Privacy Policy
Last updated: May 4, 2026
1. Introduction
GenZHook ("Company", "Owner", "we", "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, monetize, and safeguard your personal and non-personal information when you use our AI-powered social media content generation platform ("Service"). By using the Service, you consent to the practices described herein and you expressly agree to the Owner's Universal Reservation of Rights as set out in Terms of Service section 1.1, the Authorized-Use License in section 1.2, the Benefits Reservation in section 1.3, the Dynamic Pricing & FX clause in section 1.4, and the Comprehensive Owner Protections in section 18, all of which are incorporated into this Privacy Policy by reference.
1.1 Reservation of Rights — Privacy Practices
The Owner reserves the absolute and exclusive right, at any time, with or without prior notice, in its sole discretion, and without liability, to amend, supplement, restructure, or replace this Privacy Policy; to add, change, remove, or substitute sub-processors, vendors, AI providers, payment processors, hosting locations, or analytics tools; to introduce or remove data-collection mechanisms; to expand or narrow the categories of data we collect, retain, derive, or share; and to add, change, or discontinue any privacy-related feature, control, dashboard, export, or opt-out, partially or fully. The Owner shall also have the absolute right to refuse, restrict, or terminate any data-subject request that is manifestly unfounded, excessive, abusive, or in conflict with the Owner's legitimate interests, statutory obligations, or other users' rights, to the maximum extent permitted by applicable law. Where applicable law requires notice or consent for a specific change, we will provide the legally-required minimum; otherwise the modified version is effective upon posting. The exercise of any right under this section does not entitle you to any refund, credit-back, pro-rated reimbursement, alternative compensation, or service credit of any kind; the Owner's No-Refund Policy at /refund-policy applies in full and without exception.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, password (hashed), profile photo
- Billing Information: Processed and stored by Stripe (our payment processor). We do not store your full credit card number.
- Content Inputs: Topics, briefs, media uploads, brand settings, and preferences you provide for content generation
- Social Media Credentials: OAuth access tokens for connected platforms, encrypted with AES-256-GCM before storage
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, content generated, timestamps
- Device Information: Browser type, operating system, IP address (anonymized after 30 days)
- Analytics: Performance metrics via privacy-friendly, cookieless analytics
- Error Tracking: Application errors via Sentry (no personal data included)
3. How We Use Your Information
- To provide, maintain, and improve the Service
- To generate AI content based on your inputs
- To post content to your connected social media accounts
- To process payments and manage subscriptions
- To send transactional emails (approval requests, confirmations, receipts)
- To enforce our Terms of Service and Acceptable Use Policy
- To detect, investigate, and prevent fraud or security incidents
- To comply with legal obligations
4. Data Retention — Pipeline Model
We operate on a pipeline model — we do NOT permanently store your generated content:
- Generated Images: Delivered inline (base64) and NEVER stored on our servers
- Generated Captions: Temporarily stored for 48 hours to 7 days for approval workflow, then permanently deleted
- User-Uploaded Media: Processed in memory for AI analysis, NEVER written to disk or stored
- Content Metadata: Request logs retained for 7 days maximum, then purged
- Account Data: Retained as long as your account is active, deleted within 30 days of account deletion
- Financial Records: Retained as required by law (typically 7 years for tax purposes)
4a. Authorized Data Use for Financial, Analytical, Commercial & Third-Party Benefit
You expressly grant the Owner — and its affiliates, successors, sub-processors, partners, advertisers, data licensees, and assigns — a worldwide, perpetual, irrevocable, royalty-free, sublicensable, transferable license to collect, store, process, aggregate, anonymize, pseudonymize, derive, model, score, segment, benchmark, enrich, combine with other datasets, monetize, license, sell, share, transfer, syndicate, or otherwise commercially exploit non-content data — including, without limitation: account & profile metadata; billing, payment, currency, refund, chargeback & tax behavior; subscription tier, lifetime value, retention & churn signals; credit-consumption patterns, top-up behavior & AI-cost economics; feature-usage telemetry, click-stream, scroll behavior, dwell time, conversion-funnel signals; posting cadence, audience-segment characteristics, follower-count buckets, vertical/industry classification; integration metadata; device & environment fingerprints (excluding precise geolocation without consent); survey responses, support-ticket content, NPS scores, and any aggregated, derived, or modeled insights — for the following purposes that benefit the Owner:
- Financial purposes: revenue analytics, cohort & LTV modeling, pricing optimization, credit-cost calibration, fraud & chargeback prevention, credit-risk underwriting, internal forecasting, investor reporting, M&A due-diligence packs, and KPI reporting to lenders, insurers, or strategic partners.
- Analytical purposes: product analytics, A/B testing, machine-learning models for ranking/recommendations/abuse-detection (using only aggregated or de-identified data), benchmark reports, market-research deliverables, and competitor-trend dashboards.
- Third-party sharing for the Owner's benefit: sharing aggregated, anonymized, or pseudonymized datasets and insights with — or selling/licensing them to — analytics platforms, advertising networks (for lookalike-audience modeling and attribution), market-research firms, financial-services partners, business-intelligence vendors, data brokers (in non-identified form only), academic researchers under NDA, industry consortia, acquirers in M&A transactions, investors during due-diligence, and other commercial counterparties whose engagement furthers the Owner's commercial interests.
- Marketing & outreach: internal marketing analytics, lookalike-audience seeding (in de-identified form), case-study production (with separate opt-in for identified case studies), referral-program analytics, and partner-channel co-marketing.
