Privacy Policy
Brand / Application: SocialHook Legal Entity: SOCIALHOOK TECHNOLOGIES PRIVATE LIMITED Corporate Identity Number (CIN): U63120MH2025PTC446413 PAN: ABQCS0075H | TAN: NGPS26649A Date of Incorporation: 23 April 2025 (incorporated under the Companies Act, 2013; a company limited by shares) Registered Office: Plot No. 11, New Dnyaneshwar Nagar, Manewada Road, Dighori Naka, Nagpur – 440024, Maharashtra, India Website: https://socialhook.digitalarena.online Support / Grievance / Data Protection Contact: socialhook4@gmail.com Grievance Officer & Data Protection Officer: Tejas Mawale — socialhook4@gmail.com
Effective Date: 1 July 2026 Last Updated: 1 July 2026 Version: 2.0
1. Who We Are and About This Policy
This Privacy Policy ("Policy") describes how SOCIALHOOK TECHNOLOGIES PRIVATE LIMITED, a private limited company incorporated under the Companies Act, 2013, bearing CIN U63120MH2025PTC446413, having its registered office at Plot No. 11, New Dnyaneshwar Nagar, Manewada Road, Dighori Naka, Nagpur – 440024, Maharashtra, India ("SocialHook", "Company", "we", "us", "our"), collects, uses, discloses, stores, transfers, protects, and otherwise processes your personal data when you access or use the SocialHook mobile application, the website at https://socialhook.digitalarena.online, and all related products, features, and services (together, the "Platform").
SocialHook is a social-media and creator platform offering, among other things: a personalised content feed; reels and short videos; stories; blogs and long-form articles; comments, reactions, and threaded discussions; direct and group messaging; audio rooms and live audio/video sessions; free skill-based quiz contests; debates; an in-app virtual coin and gifting system; creator earnings and payouts funded by advertising; third-party advertising; an AI companion feature ("Dalal"); and machine-learning-based recommendations, ranking, and engagement features.
For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025, we are a Data Fiduciary and you are a Data Principal. For the purposes of the EU General Data Protection Regulation ("GDPR") and the UK GDPR, we are a Data Controller. For the purposes of the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), we are a "business".
This Policy is designed to comply with, and should be read in light of, the DPDP Act 2023 and DPDP Rules 2025, the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021"), the GDPR, the UK GDPR, and the CCPA/CPRA. It is incorporated into and forms part of our Terms & Conditions.
By creating an account, accessing, or using the Platform, you acknowledge that you have read and understood this Policy. Where applicable law requires your consent, we obtain it separately through a clear, affirmative, unbundled action at sign-up and through the controls in your settings; this Policy is informational and does not, by itself, constitute your consent.
2. Scope and Application
This Policy applies to all users of the Platform worldwide and to all personal data we process in connection with the Platform, whether you access it from India or elsewhere. It applies when you, among other things:
- register for, authenticate, maintain, or delete an account;
- set up or edit a profile;
- create, upload, post, stream, broadcast, transmit, or share content;
- interact socially (follow, comment, react, message, join audio/video sessions);
- participate in quizzes, debates, or other Platform activities;
- earn, purchase, gift, hold, or withdraw virtual coins, or receive creator payouts;
- view, click, or interact with advertising;
- use the AI companion or location-based features; or
- contact us, submit feedback, or raise a grievance.
This Policy does not apply to third-party websites, applications, networks, or services that we do not own or control, even where they are integrated into, embedded within, or linked from the Platform (for example, ad networks, payment processors, authentication providers, and external links or web views). Your interactions with those third parties are governed by their own privacy policies, and we encourage you to review them.
3. Strict 18+ Platform — No Minors
The Platform is intended exclusively for persons who are 18 years of age or older.
- You must be at least 18 years old and have the legal capacity to enter into a binding contract in order to create an account or use the Platform.
- At sign-up, you are required to provide clear affirmative confirmation, through a separate, unticked control, that you are 18 or older.
