annual Reviews:

  • Security posture assessment
  • Compliance verification
  • Performance evaluation
  • Risk assessment update

Ongoing Monitoring:

  • Security incident tracking
  • Service availability monitoring
  • Compliance with SLAs
  • Data protection compliance

Due Diligence:

  • Pre-engagement security assessment
  • Contract review by legal counsel
  • Reference checks
  • Financial stability review

Audits and Inspections

We maintain the right to:

  • Request audit reports (SOC 2, ISO 27001, etc.)
  • Conduct on-site inspections (with reasonable notice)
  • Engage third-party auditors
  • Request evidence of compliance with DPA terms

Business Customers: You may request Sub-processor audit information. Contact legal@hookinspo.com.


SUB-PROCESSOR INCIDENTS

In the unlikely event of a security incident involving a Sub-processor:

Our Response Process

  1. Immediate Notification: Sub-processor must notify us within 24 hours
  2. Assessment: We evaluate impact on customer data
  3. Customer Notification: We notify affected customers without undue delay
  4. Mitigation: Work with Sub-processor to contain and resolve incident
  5. Investigation: Root cause analysis
  6. Remediation: Implement corrective actions
  7. Documentation: Maintain incident records
  8. Reporting: Notify authorities if required by law (within 72 hours for GDPR)

Your Rights

If you are affected by a Sub-processor incident, we will:

  • Inform you of the nature and scope
  • Provide details on potential impact
  • Explain mitigation measures taken
  • Offer assistance for data subject notifications if needed
  • Answer your questions promptly

FREQUENTLY ASKED QUESTIONS

Q: Why do you use Sub-processors?

A: Sub-processors enable us to provide a high-quality, secure, and feature-rich service. They provide specialized expertise in areas like cloud infrastructure, AI, payment processing, and email delivery that would be cost-prohibitive to build in-house while maintaining the same level of security and reliability.

Q: Can I refuse to allow certain Sub-processors?

A: Yes, business customers have objection rights. If you have reasonable data protection concerns about a Sub-processor, you can object during the 30-day notice period. We’ll work to address your concerns or provide alternatives.

Q: How do you ensure Sub-processors comply with GDPR?

A: All Sub-processors sign Data Processing Agreements with GDPR-compliant terms, undergo security assessments, maintain relevant certifications (SOC 2, ISO 27001, etc.), and are subject to ongoing monitoring and periodic audits.

Q: What happens to my data if you stop using a Sub-processor?

A: When we discontinue a Sub-processor relationship, we ensure:

  • Data is migrated to a new provider (if applicable)
  • Data is securely deleted from the old Sub-processor
  • We verify deletion has occurred
  • No service disruption to customers

Q: Do Sub-processors use my data for their own purposes?

A: No. Contractually, all Sub-processors are prohibited from using your data for any purpose other than providing services to Hook Inspo. They cannot use your data to train models (for AI providers), for marketing, or for any other secondary purpose.

Q: Can I get copies of Sub-processor DPAs?

A: Business customers can request copies of relevant Sub-processor Data Processing Agreements. Contact legal@hookinspo.com. Some agreements may be subject to confidentiality provisions, but we can provide summaries of key terms.

Q: How often is this list updated?

A: We review this list quarterly and update it immediately when changes occur. We commit to 30 days’ advance notice before adding new Sub-processors.

Q: Do you use any other third parties not listed here?

A: This list includes all Sub-processors who process customer personal data. We may use other vendors for internal operations (e.g., office software, HR systems) that do not process customer data – those are not listed as they don’t impact your data.


CONTACT INFORMATION

General Sub-Processor Inquiries

Email: legal@hookinspo.com
Subject: “Sub-Processor Inquiry”

Objections to Sub-Processor Changes

Email: legal@hookinspo.com
Subject: “Sub-Processor Objection – [Your Company]”

DPA and SCC Requests

Email: legal@hookinspo.com
Subject: “Sub-Processor DPA Request”

Security Concerns

Email: security@hookinspo.com
Subject: “Sub-Processor Security Concern”

Subscribe to Updates

Email: legal@hookinspo.com
Subject: “Subscribe to Sub-Processor Notifications”
Include: Your company name and email address


LEGAL BASIS

This Sub-processor list is maintained in accordance with:

  • GDPR Article 28(2) – Requirement to obtain controller approval for Sub-processors
  • GDPR Article 28(3)(d) – Assistance with data subject rights
  • GDPR Article 28(4) – Conditions for engaging Sub-processors
  • Standard Contractual Clauses – Transparency requirements

Last Updated: November 1, 2025
Next Scheduled Review: February 1, 2026
Version: 1.0