PRIVACY POLICY

www.hookd.group

Document Set v1.2 · Effective: 2026-05-18

Supersedes: v1.1 (2026-05-18) and v1.0 (2026-05-15)

This document is part of the Hookd Group v1.2 legal pack, comprising: General Terms & Conditions, Privacy Policy, Cookie Policy, Refund Policy, Data Processing Agreement (DPA, Annex I to the Terms), and Subprocessor List. All documents in this set share the same effective date and must be read together. In the event of conflict between documents, the order of precedence is: (i) any individually-signed Order; (ii) the General Terms & Conditions; (iii) the Data Processing Agreement (for matters of personal-data protection, the DPA prevails over the Terms); (iv) the Refund Policy; (v) the Subprocessor List; (vi) the Privacy Policy; (vii) the Cookie Policy.

Hookd Group is the operating brand of OmnisMundi GmbH, a private limited company organised under the laws of the Federal Republic of Germany, with registered office at Kirchhainer Strasse 62, 60433 Frankfurt am Main, Germany, registered with the commercial register of the local court of Frankfurt am Main (Managing Director: Gerald Heydenreich). All references in this document to "Hookd Group", "the Company", "we", "us" or "our" mean OmnisMundi GmbH acting under the brand "Hookd Group". General contact: info@hookd.group. Data-protection enquiries: privacy@hookd.group. Web: https://www.hookd.group.

With this data protection information, we inform you about the nature, scope and purpose of the collection and processing of personal data at Hookd Group (the "Service") and on its web pages. It also explains some of the precautions that ensure the confidentiality of the transmitted data and serve to protect your privacy.

We reserve the right to change this data protection information without prior notice in order to adapt it to changed legal situations or in the event of changes to our service offering or data processing. Changes come into force with their publication on our website.

1. Data Controller's Contact Details

The data controller within the meaning of the General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG) is:

Hookd Group (OmnisMundi GmbH)
Kirchhainer Strasse 62
60433 Frankfurt am Main, Germany
Registered with the commercial register of the local court of Frankfurt am Main
Managing Director: Gerald Heydenreich
General email: info@hookd.group
Data protection enquiries: privacy@hookd.group

No data protection officer (DPO) has been appointed at the version date of this Policy, since Hookd Group does not meet the thresholds set out in Article 37 GDPR and § 38 BDSG. We will appoint a DPO if and when applicable thresholds are met and will update this Policy accordingly.

2. Purposes and Lawful Basis

The protection of personal data is an important concern for us. We collect, process and use personal data only in compliance with the relevant data protection regulations.

If you have registered as a user of our Services, Hookd Group will process your personal data for the following purposes and on the following legal bases:

  • Provide and manage our Services in accordance with the Terms and Conditions of our Services, including but not limited to: creating, setting up and managing your user account and profile on Hookd Group and, if necessary, blocking it and/or cancelling it; enabling you to use our Services; contacting you about matters related to our Services; and assisting with, managing and addressing any requests, comments and/or queries you make to us. Legal basis: performance of a contract to which you are a party (Article 6(1)(b) GDPR), and consent where applicable (Article 6(1)(a) GDPR).
  • Process payments and issue invoices via our Merchant of Record (Polar Software, Inc.) and meet our tax and accounting obligations. Legal basis: performance of a contract (Article 6(1)(b) GDPR) and compliance with legal obligations (Article 6(1)(c) GDPR, in particular § 257 HGB and § 147 AO).
  • Comply with our legal obligations, possible judicial resolutions and other decisions determined by the authorities. This includes the communication of personal data to law enforcement authorities whenever we have suspicions or indications of an action that may constitute a criminal offence. Legal basis: compliance with the legal obligations of Hookd Group (Article 6(1)(c) GDPR).
  • Guarantee the security of our Services, preventing and detecting possible security incidents, fraud and other criminal offences. Legal basis: satisfaction of our legitimate interest (Article 6(1)(f) GDPR).
  • Carry out statistical analyses and reports in order to understand the performance of and need for our Services, with the purpose of improving their development and offering new solutions. Legal basis: satisfaction of our legitimate interest in managing and improving our products and services (Article 6(1)(f) GDPR).
  • Maintain an internal audit trail of AI-generation actions for accountability and regulatory-compliance purposes, including (without limitation) for compliance with Article 50 of the EU AI Act (Regulation (EU) 2024/1689). Legal basis: compliance with the legal obligations of Hookd Group (Article 6(1)(c) GDPR) and our legitimate interest (Article 6(1)(f) GDPR).