- We do not knowingly collect, solicit, or process the personal data of any person under the age of 18. We do not knowingly direct any behavioural tracking, profiling, or targeted advertising at minors.
- Because the Platform is an 18+ service, we satisfy children's-data obligations under DPDP Act Section 9 through a strict age gate combined with removal of any account discovered to belong to a person under 18, rather than through parental-consent or minor-mode mechanisms.
- If we learn or have reasonable grounds to believe that a user is under 18, we will suspend and remove that account and delete, restrict, or anonymise the associated personal data in accordance with applicable law and our retention schedule (Section 11).
- If you believe that a person under 18 is using the Platform, please notify the Grievance Officer at socialhook4@gmail.com immediately so that we can act.
4. Categories of Personal Data We Collect
The categories below reflect the Platform's actual functionality and its integrated technologies (see the Data Inventory in Section 6).
4.1 Data you provide to us directly
| Category | Examples | Collected via |
|---|---|---|
| Account & identity data | Full name, username/handle, email address, mobile number, password (stored only as a salted secure hash, never in plain text), profile photo, bio/about, and chosen login method | Registration, login, profile setup |
| Profile & social graph data | Links, interests, gender (if provided), followers/following, friends, blocked/muted users, and other relationship data | Profile and social features |
| User-generated content | Feed posts, reels/short videos, stories, blogs/long-form articles, comments and replies, reactions, audio and video content, images, uploaded PDFs (e.g. comics), quiz answers and results, debate content, and captions/metadata | Content-creation features |
| Communications data | Direct and group messages, live-session chat, reports, suggestions/feedback, and grievance submissions | Messaging, feedback, grievance features |
| Financial, transaction & payout data | Virtual coin balance and ledger entries, coin purchases (where offered), gifts sent/received, creator earnings, withdrawal/redemption requests, and KYC data required for payouts (e.g. PAN, payout destination such as UPI ID or bank account details, and, where required, an identity document) | Wallet, purchase, and withdrawal/payout features |
| AI interaction data | The text you send to the "Dalal" AI companion and prompts you select in sessions | AI companion feature |
4.2 Data collected automatically
| Category | Examples | Source / SDK |
|---|---|---|
| Device & technical data | Device model, manufacturer, operating system and version, application version, hardware/software identifiers, device/push notification token, language, locale, and time zone | Device, device_info_plus, package_info_plus |
| Log & usage data | IP address (including registration IP and last-login IP), login and activity timestamps, actions taken, screens/content viewed, watch time, search queries, session identifiers, referral data, crash logs, and diagnostic data | Server logs, application telemetry |
| Behavioural & inference data | Content you view and engage with, dwell time, likes/shares/comments, follow patterns, and derived machine-learning "embeddings"/signals used to rank and personalise your feed, recommendations, discovery, and engagement features | Recommendation & ML systems (feed-service, ml-service) |
| Precise location data | GPS coordinates (latitude/longitude) — collected only where you grant device-level location permission | geolocator, google_maps_flutter |
| Approximate location data | Country, region, city, and time zone, derived from IP address or coarse signals | Server-side derivation, geocoding |
| Media & sensor input | Metadata associated with photos/videos you upload; camera input when you use media, QR, or barcode features (barcode scanning is processed on-device) | image_picker, mobile_scanner, google_mlkit_barcode_scanning |
| Cookies / local storage / identifiers | Advertising identifiers, app-instance identifiers, local storage, secure storage, and similar technologies | Platform, SDKs |
4.3 Data we receive from third parties
- Authentication providers: When you sign in with Google or Apple, we receive the basic profile identifiers you authorise (such as name and email, or a private relay email for Apple).
- Advertising & analytics partners: We may receive aggregated, pseudonymous, or de-identified measurement, attribution, and audience insights.
- Payment & payout partners: We may receive transaction status, verification/KYC results, and payout success/failure information.
