GDPR Compliance Notice
EU/UK GDPR roles, legal bases, transfers, DPO contact and data subject rights.
1. Who Is This For?
This notice supplements the Privacy Policy for data subjects located in the European Economic Area, the United Kingdom and Switzerland.
2. Controller / Processor
HookPilot Caption Studio LLC is the controller of personal data we collect to run our website and the HookPilot AI Workforce Operating System (account, billing, usage data, support). HookPilot is the processor of personal data inside Customer Content for our enterprise customers — those customers are the controllers and we act on their instructions under a Data Processing Addendum.
3. Legal Bases (Art. 6)
- Contract (6(1)(b)) — to provide the Services you signed up for.
- Legitimate interests (6(1)(f)) — to secure the platform, prevent fraud, improve features in privacy-respecting ways, and run analytics on aggregated usage data.
- Legal obligation (6(1)(c)) — tax, accounting, sanctions screening, lawful preservation orders.
- Consent (6(1)(a)) — marketing communications, non-essential cookies, opt-in evaluation programs.
4. International Transfers
HookPilot operates from the United States and our sub-processors operate from multiple jurisdictions. Where personal data is transferred from the EEA, UK or Switzerland to a country not deemed adequate, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and supplementary technical and organisational measures (encryption in transit and at rest, tenant isolation, sub-processor flow-down).
5. Sub-Processors
The current list of sub-processors is published in Privacy Policy §8. Enterprise customers can subscribe to advance notification of new sub-processors and have a right to object.
6. Your Rights
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion subject to lawful carve-outs (see Data Deletion Policy).
- Restriction / objection — pause or object to certain processing.
- Portability — receive a machine-readable export.
- Withdraw consent — where we rely on it, without affecting prior processing.
- Lodge a complaint — with your local supervisory authority.
Request channel: privacy@hookpilot.co. Response window: 30 days (extendable by 60 if complex, with notice).
7. DPA and SCCs for Customers
If your organisation processes personal data of EEA / UK / Swiss residents through HookPilot, you can request our Data Processing Addendum, which incorporates the 2021 EU SCCs and the UK IDTA. Email dpo@hookpilot.co from a verifiable corporate email.
8. EU AI Act Interplay
For customers operating high-risk AI use cases under the EU AI Act, GDPR and the AI Act operate together. HookPilot's AI Governance Policy documents how the platform supports deployer obligations (transparency, human oversight, logging, accuracy) alongside GDPR (lawful basis, transparency, rights).
9. Complaints
You may lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. We would appreciate the chance to address concerns first — please contact us before filing if possible.
10. Contact / DPO
Data Protection Officer: dpo@hookpilot.co
Privacy team: privacy@hookpilot.co
EU and UK representative contact details are available on request.