If you have not registered as a user on Hookd Group, but you contact us by any contact email and/or through any available contact form and request information about our Services or make inquiries, your personal information will be processed in order to assist, manage and respond to any requests, comments and/or inquiries you make. The processing is based on your consent, given by contacting us through the form provided or another available contact channel (Article 6(1)(a) GDPR).

Please note that our website installs cookies that may collect information about your navigation and that can identify you. For more information, please read our Cookie Policy.

3. Categories of Personal Data Processed

In the course of providing the Service, we process the following categories of personal data:

3.1 Account and registration data

  • Name and business email address of the registering user
  • Company name, role and job title (optional)
  • Authentication credentials (password hashes; OAuth identifiers if signed in via third-party identity providers)
  • IP address and browser-agent metadata captured at registration

3.2 Billing and payment data

  • Billing contact details (name, business address, VAT identification number where applicable)
  • Subscription plan and billing history
  • Payment processor reference identifiers (actual payment-card data is processed by Polar Software, Inc. acting as our Merchant of Record, and is not stored by us)

3.3 Service-usage data

  • Authentication and session timestamps
  • Actions taken within the Service (page views, feature interactions, AI-generation events, Credit consumption events)
  • Audit trail of AI-output generation, including the input prompt, the model used, and a hash of the output (for accountability under Article 50 EU AI Act)

3.4 Client Content

Data, leads, lead enrichments, drafts, schedules, contact lists and other content uploaded by the Client or generated through the Service. To the extent that Client Content contains personal data of third parties (e.g. prospect names, business email addresses, business contact information), the Client is the controller of that data, and Hookd Group acts as a processor within the meaning of Article 4 No. 8 GDPR. Such processing is governed by the Data Processing Agreement ("DPA").

3.5 Communications data

  • Support tickets and customer-service correspondence
  • Email-engagement metadata where the Client uses our integrated email features (open and click events captured via Brevo SAS)

4. Storage

We will store your data for as long as we are required to do so by law or in order to fulfil our legal or contractual obligations. We will also store your data for as long as the statute of limitations has not expired. Specific retention periods are:

  • Account and registration data — for the duration of the Subscription, plus 30 days after termination
  • Billing and invoice data — 10 years from issuance, in accordance with § 257 HGB and § 147 AO
  • Client Content — for the duration of the Subscription, plus 30 days after termination, after which it is deleted from active systems, subject to legal retention obligations
  • Service-usage and audit data — up to 24 months, except for AI-action audit logs which are retained for the periods required to demonstrate compliance with applicable AI regulation (typically up to 6 years)
  • Communications data (support tickets) — 3 years from closure of the ticket

Personal data processed on the basis of your consent will be kept until that consent is withdrawn; once it is withdrawn, we may in some cases keep the data for the period necessary for the formulation, exercise or defence of claims, requirements, liabilities and legal and/or contractual obligations.

5. Transfer of Data

Depending on the purposes for which personal information is collected, the following third parties may have access to personal data:

  • Public Administrations, Agencies and/or Competent Authorities and the corresponding Law Enforcement Authorities, in cases where there is a requirement or a legal obligation, or where we consider that there are sufficient indications and/or suspicions that we are facing an illicit or criminal offence;
  • Partners and third-party service providers who process information as data processors. All our suppliers have signed the corresponding data processing agreement in accordance with Article 28 GDPR. A current list of subprocessors is maintained in the Hookd Group Subprocessor List (see Section 6 below).

Where personal data is transferred to recipients outside the European Economic Area, we ensure adequate protection by using the safeguards permitted by law, in particular Standard Contractual Clauses ("SCCs") adopted by the European Commission (Decision (EU) 2021/914), supplemented where necessary by additional technical, contractual and organisational measures pursuant to the Schrems II jurisprudence of the Court of Justice (Case C-311/18). Where applicable, we also rely on European Commission adequacy decisions (e.g. the EU-US Data Privacy Framework for participating organisations). A copy of the relevant safeguards is available on request to privacy@hookd.group.

6. Subprocessors

A current list of subprocessors engaged by us to process personal data on behalf of Clients (where we act as processor) is maintained in the Hookd Group Subprocessor List, available within the Service or on request to privacy@hookd.group. The Subprocessor List identifies, for each subprocessor: name, role and purpose, location, categories of data processed, and the international-transfer mechanism where applicable.

As of the version date of this Policy, our key subprocessors are: Polar Software, Inc. (payment processing, Merchant of Record), Brevo SAS (email delivery), Anthropic, PBC (Premium and Mid-tier AI models), DeepSeek (Budget-tier AI model), PostHog Inc. (product analytics), and the cloud hosting and backup providers identified in the Subprocessor List.