4.4 Sensitive personal data
We do not intentionally collect "special category" (GDPR) or "sensitive personal data or information" (SPDI Rules) — such as data revealing health, religious or political beliefs, sexual orientation, biometric or genetic data, or financial account passwords. Please do not submit such data through the Platform. Where financial information such as PAN or payout details is collected for withdrawals, it is treated as sensitive and processed only for payout, tax, and compliance purposes. Any sensitive data you voluntarily choose to make public in your content is processed on the basis of your having manifestly made it public, and at your own risk.
5. Purposes of Processing and Legal Bases
We process personal data only for specified, lawful purposes. The following table maps each purpose to its legal basis under the DPDP Act and the GDPR/UK GDPR.
| Purpose | Data used | DPDP basis | GDPR / UK GDPR basis |
|---|---|---|---|
| Create, authenticate, and operate your account and the core Platform | Account, identity, content, device, log data | Contract necessity / consent | Contract — Art. 6(1)(b) |
| Enable social interaction, messaging, and live audio/video sessions | Profile, social, communications data | Contract / consent | Contract — Art. 6(1)(b) |
| Personalise your feed, recommendations, ranking, and discovery | Behavioural, inference, usage data | Consent | Consent — Art. 6(1)(a) |
| Operate the coin economy, gifts, earnings, and creator payouts | Financial, transaction, KYC data | Contract / legal obligation | Contract; legal obligation — Art. 6(1)(b), (c) |
| Serve advertising, including personalised advertising where you consent | Advertising identifiers, usage, ad-interaction data | Consent (personalised) | Consent; legitimate interests (non-personalised) — Art. 6(1)(a), (f) |
| Measure, analyse, and improve the Platform | Usage, device, log data | Consent / legitimate use | Consent; legitimate interests — Art. 6(1)(a), (f) |
| Safety, content moderation, fraud/abuse prevention, and security | Content, device, log, behavioural data | Legitimate use; legal obligation | Legitimate interests; legal obligation — Art. 6(1)(f), (c) |
| Provide AI companion features | AI interaction text | Consent | Consent — Art. 6(1)(a) |
| Location-based features | Precise / approximate location | Consent | Consent — Art. 6(1)(a) |
| Communicate service, transactional, and (where opted in) marketing messages | Contact data, device token | Contract / consent | Contract; consent — Art. 6(1)(b), (a) |
| Comply with law, respond to lawful requests, exercise/defend legal claims, and enforce our Terms | Any relevant data | Legal obligation | Legal obligation; legitimate interests — Art. 6(1)(c), (f) |
Where we rely on consent, you may withdraw it at any time (Section 12). Withdrawal is as easy as granting, does not affect processing carried out before withdrawal, and may limit or disable features — for example, declining personalisation yields a non-personalised feed, and declining ad personalisation yields non-personalised ads.
5.1 Legitimate uses relied on without consent (DPDP Section 7)
We may process certain personal data without separate consent where the DPDP Act permits, including: providing a service or benefit you have requested (account provisioning under the contract); complying with law or a judgment/order; responding to lawful requests from public authorities; corporate reorganisation; fulfilling legal obligations; and preventing/detecting fraud and ensuring security. Personalisation, marketing, and ad-targeting are not treated as legitimate uses and are carried out only with your consent.
6. Third-Party Services and SDKs — Data Inventory
The Platform integrates the third-party services and software development kits ("SDKs") listed below. For each, we disclose its purpose and the categories of personal data shared with or processed by it. We display third-party advertising, and we use Google Analytics / Firebase Analytics — both are expressly disclosed here.
