Legal

Privacy policy

Last updated · 2026-05-16

Who we are

Hookline is a daily music guessing game at hookline.live. This policy covers data we collect when you use the service. Hookline acts as the data controller for that data — your rights under EU law, and how to lodge a complaint with the Portuguese DPA, are summarised in the Your rights section below.

What we collect
  • Anonymous play. Without an account, your game state and stats stay in your browser only.
  • Account email. If you sign in, we store the email you used.
  • Sign-in emails. When you ask to sign in, we email you a one-time 6-digit code. Codes expire after a short time.
  • A sign-in cookie. When you're signed in, a small cookie keeps you signed in across visits.
  • Signed-in game data. Your daily play results and running stats (games played, score, streak) are saved on our servers so they follow you across devices.
  • Practice usage. We track how much of the free practice quota you've used, so the limit is counted fairly.
  • Purchases. If you buy a pack we record that you own it. Card details are processed by Stripe.
Why we collect it

Email and session cookies exist solely to authenticate you and link your purchases. Practice-play records exist to enforce the free quota fairly. We don't profile you, sell your data, or run targeted advertising.

Legal basis

Under GDPR Art. 6, the lawful bases we rely on are:

  • Contract — to deliver the sign-in service and pack purchases you've requested. This covers your email, the session cookie, and your ownership records.
  • Legitimate interest — to enforce the free-tier practice quota fairly.

The sign-in cookie is strictly necessary for the service to function, so no consent prompt is required under ePrivacy.

Third parties
  • Stripe — payment processing for pack purchases. Your card details are entered on Stripe's hosted Checkout page; Stripe is the data controller for payment data.
  • Resend — sending sign-in emails. Your email is shared with Resend only to deliver them.
  • Vercel — our hosting provider. Their server logs include standard request details and are kept briefly for operational purposes.

Some of these processors operate outside the EU/EEA — Stripe and Resend run infrastructure in the United States. Transfers rely on Standard Contractual Clauses approved by the European Commission, which provide GDPR-equivalent safeguards.

Your rights

Under GDPR you can request access, correction, export, or deletion of your data at any time. Hookline is built so you can exercise these rights yourself, from your account page:

  • Access & export — download a JSON copy of every record we hold on your account.
  • Delete — wipe your account (email, session, ownership records, game data). This action is immediate and irreversible.
  • Correction — the only identifying field we store is the email you signed in with. To change it, delete the account and sign in fresh with the new address.

If you believe Hookline has handled your data improperly, you have the right to lodge a complaint with the Portuguese data protection authority — CNPD (www.cnpd.pt).

Retention

Account data is kept while your account exists. Sign-in codes expire within minutes. Stripe retains payment records on its own schedule (typically several years, as required by EU law). Hosting access logs are kept for a short period by our hosting provider.

Cookies

We set one cookie when you sign in, to keep you signed in. We don't use third-party tracking cookies.

Changes to this policy

If we change this policy in any material way we'll update the “Last updated” date and, where reasonable, highlight the change on the homepage.