Privacy Policy
Effective June 1, 2026
Hookline operates an automated receptionist service that answers missed calls for local businesses, captures caller information, and helps schedule appointments. This Policy explains what information we collect, how we use it, who we share it with, and the choices you have. By using Hookline, you agree to this Policy.
Throughout this Policy, "we," "us," and "Hookline" refer to the service operator. "You" refers to (a) the business owner who creates a Hookline account and (b) any person who calls a business that uses Hookline. Where rights and obligations differ between those groups, we say so explicitly.
1. Information we collect
From business owners
When you sign up and use Hookline, we collect:
- Account information — name, email address, and authentication credentials. Passwords are stored as salted hashes; we do not store them in clear text.
- Business profile — business name, type, hours of operation, missed-call message text, and frequently asked questions you configure.
- Telephony configuration — the Hookline phone number assigned to your account and any call-forwarding settings.
- Billing information — your subscription status and a Stripe customer identifier. Full payment card details are submitted directly to Stripe; we do not store card numbers or CVCs on Hookline servers.
- Integration credentials — OAuth access and refresh tokens for third-party services you connect, such as Google Calendar.
From callers
When someone calls a business that uses Hookline and the call is forwarded to us, we collect:
- Caller phone number (caller ID), along with the date, time, and duration of the call.
- SMS conversation content — the messages exchanged between the caller and Hookline's automated assistant following a missed call.
- Information the caller voluntarily provides — for example, their name, the reason for calling, or a preferred appointment time.
Callers do not create a Hookline account. We process caller information on behalf of the business they called, which acts as the data controller for that information. Callers may request access to or deletion of their information by contacting us; we will assist and, where appropriate, route the request to the relevant business.
From integrations
When you connect a third-party service, we receive information from that service to provide the integration. Google Calendar is covered separately in Section 3.
Technical information
When you use the Hookline web application, our hosting providers log standard request data such as IP address, browser user agent, and timestamps. We use this information to operate the service, prevent abuse, and diagnose problems.
2. How we use information
We use the information we collect to:
- Operate the receptionist service — answer forwarded calls, send automated SMS replies, capture caller details, and notify you of new leads.
- Schedule appointments by checking availability on connected calendars and creating events on a caller's behalf.
- Bill account holders, manage subscriptions, and prevent fraudulent transactions.
- Communicate with account holders about their account, service updates, billing, and security incidents.
- Improve the service — for example, by reviewing aggregated, non-identifying usage metrics to understand which features are valuable.
- Comply with legal obligations and enforce our terms.
We do not use caller phone numbers or conversation content to train generalized AI models, nor to target advertising.
3. Google Calendar integration
If you choose to connect a Google Calendar, Hookline requests two OAuth scopes:
https://www.googleapis.com/auth/calendar.freebusy— read free/busy windows so we can offer callers appointment times that do not conflict with your existing schedule. This scope does not give us access to event titles, descriptions, attendees, or any other event content.https://www.googleapis.com/auth/calendar.events— create and update events for appointments booked through Hookline. We only create or modify events that originate from a Hookline booking flow; we do not read or modify your other events.
In line with the Google API Services User Data Policy, including the Limited Use requirements, Hookline's use of information received from Google APIs adheres to the following:
- We use Google user data only to provide the calendar-availability and appointment-booking features described above.
- We do not transfer Google user data to third parties except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes (such as investigating abuse), it is required by law, or the data has been aggregated and anonymized.
You can disconnect Google Calendar at any time by revoking access at myaccount.google.com/permissions or by contacting us. After disconnection, we delete the stored OAuth tokens and stop accessing your calendar.
4. How we share information
We share information only with the following categories of recipients:
- Service providers and sub-processors, who process information on our behalf under contractual obligations of confidentiality and security. Our current sub-processors include:
- Supabase — database and authentication hosting
- Stripe — payment processing
- Twilio — telephony (provisioned phone numbers and SMS)
- Google — calendar integration (only for users who connect a Google Calendar)
- Vercel — application hosting and edge delivery
- The business you called — if you are a caller, the business that uses Hookline receives the information you provide during the call or SMS conversation. The business is the controller of that information and its own privacy practices apply.
- Legal and safety — when we believe disclosure is required by law, legal process, or to protect the rights, property, or safety of Hookline, our users, or the public.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, in which case the receiving party will be bound by terms at least as protective as this Policy.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
Mobile opt-in data and phone numbers collected for SMS communications will never be shared or sold to third parties or affiliates for marketing or promotional purposes at any time.
5. Data retention
We retain information for as long as needed to provide the service and for the periods described below:
- Account data — for the life of your Hookline account, plus 90 days after cancellation to allow reactivation. After 90 days, we delete or anonymize the account record.
- Call records and SMS transcripts — 24 months by default. After the retention period, records are deleted or anonymized.
- Integration tokens (e.g., Google OAuth) — until you disconnect the integration or close your account.
- Billing records — for the period required by applicable tax and accounting law, typically up to seven years.
- Backup copies — up to 30 days after a record is deleted from production, after which backups are rotated out.
We may retain information longer when required by law, to resolve disputes, or to enforce our agreements.
6. Security
We implement administrative, technical, and physical safeguards designed to protect the information we hold, including encryption in transit (TLS), authenticated access, row-level access controls in our database, and least-privilege secret management. No method of electronic transmission or storage is 100% secure, however, and we cannot guarantee absolute security.
If we become aware of a security incident affecting your information, we will notify affected users and applicable regulators as required by law.
7. Your rights and choices
All users
Subject to applicable law, you may have the right to:
- Access the personal information we hold about you;
- Correct information that is inaccurate or incomplete;
- Delete your information, subject to limited exceptions;
- Receive a copy of your information in a portable format;
- Object to or restrict certain processing;
- Withdraw any consent you have previously given.
To exercise these rights, email hline@hooklineapp.org. We will respond within the time required by applicable law (typically 30 to 45 days). We may need to verify your identity before acting on a request.
California residents
If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act, gives you specific rights, including the right to know what categories of personal information we collect, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising.
European Union and United Kingdom residents
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation ("GDPR") and equivalent local laws apply. Our legal bases for processing your personal information are: (a) performance of a contract with you (operating the service); (b) legitimate interests (improving and securing the service); (c) consent (where you explicitly opt in, such as connecting a Google Calendar); and (d) compliance with legal obligations. You have the right to lodge a complaint with your local data protection authority.
8. International data transfers
Hookline is operated from the United States. If you access the service from outside the United States, information we collect may be transferred to, stored, and processed in the United States or other countries where our service providers operate. Where required, we rely on appropriate transfer mechanisms such as the European Commission's Standard Contractual Clauses.
9. Children
Hookline is intended for businesses and adult users. It is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided information to us, please contact hline@hooklineapp.org and we will take appropriate steps to delete it.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated to account holders by email or through a prominent notice in the web application before they take effect. The "Effective" date at the top indicates when the current version was published. Continued use of Hookline after a revised Policy takes effect constitutes acceptance of the revised Policy.
11. Contact us
If you have questions about this Policy, or want to exercise any of the rights described above, contact us at hline@hooklineapp.org. Please include enough detail for us to respond, including the email address associated with your Hookline account if applicable.