| Service / SDK | Provider | Purpose | Personal data shared / processed |
|---|---|---|---|
Google AdMob (google_mobile_ads) | In-app advertising, including personalised ads where you consent | Advertising identifiers, device data, coarse location, ad-interaction data | |
Firebase Analytics / Google Analytics (firebase_analytics) | Product analytics, usage measurement, attribution | Pseudonymous identifiers, event/usage data, device data | |
Firebase Cloud Messaging (firebase_messaging) | Push notifications | Device/push token, device data | |
Firebase Authentication (firebase_auth) | Account authentication, session security | Identifiers, email, auth tokens | |
Cloud Firestore (cloud_firestore) | Realtime data storage for certain features | Account identifiers and related feature data | |
Google Sign-In (google_sign_in) | Sign in with a Google account | Name, email, Google account identifier | |
Sign in with Apple (sign_in_with_apple) | Apple | Sign in with an Apple ID | Name (if shared), email or private relay email, Apple identifier |
Google Maps / Geocoding / Geolocation (google_maps_flutter, geocoding, geolocator) | Google / device | Maps and location-based features | Precise and approximate location |
Google ML Kit — Barcode Scanning (google_mlkit_barcode_scanning) | Google (on-device) | QR/barcode scanning | Camera image processed on-device |
RevenueCat (purchases_flutter) | RevenueCat, Inc. | Managing in-app purchases/subscriptions where offered | Purchase identifiers, transaction data, app user ID |
| Apple App Store / Google Play Billing | Apple / Google | Processing in-app purchases | Transaction and purchase data (handled by the store) |
| Razorpay / RazorpayX | Razorpay Software Pvt. Ltd. | Processing creator withdrawals/payouts via UPI and other eligible methods | Payout destination (UPI/bank), KYC/verification data, transaction data |
LiveKit (livekit_client) & WebRTC (flutter_webrtc) | LiveKit / WebRTC | Audio rooms and live audio/video sessions | Connection metadata; audio/video streams during a session |
Centrifugo (centrifuge) | Self-hosted (Centrifugal Labs software) | Realtime chat and live updates | Message and presence data |
| Google Cloud Storage | Storing and serving uploaded media | Uploaded content and associated metadata | |
Google Fonts (google_fonts) | Font rendering | Technical request data | |
Dalal AI Companion (self-hosted ml-service, Ollama-based) | Operated by SocialHook | Generating AI companion replies and conversation prompts | The text you send to the AI in a session |
We maintain and periodically review an internal data inventory. If a data category or third-party service is added to, removed from, or changed in the Platform, we will update this Section accordingly. No data category or third-party service present in our data inventory is omitted from this Policy.
6.1 Advertising — data, purpose, and opt-out
We display advertising through Google AdMob. AdMob and its partners may collect device and advertising identifiers, coarse location, and ad-interaction data to serve, cap, measure, and — where you consent — personalise ads. Advertising is the primary source of Platform revenue and funds creator/user payouts.
How to control advertising:
- In-app: Use the ad-personalisation / privacy controls in Settings to decline personalised ads (you will still see non-personalised ads).
- Android: Settings → Google → Ads → reset/delete advertising ID or opt out of ad personalisation.
- iOS: Settings → Privacy & Security → Tracking / Apple Advertising; deny App Tracking Transparency prompts.
- Google Ads Settings: https://adssettings.google.com
6.2 Analytics — data, purpose, and opt-out
We use Firebase Analytics / Google Analytics to understand usage, measure performance, and improve the Platform. It processes pseudonymous identifiers and event/usage data. You can disable analytics collection using the privacy controls in Settings where available, and reset/limit your advertising identifier as above. Google's practices are described at https://policies.google.com/privacy and https://policies.google.com/technologies/partner-sites
7. Cookies, SDKs, and Similar Technologies
The Platform is primarily a mobile application and relies on SDKs, device identifiers, local storage, and secure storage rather than browser cookies. Our website (https://socialhook.digitalarena.online) and any embedded web views may use cookies and similar technologies for essential operation, security, preferences, and measurement. Where required by law, we obtain consent for non-essential technologies and provide controls to manage them. You can also manage cookies through your browser settings.
8. How We Share and Disclose Personal Data
We do not sell your personal data for monetary consideration. We disclose personal data only as described below:
- With other users and the public: Content you post and profile information you make public are visible to other users and, depending on your settings, to the public and to non-users. Direct/group messages are shared with your chosen recipients. Live-session audio/video is shared with session participants.
- With processors and service providers: The third parties listed in Section 6, who process data on our behalf under contractual confidentiality, security, and data-protection obligations, and only on our instructions.
- For payments and payouts: With payment/payout processors (including Razorpay), and with tax and regulatory authorities where legally required.
- For legal, safety, and compliance reasons: With law-enforcement agencies, courts, regulators, and other authorities where required by applicable law, a valid legal order, or to preserve information under the IT Rules 2021; and to protect the rights, safety, and property of SocialHook, our users, or the public, to detect/prevent fraud, abuse, or security incidents, and to enforce our Terms.
- In corporate transactions: In connection with a merger, acquisition, investment, financing, reorganisation, insolvency, or sale of assets, subject to appropriate confidentiality and continuity of this Policy.
- With your consent or at your direction: In any other case where you consent to or direct the disclosure.
9. Intermediary Status and Content
SocialHook operates the Platform as an intermediary under Section 79 of the IT Act and observes due-diligence obligations under the IT Rules 2021, including publishing rules of conduct, prohibiting unlawful content, operating a grievance-redressal mechanism, preserving information as required, and acting on valid takedown requests. Personal data associated with reported or unlawful content may be processed and preserved for investigation, compliance, and legal purposes.
10. International Data Transfers
SocialHook is based in India and serves users internationally. Personal data may be processed and stored in India and in other countries where we or our service providers operate (including where Google, Apple, RevenueCat, Razorpay, and similar providers host infrastructure).
Where personal data is transferred outside India, or outside your home jurisdiction, the categories of recipients include cloud-hosting, analytics, advertising, authentication, realtime-communication, and payment providers described in Section 6. We apply appropriate safeguards, which may include:
- transferring personal data only to countries not restricted by the Central Government under Section 16 of the DPDP Act;
- for transfers of EU/EEA and UK personal data, the European Commission / UK Standard Contractual Clauses or equivalent contractual protections, together with any required transfer-impact assessment;
- reliance on recipient certifications, adequacy determinations, and binding security commitments; and
- data-minimisation, purpose-limitation, and confidentiality obligations imposed on recipients.
You may contact us for further information about the safeguards applied to a specific transfer.
11. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, after which it is deleted, anonymised, or restricted. Our retention criteria are:
| Data category | Retention criterion |
|---|---|
| Account & profile data | For the life of your account; then deleted or anonymised after deletion, subject to the periods below |
| User-generated content | For the life of your account or until you delete it; some content may be anonymised to preserve thread/social-graph integrity |
| Direct/group messages & chat | For the life of your account; purged or anonymised following account deletion |
| Behavioural / ML inference data | Retained while needed for personalisation and safety, then aggregated, de-identified, or deleted |
| Precise location data | Retained only as long as needed for the feature used, then deleted or aggregated |
| Log & security data | Retained for a limited period necessary for security, fraud prevention, and legal compliance |
| Preservation on account deletion | Certain user information is preserved for 180 days after deletion to meet IT Rules 2021 due-diligence/investigation obligations |
| Financial, transaction & tax records | Retained for up to 7 years (or longer where required) to meet Income-Tax, GST, TDS, accounting, and anti-money-laundering obligations, even after account deletion |
| Consent records | Retained on an append-only basis to evidence consent history and version |
Account deletion process: when you delete your account, we (i) promptly hide your profile and content and revoke access tokens; (ii) delete ephemeral content (e.g. stories) immediately; (iii) delete or anonymise your content and messages; (iv) move a legally-required subset (identity, IP/log, transaction, moderation/security records) into a restricted, access-controlled archive for 180 days; and (v) purge remaining personal data thereafter, except financial records retained for the statutory period above. We may notify you when deletion and final purge are complete.
12. Your Rights and How to Exercise Them
Subject to applicable law and verification of your identity, you have the rights below. To exercise any right, use the in-app "Privacy & Your Data" controls in Settings (which include Download My Data, Correct My Data, Delete My Account, and Nominate) where available, or contact socialhook4@gmail.com or the Grievance Officer. We respond within the timelines required by applicable law.
12.1 Rights under the DPDP Act, 2023 (India)
- Access: obtain a summary of the personal data we process and the identities of those with whom it is shared.