7. Collection and Storage of Access Data (Web Analytics and Cookies)

Each time our website is accessed, our content management system automatically collects and stores data and information from the accessing computer system. The following data is collected in this process:

  • Information about the browser type and version used
  • The operating system of the user
  • The user's Internet service provider
  • The IP address of the user
  • Date and time of access
  • Internet pages from which the user's system accesses our website

We store this information for a maximum period of 30 days for reasons of data security, to ensure the stability and operational security of our system as well as to optimise it. The legal basis for the temporary storage of the data is Article 6(1)(f) GDPR.

Web analytics: We use PostHog Inc. for product analytics within the Service (not on our marketing website). Configuration is documented in the Subprocessor List.

Cookies: please refer to our separate Cookie Policy for details on cookies used on our website and within the Service.

8. Data Security

During your visit to our website, we use the widely used TLS protocol with the highest encryption level supported by your browser. You can tell whether an individual page of our website is transmitted in encrypted form by the closed lock symbol displayed in the address bar of your browser.

In addition, we use other appropriate technical and organisational security measures within the meaning of Article 32 GDPR to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Measures include (without limitation): encryption of data in transit (TLS 1.2 or higher) and at rest, multi-factor authentication for administrative access, role-based access controls, audit logging, regular backups, and personnel training. Specific measures evolve in line with the state of the art and are detailed in the Technical and Organisational Measures Annex of the Data Processing Agreement.

Notwithstanding the measures taken to protect your data, data protection and confidentiality may sometimes be restricted when processing data via universally accessible media. When using the Internet as a transmission medium via computer, cell phone or other end device, it cannot be ruled out that third parties may gain access to your data and thus draw conclusions about you or that personal data may flow to third countries without our intervention.

9. Automated Decision-Making and Profiling

Certain features of the Service involve automated processing, including AI-based scoring and prioritisation of leads ("Qualify" scoring) and AI-based content generation. The output of these features is intended to support, not replace, decisions made by the Client's authorised users. The features do not produce legal effects concerning data subjects within the meaning of Article 22 GDPR, since (i) the output is advisory and (ii) a human-in-the-loop approval step is required before any AI Output is published or transmitted externally.

Where, in the future, the Service introduces fully automated decision-making within the meaning of Article 22(1) GDPR, this Policy will be updated and, where required, additional consent or legal-basis disclosures will be made.

10. Your Rights

With regard to the personal data concerning you, you are entitled in particular to the data protection rights under the GDPR:

  • Right of withdrawal: you have the right to withdraw your consent to the processing of personal data concerning you for one or more specific purposes at any time, if the processing is based on your explicit consent (Article 7 GDPR).
  • Right to information: you can request information about whether and to what extent personal data about you is being processed (Article 15 GDPR).
  • Right to rectification, erasure and restriction of processing: You have the right to request the rectification of inaccurate or incomplete personal data concerning you (Article 16 GDPR), the restriction of processing (Article 18 GDPR), and the deletion of your personal data if one of the listed grounds applies (Article 17 GDPR).
  • Right to data portability: You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format and to have this data transferred to another controller (Article 20 GDPR).
  • Right to object: You have the right to object informally to data processing in individual cases for reasons arising from your particular situation, provided that the processing is in the public interest or is carried out to protect the legitimate interests of Hookd Group or a third party (Article 21 GDPR).
  • Right to lodge a complaint: you have the right — if you are of the opinion that the processing of personal data by Hookd Group is in conflict with the applicable data protection law — to lodge a complaint with the competent data protection supervisory authority (Article 77 GDPR).

If you have any questions regarding individual data processing or wish to exercise your aforementioned rights, you can reach us at privacy@hookd.group. We will respond without undue delay and at the latest within one month of receipt of the request, in accordance with Article 12(3) GDPR.

For further information on your rights and on how to lodge a complaint, please find below the contact details of the competent data protection supervisory authority for our registered office in Frankfurt am Main:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Telephone: +49 611 1408 0
Email: poststelle@datenschutz.hessen.de
Internet: www.datenschutz.hessen.de

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work or place of the alleged infringement.

11. Children's Data

The Service is a B2B platform intended exclusively for entrepreneurs (Unternehmer within the meaning of § 14 BGB) and is not directed at children. We do not knowingly collect personal data of persons under the age of 16. If we become aware that personal data of a person under 16 has been collected, we will delete that data without undue delay.

12. Updates to This Policy

We may update this Policy from time to time to reflect changes in the Service, in applicable law, or in our processing practices. Material changes will be notified to you via in-Service notification or email at least 30 days before they take effect. Non-material changes (e.g. updates to the Subprocessor List, clerical corrections) come into force with their publication on our website. The current version is always available via the URL stated within the Service. The version number and effective date at the top of this Policy indicate the version in force.

— End of Privacy Policy —