Legal document

Privacy Policy

Effective date: April 9, 2026Last updated: April 9, 2026Version 1.0

Important: This Privacy Policy applies to SocialHook (socialhook.io), operated by Lead Lock Systems LLC, Mesa, Arizona, USA. Questions? Contact us at privacy@socialhook.io.

Table of contents

01Who we are and what this policy covers 02What data we collect and why 03How we handle Meta messaging data 04Message content — storage, retention, and deletion 05Delivery logs and metadata 06How we use your data 07Who we share data with 08International data transfers 09Your rights under GDPR and other laws 10Data security 11Cookies and tracking 12Children's privacy 13Changes to this policy 14Contact us

1. Who we are and what this policy covers

SocialHook is a Meta messaging webhook platform operated by Lead Lock Systems LLC, a company incorporated in Wyoming, United States, with a business address in Mesa, Arizona, USA.

This Privacy Policy explains how SocialHook collects, processes, stores, and protects personal data when you visit or use the SocialHook website, create and use a SocialHook account, connect your Facebook, Instagram, or WhatsApp accounts, or receive webhook payloads through SocialHook.

SocialHook acts as a data processor in relation to the messages that pass through our platform — your end customers are the data subjects, and you (the SocialHook account holder) are the data controller.

2. What data we collect and why

2.1 Account data

When you create a SocialHook account, we collect:

—Name and email address — to identify your account and send service communications
—Billing information — processed and stored by our payment processor (Stripe or Paddle). We do not store full card numbers.
—Business name and address — for invoicing and legal compliance
—IP address at signup — for fraud prevention and security

2.2 Platform connection data

When you connect your Meta platforms (Facebook, Instagram, WhatsApp), we store OAuth access tokens (encrypted), platform account identifiers, and token health metadata. We do not store your passwords.

2.3 Webhook configuration data

Your webhook endpoint URL, secret key hash (stored as a one-way hash), and event type preferences.

3. How we handle Meta messaging data

Key principle: SocialHook is infrastructure. We are a conduit that moves message data from Meta's platforms to your server. We do not read, analyze, sell, or monetize message content.

Under GDPR, SocialHook is the data processor and you (the SocialHook account holder) are the data controller. This means your customers' messages are your responsibility. SocialHook processes those messages solely to deliver them to your webhook endpoint.

A Data Processing Agreement (DPA) is available to all SocialHook customers. To request a DPA, contact privacy@socialhook.io.

4. Message content — storage, retention, and deletion

Our commitment: Message content is not stored permanently. It exists in our systems only as long as technically necessary for delivery — and is automatically deleted.

When a payload is delivered successfully, message content is not retained after delivery. When delivery fails, the payload is stored in an encrypted database with a maximum TTL of 24 hours — then automatically and permanently deleted.

Data type	Stored?	Retention period	Purpose
Message content (successful delivery)	Not stored	0 — deleted on delivery	Delivery only
Message content (failed delivery)	Temporary	Maximum 24 hours	Retry delivery
Delivery metadata	Yes	30 days	Debugging, logs
Account data	Yes	Duration of account + 30 days	Service provision

5. Delivery logs and metadata

SocialHook logs delivery metadata for every webhook attempt: timestamp, HTTP status code, response time, retry count, and event type. Message content is never written to logs. Delivery logs are retained for 30 days and accessible from your dashboard.

6. How we use your data

—To provide, maintain, and improve the SocialHook service

—To process your subscription and manage billing

—To send service-related communications (delivery failures, token expiry alerts, security notices)

—To monitor token health and proactively prevent service interruptions

—To comply with legal obligations and enforce our Terms of Service

—To detect and prevent fraud, abuse, and security threats

7. Who we share data with

We do not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with:

—Sub-processors — AWS (infrastructure), Stripe/Paddle (payments), Meta (API provider). All governed by Data Processing Agreements.

—Legal authorities — only when required by law, court order, or regulatory requirement.

—Acquirers — in the event of a merger or acquisition, subject to equivalent privacy protections.

8. International data transfers

SocialHook is operated from the United States. If you are located in the EU/EEA, your personal data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers. A copy of the SCCs is included in our Data Processing Agreement, available at socialhook.io/dpa.

9. Your rights under GDPR and other laws

If you are in the EU/EEA, UK, or California, you have the following rights regarding your personal data:

—Right of access — request a copy of the personal data we hold about you

—Right to rectification — request correction of inaccurate personal data

—Right to erasure — request deletion of your personal data

—Right to restriction — request we limit processing of your data in certain circumstances

—Right to data portability — receive your data in a structured, machine-readable format

—Right to object — object to processing based on legitimate interests

To exercise any of these rights, email privacy@socialhook.io.

10. Data security

We implement industry-standard security measures including TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access control with MFA, and regular security reviews. All infrastructure runs on AWS with SOC 2 / ISO 27001 certification. No security measure is 100% foolproof — if you discover a vulnerability, please report it to security@socialhook.io.

11. Cookies and tracking

We use minimal, privacy-preserving analytics. We do not use advertising cookies or third-party tracking pixels. Essential cookies are used for authentication and security. You can disable non-essential cookies in your browser settings.

12. Children's privacy

SocialHook is not directed at children under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@socialhook.io.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered account address with at least 14 days' notice. Your continued use of SocialHook after the effective date constitutes acceptance of the updated policy.

14. Contact us

Privacyprivacy@socialhook.io

Securitysecurity@socialhook.io

Generalhello@socialhook.io

AddressLead Lock Systems LLC · Mesa, Arizona, USA