- Correction & completion: correct inaccurate or misleading data and complete incomplete data.
- Erasure: have personal data erased where it is no longer necessary for the purpose it was processed, subject to legal-retention exceptions.
- Nomination: nominate another individual to exercise your rights in the event of your death or incapacity.
- Grievance redressal: raise a grievance with our Grievance Officer and escalate to the Data Protection Board of India if unsatisfied.
- Withdraw consent: withdraw any consent at any time, as easily as it was given.
12.2 Rights under the GDPR / UK GDPR (EEA and United Kingdom)
Access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability (a machine-readable copy of your data); objection (including to processing based on legitimate interests and to direct marketing); rights relating to automated decision-making and profiling; the right to withdraw consent where processing is consent-based; and the right to lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office), although we ask that you contact us first.
12.3 Rights under the CCPA/CPRA (California)
- Right to know the categories and specific pieces of personal information collected, the sources, purposes, and categories of recipients.
- Right to delete personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" and of cross-context behavioural advertising. We do not sell personal information for money; to the extent advertising/analytics identifier use qualifies as a "sale" or "share", you may exercise this right via the ad/analytics controls in Section 6 and the "Do Not Sell or Share My Personal Information" option where provided.
- Right to limit the use of sensitive personal information.
- Right to non-discrimination for exercising your rights.
You may use an authorised agent where the law permits. We verify all requests before acting.
13. Automated Decision-Making and Profiling
We use automated systems and machine learning to rank and personalise your feed and recommendations, to detect and prevent abuse and fraud, and to assist content moderation. These processes do not produce legal or similarly significant effects on you without human involvement where such involvement is legally required. Content-moderation and account decisions can be contested through our grievance mechanism (Section 17).
14. Security
We implement reasonable security practices and procedures designed to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction, consistent with the SPDI Rules and Section 8 of the DPDP Act. These include encryption in transit, access controls, secure credential and token storage, hashing of passwords, monitoring, and least-privilege practices. No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential and for activity under your account.
15. Personal-Data Breach Notification
In the event of a personal-data breach, we will assess, contain, and respond in accordance with applicable law, including notifying the Data Protection Board of India and affected Data Principals under the DPDP Act, reporting to CERT-In within the timelines prescribed under the IT Act framework, and notifying supervisory authorities and individuals under the GDPR/UK GDPR, where and within the timeframes required.
16. Marketing Communications
We send service and transactional messages necessary to operate the Platform. Where you have opted in, we may send promotional communications; you may opt out at any time using the unsubscribe controls or notification settings. Opting out of marketing does not affect transactional or service messages.
17. Grievance Redressal and Contact
For any question, request, or complaint about your personal data or this Policy, contact:
Grievance Officer & Data Protection Officer: Tejas Mawale Email (support / grievance / data protection): socialhook4@gmail.com Address: SOCIALHOOK TECHNOLOGIES PRIVATE LIMITED, Plot No. 11, New Dnyaneshwar Nagar, Manewada Road, Dighori Naka, Nagpur – 440024, Maharashtra, India
In accordance with the IT Act, the IT Rules 2021, and the DPDP Act, the Grievance Officer will acknowledge every complaint within 24 hours of receipt and resolve it within 15 days of receipt (and within 72 hours for complaints concerning content in the nature of non-consensual intimate imagery, impersonation, or sexual-act content, where an expedited statutory window applies).
18. Changes to This Privacy Policy
We may amend this Policy from time to time. Each published version carries a version identifier and a last-updated date, and prior versions are retained. Where changes are material, or where required by law, we will notify you within the Platform and, where necessary, seek renewed consent. Your continued use of the Platform after an update takes effect constitutes acknowledgement of the updated Policy to the extent permitted by law.
This Privacy Policy is issued in English. If it is translated into any other language, the English version prevails to the extent permitted by law. This Policy is published by SOCIALHOOK TECHNOLOGIES PRIVATE LIMITED, CIN U63120MH2025PTC446413.