Privacy Policy

How we collect, use, and protect your data.

Last updated: April 16, 2026

  1. Summary

    We collect the minimum data needed to operate the Service. We do not sell your data. We do not mine your content to train AI models. We encrypt data in transit and at rest. You can export or delete your data at any time.

  2. Information We Collect

    Account data: email, display name, password hash, authentication provider (OAuth).

    Usage data: container state, API requests, network traffic metadata, log output, billing usage counters.

    Device data: IP address, user-agent, referrer (for security + fraud prevention).

    Payment data: handled by our payment processor — we store only the last 4 digits and card brand, never full card numbers.

    Your content: files, databases, code, terminal output, and anything else you create in the Service.

  3. How We Use Your Data

    • Provide and operate the Service
    • Authenticate you and secure your account
    • Bill you for paid plans
    • Investigate and prevent abuse, fraud, and security incidents
    • Send transactional emails (receipts, security alerts, service announcements)
    • Improve the Service through aggregated, de-identified analytics

    We will NEVER use your content to train AI models or sell your data to third parties.

  4. Data Retention

    Account data is retained while your account is active and for 30 days after deletion. Billing records are retained for 7 years as required by law. Logs and usage data are retained for 90 days. Your content is deleted within 30 days of account termination.

  5. Cookies and Tracking

    We use essential cookies for authentication and session management. We use privacy-respecting analytics (self-hosted) without third-party ad cookies. We do not use Google Analytics, Facebook Pixel, or similar trackers.

  6. Third-Party Services

    We rely on a small set of sub-processors: payment processor, email delivery provider, and infrastructure colocation partners. Each sub-processor is bound by data protection agreements and processes data only under our instructions. A current list is available on request.

  7. Your Rights (GDPR, CCPA, and similar)

    You have the right to:

    • Access the personal data we hold about you
    • Correct inaccurate data
    • Delete your data ("right to be forgotten")
    • Export your data in a portable format
    • Object to or restrict certain processing
    • Lodge a complaint with your local data protection authority

    To exercise any right, email privacy@hoody.com from the address associated with your account. We respond within 30 days.

  8. Data Security

    All data is encrypted in transit using TLS 1.3. Data at rest is encrypted with AES-256. Passwords are hashed with Argon2id. Access to production systems is restricted to authorized personnel via hardware-backed keys and audit logging. We conduct regular security reviews and penetration tests.

  9. International Data Transfers

    Hoody operates data centers in multiple regions. When data crosses borders we rely on standard contractual clauses and equivalent legal mechanisms to ensure continued protection. You can choose the region of your workspace at creation.

  10. Children's Privacy

    The Service is not directed at children under 13 (or the minimum digital consent age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us with data, email privacy@hoody.com and we will delete it.

  11. Changes to This Policy

    We may update this policy from time to time. Material changes will be announced at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

  12. Contact

    Questions or requests? Email privacy@hoody.com.