- Operational purposes: security monitoring, abuse detection, capacity planning, infrastructure cost-allocation, vendor-performance evaluation.
Identified-form sharing of personal data with unaffiliated third parties for their own independent commercial purposes will only occur where (i) you have given separate, specific, lawful consent in your jurisdiction; (ii) the law otherwise permits the disclosure (e.g., for fraud prevention, legal process, vital interest); or (iii) the disclosure is part of a corporate transaction (merger, acquisition, financing, or asset sale), in which case the recipient assumes the same obligations under this Privacy Policy. Where applicable law (CCPA/CPRA, GDPR, LGPD, etc.) classifies any of the above activities as a "sale", "share", or cross-context behavioral advertising, you may exercise your statutory opt-out rights via privacy@genzhook.com or the "Do Not Sell or Share My Personal Information" control in your account; opting out does not affect the Owner's right to use aggregated, de-identified, or pseudonymized data, nor data we are legally permitted or required to retain.
The Owner shall be the sole and exclusive beneficiary of any revenue, royalty, fee, equity, or other consideration derived from this license, and you waive any and all claims to such consideration, including under unjust-enrichment, restitution, royalty-sharing, or analogous theories. This section 4a is a fundamental and bargained-for element of the Service and survives termination of your account indefinitely with respect to data lawfully collected before termination.
5. Data Sharing & Sub-Processors
We do NOT sell your personal data and we do NOT use it to train foundation AI models. We share data only with vetted sub-processors under a Data Processing Agreement. The full, versioned list — with location, purpose, and transfer mechanism — is published at /sub-processors.
- Social Media Platforms: Content you approve is posted to your connected accounts
- AI Service Providers: Google (Gemini AI) and HuggingFace Inference process your content inputs under their enterprise/API no-training terms — see /ai-training
- Payment Processor: Stripe processes billing — PCI DSS Level 1
- Email Provider: Resend delivers transactional emails
- Infrastructure: Supabase (database), Upstash (queue/cache)
- Law Enforcement: When required by law, court order, or to protect safety
For EU/UK/Swiss data subjects, cross-border transfers rely on the European Commission Standard Contractual Clauses (SCCs, 2021/914) and the UK IDTA, as detailed in our Data Processing Addendum. Enterprise customers may request a countersigned DPA at privacy@genzhook.com.
5a. Retention Schedule
| Data Category | Retention |
|---|---|
| Generated images (base64) | Never persisted |
| Uploaded media | In-memory only; discarded after generation |
| Draft captions pending approval | 48 hours – 7 days, then purged |
| Request logs & telemetry | 7 days rolling |
| Security / audit logs | 365 days |
| Account profile | Life of account + 30 days |
| Invoices & tax records | 7 years (statutory) |
| Anonymized aggregate analytics | Indefinite (no personal data) |
6. Data Security
We implement industry-standard security measures:
- Social media OAuth tokens encrypted with AES-256-GCM
- Approval tokens signed with HMAC-SHA256
- Passwords hashed by Supabase Auth (bcrypt)
- All data transmitted over TLS 1.3
- Row-level security (RLS) on all database tables
- Rate limiting on all API endpoints
- CORS restricted to our domain only
- Environment-based secret management
7. Cookies & Tracking
We use only strictly-necessary cookies for authentication, CSRF protection, and session management. We do NOT use advertising cookies, tracking pixels, fingerprinting, or third-party analytics cookies. Full disclosures at /cookie-policy.
7a. Data Breach Notification
We maintain a 24×7 incident response program. In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33) and notify affected users without undue delay. Process details and contact channels are published at /incident-response.
7b. AI Training & Model Usage
Your prompts, uploads, and generated outputs are never used by GenZHook to train, fine-tune, or evaluate foundation models. Upstream AI providers (Google Gemini API, HuggingFace Inference) are configured under their no-training enterprise/API terms. See /ai-training for provider-by-provider guarantees.
8. Your Rights
Depending on your jurisdiction (GDPR, CCPA, etc.), you may have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and data
- Portability: Receive your data in a structured format
- Objection: Object to specific data processing
- Withdrawal: Withdraw consent at any time
To exercise these rights, contact us at privacy@genzhook.com. California residents: see our CCPA/CPRA disclosures, including the "Do Not Sell or Share My Personal Information" right; we do neither. EU/UK users may also lodge a complaint with their local supervisory authority.
9. Children's Privacy
The Service is not intended for children under 18. We do not knowingly collect personal information from minors. If we become aware of such data, it will be deleted immediately. Any content involving minors is strictly prohibited and automatically moderated.
10. International Data Transfers
Your data may be processed in the United States, the European Union, and other jurisdictions where our sub-processors operate. For transfers out of the EEA, UK, or Switzerland we rely on the European Commission Standard Contractual Clauses (Module Two, 2021/914), the UK International Data Transfer Addendum, and — where applicable — Adequacy Decisions. See the DPA and sub-processor list for per-vendor transfer mechanisms.
10a. Automated Decision-Making
We do not use your personal data for solely-automated decisions producing legal or similarly significant effects on you (GDPR Art. 22). Content moderation and abuse scoring are reviewable by a human on request.
11. Changes to This Policy
We may update, supplement, restructure, or replace this Privacy Policy at any time, in our sole and absolute discretion, with the modified version effective upon posting (or on a later date we specify). While we will endeavor to notify registered users of material changes via email, failure or delay in providing such notice does not invalidate the modification, nor does it give rise to any claim, refund, or right to compensation. Continued use after changes constitutes your full and unconditional acceptance.
12. Contact
For privacy inquiries: privacy@genzhook.com