Privacy Policy

This Privacy Policy explains how ViralHook Media SRL ("ViralHook", "we", "us", or "our") collects, uses, and protects your personal data when you use our platform at viralhook.media. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Romanian law.

1. Data Controller

2. Data We Collect

We collect the following categories of personal data:

• Account data: Full name, email address, and password (hashed) when you register
• Phone number: Required for identity verification via SMS before exporting content
• Authentication data: If you sign in with Google, we receive your name, email address, and profile picture from Google
• Video content: Videos you upload for processing. These are stored securely on our servers
• Usage data: Information about how you use the platform (clips created, exports generated, features used)
• Payment data: Billing details processed by Stripe. We do not store card numbers — only subscription status and Stripe customer ID
• Technical data: IP address, browser type, device type, and access timestamps for security and analytics purposes

3. How We Use Your Data

• To provide, operate, and improve the ViralHook platform
• To verify your identity via SMS before allowing content export
• To send transactional emails (account confirmation, password reset)
• To process payments and manage your subscription
• To prevent fraud, abuse, and unauthorized access
• To comply with legal obligations

We do not use your data for advertising or sell it to third parties.

4. Legal Basis for Processing

• Contract performance — processing necessary to provide the service you signed up for (Art. 6(1)(b) GDPR)
• Legitimate interest — security monitoring, fraud prevention, platform analytics (Art. 6(1)(f) GDPR)
• Legal obligation — compliance with applicable Romanian and EU law (Art. 6(1)(c) GDPR)
• Consent — where explicitly requested (e.g. marketing communications)

5. Third-Party Services

We use the following third-party processors, each bound by appropriate data protection agreements:

• Supabase — database and authentication infrastructure (EU region)
• Vercel — hosting and content delivery
• Cloudflare R2 — encrypted video file storage
• Twilio — SMS verification for phone number confirmation
• Resend — transactional email delivery
• Google — optional OAuth sign-in
• Stripe — payment processing and subscription management

6. Data Retention

• Account data is retained for as long as your account is active. You may delete your account at any time
• Videos and exported clips are stored in your account until you delete them manually from your dashboard
• Payment records are retained for 5 years as required by Romanian fiscal law
• Server logs are retained for up to 90 days for security purposes

7. Data Security

We protect your data using industry-standard measures:

• All data transmitted between your browser and our servers is encrypted via HTTPS/TLS
• Video files are stored with server-side encryption at rest
• Passwords are hashed and never stored in plain text
• Access to production systems is restricted and audited
• Phone verification is required before any content export

8. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure — request deletion of your personal data ("right to be forgotten")
• Right to data portability — receive your data in a structured, machine-readable format
• Right to restriction — request that we limit how we process your data
• Right to object — object to processing based on legitimate interest
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at hello@viralhook.media. We will respond within 30 days.

9. Cookies

We use only strictly necessary cookies for authentication and session management (Supabase auth cookies). We do not use tracking, advertising, or analytics cookies.

No cookie consent banner is required for strictly necessary cookies under the ePrivacy Directive.

10. International Transfers

Some of our third-party processors (e.g. Vercel, Cloudflare) may process data outside the EU/EEA. Where this occurs, appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions) to ensure your data is protected to GDPR standards.

11. Supervisory Authority

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Romanian data protection supervisory authority:

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a notice on the platform. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

For any privacy-related questions or requests, contact us at: