PRIVACY
Hoody Privacy Policy
How we collect, use, and protect your data.
Last updated: 30 April 2026
1. Who We Are and Who You Are
1.1 Hoody
This Privacy Policy describes how Hoody Limited ("Hoody", "we", "us") processes personal information in connection with the Hoody platform.
Hoody's architecture is the foundation of this Policy. For Customers using the Hoody Bare Metal Server offering, Hoody operates a control plane at api.hoody.com and the Hoody Proxy on Customer's rented bare-metal server. By design, Hoody cannot see Container traffic, terminal commands, files, AI prompts, or AI completions in default pass-through mode. This means that for these data categories on Bare Metal deployments, Hoody is not a data user, data controller, or data intermediary under applicable law because the data is not in Hoody's possession or under Hoody's control. The Free Machine offering uses a different architecture (a virtual machine on Hoody-operated hardware) and accordingly relies on policy commitments plus standard cloud isolation rather than capability-denial — see Section 2.4. Section 2 explains the architecture in operational detail. The rest of this Policy describes the personal information Hoody does process — the relatively narrow set of account, billing, service operation, and diagnostic data that Hoody controls to operate the platform.
For the purpose of EU GDPR, UK GDPR, and Swiss FADP, Hoody is the data controller for personal information of Customers and certain End Users as described in this Policy, and acts as a data processor on behalf of Customers for personal information processed inside Customer's Containers and through services Customer configures. The Hoody Data Processing Agreement (Annex A) governs the processor relationship.
For the purpose of the Hong Kong Personal Data (Privacy) Ordinance (PDPO), Hoody is the data user for personal information it controls.
For the purpose of the California Consumer Privacy Act (CCPA), Hoody is a business for personal information it controls and acts as a service provider for Customers' personal information processed under their direction.
1.2 Defined Terms
For clarity throughout this Policy:
- "Customer" means the individual or entity that has registered an account with Hoody and entered into the Hoody Terms of Service.
- "End User" means any third party (human or automated agent) that interacts with Customer's Containers, applications, or services running on or through Hoody. End Users are Customer's users, not Hoody's. Hoody does not have a direct relationship with End Users.
- "Customer Data" means personal information about Customer (account, billing, authentication, usage of Hoody's control plane, support communications) that Hoody processes as controller.
- "Customer Content" means data, code, configurations, files, and other materials Customer or End Users upload to, create within, or run through the Services. Personal information within Customer Content is processed by Hoody as processor on Customer's behalf, subject to the DPA.
- "Services" has the meaning given in the Terms of Service: the Hoody control plane, Bare Metal Server managed compute offering, Container infrastructure, AI gateway, and auxiliary services.
End Users with questions about how their personal information is processed inside Customer's Containers should contact the Customer directly. Hoody cannot answer these questions because of how the Services are built (see Section 2).
2. What Hoody Cannot See
Before describing what Hoody collects, we describe what Hoody cannot collect — because the architecture of the Services makes it impossible, not because of policy choice.
This section applies primarily to the Hoody Bare Metal Server offering, where Hoody's architecture provides structural privacy guarantees that policy alone cannot match. Section 2.4 describes how this differs for the Free Machine offering, which uses standard virtual-machine isolation rather than the Bare Metal architecture.
2.1 Capability-Denial Statements (Bare Metal Server Offering)
The following statements describe technical impossibilities for Hoody Bare Metal Server deployments, not commitments. They cannot be unilaterally walked back without re-architecting the Services, which would be observable.
(a) Hoody cannot see the contents of Customer's Containers. The Hoody Proxy operates inside Containers running on Customer's rented Bare Metal Server. The proxy is part of Customer's infrastructure, not Hoody's. Files, applications, databases, application logs, internal Container processes, and data at rest within Containers are not transmitted to Hoody and are not accessible to Hoody.
(b) Hoody cannot see network traffic to or from Customer's Containers. Network traffic transits the Hoody Proxy on Customer's bare metal. Hoody does not operate the network path between End Users and Customer's Containers and does not log, inspect, or store the contents of that traffic.
(c) Hoody cannot see terminal commands executed within Containers. Terminal sessions run on Customer's bare metal. Command history, command output, and process activity within the Container are not accessible to Hoody.
(d) Hoody cannot see the contents of AI prompts or completions routed through the Hoody AI gateway in pass-through mode (the default mode). The AI gateway routes payloads between Customer's Containers and the upstream AI provider Customer selects. Prompt content and completion content do not transit Hoody-operated storage and are not accessible to Hoody.
(e) Hoody cannot see the contents of files stored on Customer's Bare Metal Server. Customer's storage on rented bare metal is operated by the third-party hosting provider, not by Hoody. Hoody does not access, mount, or replicate Customer's bare-metal storage.
(f) Hoody cannot see the upstream-provider API keys Customer has configured for the AI gateway. Customer's API keys for upstream AI providers live in Customer's Containers on Customer's Bare Metal Server. The AI gateway routes authenticated requests without Hoody storing or accessing the credentials. See Section 5.0.
2.2 What This Means
Most cloud privacy policies say "we collect data X, we use it for purpose Y, we may share it with Z." This is honest — those providers do collect that data, because their architectures require them to.
For Bare Metal Server deployments, Hoody is structurally different. The privacy commitments in Section 2.1 are encoded in the Services' architecture, not in policy. A future change in corporate ownership, jurisdiction, or executive intent would not change the underlying technical facts.
2.3 What Hoody Does See
The remainder of this Policy describes what Hoody does see. The pairing matters: without the explicit enumeration of what Hoody collects, the capability-denial statements above would read as marketing rather than architecture.
2.4 Free Machine — Different Architecture, Policy Commitments Instead
The Free Machine (defined in Terms of Service §1.1(f)) is a virtual machine that shares physical hardware operated by Hoody with other Free Machine users. It is not a dedicated Bare Metal Server. Because Hoody operates the underlying physical host for Free Machines, the Section 2.1 capability-denial statements do not apply to the Free Machine offering — Hoody could, in principle, access Free Machine guest data the way any virtualization-platform operator can access guest data on hosts the operator controls.
For the Free Machine specifically, Hoody commits as a matter of policy that:
(a) Hoody does not access the contents of Free Machine guests, terminal sessions, files, or network traffic except where (i) Customer has affirmatively requested support that requires such access, (ii) automated abuse-prevention systems flag specific suspected violations of the AUP for human review (and only the minimum data necessary to assess the alert), or (iii) compelled by lawful legal process under Section 7.
(b) Hoody isolates Free Machine guests from each other using standard virtualization isolation (separate kernels, dedicated memory regions, network namespaces, separate filesystems). Customers should not assume Free Machine guarantees the same architectural isolation as Bare Metal.
(c) The zero-training commitment in Section 4.1 applies in full to Free Machine usage. The no-sale commitment in Section 4.2(a) applies in full.
(d) Customers running production workloads, regulated data, or content of material economic value should use the Bare Metal Server offering, not the Free Machine. The Free Machine is intended for hobbyists, learning, and side projects.
The architectural distinction matters because the Bare Metal Server offering's privacy is enforced by the architecture itself; the Free Machine's privacy is enforced by Hoody's policy plus standard cloud isolation. Both are real commitments — but they are different kinds of commitments and Customer should choose the offering whose privacy posture matches Customer's needs.
3. Personal Information We Collect
We collect personal information in the following categories. For each category, we list the specific fields, the trigger that causes collection, and the source.
3.1 Account Information (Customer)
Collected when Customer registers and maintains an account.
| Field | Trigger | Source |
|---|---|---|
| Full name | Account registration | Customer (direct) |
| Email address | Account registration | Customer (direct) |
| Country of residence | Account registration (sanctions screening, tax) | Customer (direct) |
| Hashed password | Account registration | Customer (direct, hashed at receipt) |
| MFA configuration (TOTP secret, recovery codes) | MFA enrollment | Customer (direct) |
| OAuth provider identifier and verified email | OAuth sign-in | Identity provider (Google, GitHub, etc.) |
| Organization name, role, billing address | Organization-account registration | Customer (direct) |
| Profile preferences (language, time zone) | Profile customization | Customer (direct) |
| Account audit logs (login times, IP, MFA result, action history) | Authentication and account actions | Automatic (Hoody) |
3.2 Service Operation Data (Customer)
Collected when Customer uses the Services.
| Field | Trigger | Source |
|---|---|---|
| Container lifecycle events (create, start, stop, delete, snapshot, restart) | Container actions | Automatic (Hoody) |
| Project, realm, and team configuration | Configuration changes | Customer (direct) |
| Bare Metal Server rental metadata (provider, region, rental status) | Server rental transactions | Automatic (Hoody) and underlying hosting provider |
| API request metadata (timestamp, source IP, endpoint, response code, user agent) | API usage | Automatic (Hoody) |
| Hoody AI gateway routing metadata (model selected, token counts, latency, response status) | AI gateway usage | Automatic (Hoody) |
| Storage share mounts and configuration | Storage configuration | Customer (direct) |
We do not collect Container contents, network traffic content, terminal contents, or AI prompt/completion content (Section 2.1).
3.3 Billing and Payment Data (Customer)
Collected when Customer adds funds to balances or pays for Services.
| Field | Trigger | Source |
|---|---|---|
| Last four digits of card; card brand; card expiry month/year | Stripe card setup | Stripe (sub-processor — full card details handled by Stripe) |
| Cryptocurrency wallet address (sender) | NOWPayments crypto payment | Customer (direct, via NOWPayments) |
| Bank account details (originating bank, account holder name, reference) | Bank transfer payment | Customer (direct, via banking partner) |
| Transaction history (amount, currency, date, processor reference, invoice ID) | Each payment | Automatic (Hoody) |
| Tax identification numbers (where required) | Tax-required onboarding | Customer (direct) |
| Sanctions screening results | Onboarding and ongoing screening | Sanctions screening sub-processor |
3.4 Diagnostic and Security Data
Collected for Service operation, security, and abuse detection.
| Field | Trigger | Source |
|---|---|---|
| Network-level metadata transiting the Hoody control plane (source/destination IP, protocol, volume, timing) | Service operation | Automatic (Hoody) |
| Authentication telemetry (login times, IP, MFA challenge results, failed attempts) | Authentication events | Automatic (Hoody) |
| API error rates, latency metrics, capacity utilization | Service health monitoring | Automatic (Hoody) |
| Abuse detection signals (DDoS pattern detection, mining signature detection, fraud signals from payment processors) | Detection events | Automatic (Hoody, payment sub-processors, blacklist authorities) |
3.5 Communications
Collected when Customer or other parties communicate with us.
| Field | Trigger | Source |
|---|---|---|
| Support tickets (subject, body, attachments, communication thread) | Support requests | Customer or other party (direct) |
| Abuse reports (target, evidence, reporter contact) | Abuse reports | Reporter (direct) |
| Billing inquiries (transaction reference, evidence) | Billing disputes | Customer (direct) |
| Legal notices (subpoenas, requests, correspondence) | Legal correspondence | Issuing party (direct) |
3.6 End User Data (Processor Role)
When End Users interact with Customer's Containers or applications, personal information about those End Users may be collected, stored, or processed inside Customer's Containers. Hoody is the processor for such data, not the controller. Hoody's processing of End User data is limited to operating the Services as Customer has configured them, and is governed by the DPA (Annex A).
Because of the architectural facts in Section 2.1, Hoody does not have access to most categories of End User data — even as processor, Hoody literally cannot see Container content. End Users with questions about how their personal information is processed inside Customer's Containers should contact the Customer directly.
3.7 What We Do Not Collect
For clarity, and notwithstanding any general language elsewhere in this Policy, Hoody does not collect:
(a) The contents of Customer's Containers (per Section 2.1(a));
(b) The contents of network traffic to or from Customer's Containers (per Section 2.1(b));
(c) Terminal commands, application data, database contents, or any in-Container activity (per Section 2.1(c));
(d) AI prompts or completions in pass-through mode (per Section 2.1(d));
(e) Files stored on Customer's Bare Metal Server (per Section 2.1(e));
(f) Personal data of End Users beyond what Customer has configured Hoody to handle.
4. How We Use Personal Information
We use personal information only for the purposes described in this Policy. We will not use your personal information for any new or unrelated purpose without your explicit consent, except where permitted by applicable law (for example, where required to comply with a legal obligation, to investigate suspected abuse or fraud, or to enforce our agreements).
Where GDPR applies, the legal basis for each purpose is identified below.
| Purpose | Categories of Data | Legal Basis (GDPR) |
|---|---|---|
| Provide and operate the Services (provisioning, control plane, authentication) | 3.1, 3.2 | Performance of contract (Art. 6(1)(b)) |
| Route requests to upstream Bare Metal hosting providers | 3.2 | Performance of contract (Art. 6(1)(b)) |
| Route AI gateway requests to upstream AI providers selected by Customer | 3.2 | Performance of contract (Art. 6(1)(b)) |
| Process payments (charge for Services, issue invoices, handle refunds and disputes) | 3.3 | Performance of contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) for tax records |
| Sanctions screening and KYC where applicable | 3.1, 3.3 | Legal obligation (Art. 6(1)(c)) |
| Communicate service announcements, security alerts, billing notices, support responses | 3.1, 3.5 | Performance of contract; Legitimate interests (security) |
| Detect, prevent, and respond to abuse, fraud, and security threats | 3.2, 3.4 | Legitimate interests (Art. 6(1)(f)) — keeping the Services secure for all Customers and End Users |
| Maintain and improve Service capacity, reliability, and performance | 3.2, 3.4 | Legitimate interests (Art. 6(1)(f)) |
| Respond to lawful process and protect Hoody's and others' rights | All categories as applicable | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) |
| Marketing communications (where opted in or where applicable law permits) | 3.1, 3.5 | Consent (Art. 6(1)(a)) where required; Legitimate interests (Art. 6(1)(f)) for soft opt-out jurisdictions |
You may object to processing based on legitimate interests by contacting privacy@hoody.com. We will assess and respond.
Cross-jurisdictional note on lawful bases. The legal bases listed above use the EU GDPR framework. Not all data protection laws recognise the same legal bases for processing. In particular, the Hong Kong PDPO is notification-based and structures permitted processing differently from GDPR — for example, it does not have an exact equivalent to GDPR's "legitimate interests" basis. Hoody will process your personal data in accordance with the legal bases or grounds for processing applicable in your jurisdiction. Where this Policy describes a basis that is unavailable in your jurisdiction, an equivalent basis under applicable local law applies.
4.1 No AI Training on Customer Data
Hoody does not use Customer Data, Customer Content, prompts routed through the AI gateway, completions returned through the AI gateway, terminal commands, files, application data, support communications, or any other Customer-originated data to train, fine-tune, evaluate, or otherwise improve any artificial intelligence or machine learning model.
This commitment applies regardless of whether the model would be used internally, made available to other Customers, or shared with third parties. There is no aggregation-and-de-identification carve-out, no opt-in mechanism, and no exception other than what is explicitly required by law.
4.2 What We Do Not Do With Personal Information
We do not:
(a) Sell personal information for monetary consideration;
(b) Share personal information with marketers or advertisers for cross-context behavioral advertising or targeted advertising, except where specifically opted in by Customer;
(c) Use Customer-originated data for AI model training (Section 4.1);
(d) Read, inspect, or use the contents of Customer's Containers, network traffic, terminal commands, AI prompts, AI completions, or stored files for any purpose, including operational improvement (per Section 2.1);
(e) Make automated decisions about Customers or End Users that produce legal effects or similarly significant effects without human involvement. Hoody's automated systems perform operational tasks (routing, billing, abuse detection signal generation) but consequential decisions (account suspension, abuse enforcement, billing disputes) involve human review.
5. The Hoody AI Gateway
The Hoody AI gateway (ai.hoody.com) routes Customer requests to third-party AI providers Customer selects. The current list of supported upstream providers and aggregators is maintained as part of Hoody's sub-processor disclosures (see Section 8.1). The list is updated from time to time as Hoody adds, removes, or changes upstream relationships.
5.0 API Key Custody (Architectural Commitment)
Customer's API keys for upstream AI providers are stored in Customer's Containers on Customer's Bare Metal Server. Hoody does not store Customer's upstream-provider API keys in Hoody's database, control plane, or any infrastructure operated by Hoody. When Customer's Container makes an AI request, the upstream-provider authentication is constructed in Customer's Container using the key stored there; Hoody's gateway routes the authenticated request without retaining the credential.
This is a structural architectural commitment, not a policy choice. It follows from the same architecture that prevents Hoody from seeing Container traffic (Section 2.1).
5.1 Pass-Through Mode (Default)
In pass-through mode, the Hoody AI gateway proxies Customer's requests to the upstream provider Customer has selected. Hoody:
(a) Sees request metadata (timestamp, model selected, source IP, response status);
(b) Sees token counts (for billing and reporting);
(c) Sees latency and error metrics;
(d) Does not see the content of prompts sent through the gateway (per Section 2.1(d));
(e) Does not see the content of completions returned through the gateway (per Section 2.1(d));
(f) Does not see the upstream-provider API key Customer has configured (per Section 5.0).
5.2 Customer-Configured Observability Mode
Because every Hoody service is HTTP-native and runs in Customer's Containers on Customer's Bare Metal Server, Customer may configure Customer's own Containers to intercept, inspect, and log AI traffic flowing through them. This is sometimes referred to as "MITM mode," but the interception is performed by Customer's own infrastructure on Customer's own server — Hoody is not the intermediary. Logs from observability mode are stored in Customer's Containers and on Customer's Bare Metal Server, not in Hoody's infrastructure. Hoody does not have access to such logs.
5.3 Upstream AI Provider Data Handling
Each upstream AI provider has its own data handling practices, retention policies, and training behavior. These vary significantly between providers and may change over time. Common variations include:
(a) Whether the provider uses API inputs or outputs to train its models by default;
(b) Whether the provider retains data for safety, abuse, or operational review (and for how long);
(c) Whether Zero Data Retention (ZDR) or no-training arrangements are available, and on what tier;
(d) Which jurisdictions and regions the provider supports for data processing;
(e) Whether the provider is certified for specific compliance frameworks (HIPAA, SOC 2, ISO 27001, etc.).
Customer is responsible for selecting an appropriate upstream provider for Customer's use case. This includes verifying the upstream provider's data handling commitments, retention policies, training behavior, regional availability, and applicable certifications. Hoody surfaces upstream provider information to assist Customer's selection but does not warrant the accuracy of upstream provider commitments and does not take responsibility for upstream provider behavior.
For routes where the upstream provider does not by default provide a no-training commitment satisfactory to Customer, Customer should configure the route accordingly using the controls Hoody surfaces (provider opt-out flags where available, ZDR-eligible routes where available, or by selecting a different upstream provider).
5.4 What Hoody Commits Regarding the AI Gateway
(a) Hoody does not train any models on prompts or completions transiting the Hoody AI gateway (per Section 4.1).
(b) Hoody does not retain the content of prompts or completions in pass-through mode (per Section 2.1(d) and 5.1).
(c) Hoody surfaces the upstream AI provider list at the URL referenced above and updates it when providers are added, removed, or replaced.
(d) Hoody passes through Customer's selected privacy controls (opt-outs, ZDR settings, regional routing preferences) to the upstream provider where the upstream provider's API supports it.
(e) Hoody flows down the upstream provider's binding use restrictions to Customer through the AUP (see Section 4 of the Terms of Service) — Customer's use of an upstream provider through Hoody is subject to the more restrictive of Hoody's AUP and the upstream provider's terms.
5.5 Specific Restrictions and Carve-Outs
(a) Healthcare data (PHI under HIPAA). Hoody's pass-through gateway does not currently support routing of HIPAA-regulated PHI. No Business Associate Agreement is in place between Hoody and any upstream provider as of the date of this Policy. Customer must not route PHI through the Hoody AI gateway. If Customer requires PHI routing, Customer should contact Hoody to discuss enterprise arrangements.
(b) GDPR Article 9 special-category data. Routing of special-category personal data (health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, trade-union membership, criminal-conviction data) through the AI gateway requires Customer to ensure a valid GDPR Article 9 lawful basis and the upstream provider's terms permit such use. Hoody does not warrant that any upstream provider supports special-category processing.
(c) Sanctioned regions. Each upstream AI provider has its own list of supported regions. Customer must ensure routing complies with the upstream provider's regional availability. The Hoody AI gateway does not enforce per-upstream regional restrictions; this is Customer's responsibility.
6. Bare Metal Server Hosting
Hoody's Bare Metal Server offering is a managed compute product. The Hoody platform runs on dedicated hardware that Hoody arranges in third-party data centers (such as OVH, Hetzner, and others). Customer's contractual counterparty for the managed product is Hoody, while the underlying data center operator handles the physical hardware and infrastructure layer.
This means the data center operator:
(a) Has its own privacy policy governing the data center operator's own processing of data at the hardware and infrastructure level;
(b) Sees network metadata at the hardware and ISP level that Hoody does not see;
(c) Is governed by its own jurisdiction (e.g., OVH is governed by French/EU law; Hetzner is governed by German law);
(d) Is subject to its own legal process and government-request handling at the data-center level.
Even though Customer's contractual relationship is with Hoody, the underlying data center operator processes certain data Hoody never sees (per Section 2.1).
This separation matters because: (a) the data center operator sees and processes data Hoody does not see; (b) the data center operator is subject to legal process and jurisdictional reach Hoody is not subject to. Customer should be aware which data center underlies a given Bare Metal Server when Customer's data handling requirements include data residency, jurisdictional protection, or specific certifications. Hoody surfaces the underlying data center for each available Bare Metal Server in the Hoody control plane.
7. Government and Legal Requests
This Section restates the architectural privacy commitment of Section 2 in legal-compliance terms.
7.1 Default Position
Hoody requires lawful process for any disclosure of personal information.
(a) We do not disclose personal information without a subpoena, warrant, court order, or equivalent lawful authority valid in the jurisdiction issuing the request.
(b) We respond only to requests for what we actually possess. Hoody cannot produce Container contents, network traffic, terminal commands, AI prompts, AI completions, or the contents of files stored on Customer's Bare Metal Server, because of how the Services are built (per Section 2.1). The architectural impossibility is a legal-compliance ceiling, not a refusal to comply.
(c) For requests for data Hoody does possess, we comply with binding lawful process for the data we hold.
7.2 User Notification
Where the request is not accompanied by a gag order or other legal prohibition on notice, we will give Customer advance written notice of the request so Customer may seek protective treatment. We default to notification.
7.3 Push-Back Posture
Where a request is overbroad, vague, lacks lawful basis in the jurisdiction issuing it, or appears to be a fishing expedition, we challenge it through appropriate legal channels.
7.4 Cross-Border Requests
(a) Third-country requests for EEA-resident data. Where a request from an authority outside the European Economic Area seeks personal data of EEA-resident individuals, we object unless (i) the request is made under an enforceable international agreement (such as a mutual legal assistance treaty), (ii) the data is stored outside the EEA, or (iii) the request pursues an important reason of public interest recognized by EU law.
(b) Home jurisdiction requests. Hoody is incorporated in Hong Kong. We comply with binding legal process from Hong Kong courts and authorities.
(c) Foreign authority requests. Foreign authorities have no automatic jurisdiction over Hoody. Access requires international agreements on mutual assistance, an order from a Hong Kong court (or local court of any successor jurisdiction in the event of corporate restructuring), or the equivalent.
7.5 Minimum Disclosure
Where disclosure is required, we disclose only what is necessary to comply.
8. Sharing and Disclosure
8.1 Sub-Processors
We use third-party service providers ("sub-processors") to operate the Services. The current sub-processor list is maintained at https://hoody.com/subprocessors. The list is updated when sub-processors are added, replaced, or removed.
We commit to:
(a) Maintain a current sub-processor list at the URL above;
(b) Provide at least thirty (30) days' advance notice to B2B Customers under DPA before engaging a new sub-processor that will access personal data of those Customers;
(c) Bind sub-processors by contract to data protection obligations no less protective than those in this Policy and applicable DPA;
(d) Provide a reasonable mechanism for Customers to object to a new sub-processor under DPA (see DPA Section A.6 for the objection mechanics).
The sub-processor list includes, at minimum, the following categories:
| Category | Examples (subject to change; current list at the URL above) |
|---|---|
| Payment processing | Stripe (cards), NOWPayments (cryptocurrency), PaymentWall, PayPal, banking partners |
| Bare Metal Server hosting | OVH, Hetzner, others underlying Hoody's managed compute offering at the time of Customer's rental |
| AI gateway upstream providers and aggregators | Multiple third-party AI model providers and aggregators (current list at the subprocessor URL above) |
| Email infrastructure | Transactional email service providers |
| Analytics (control plane only) | Service operation analytics |
| Sanctions and KYC screening | Compliance vendors |
8.2 Bare Metal Server Hosting Providers (Restated)
When Customer rents a Bare Metal Server, the underlying hosting provider physically operates the hardware in its data center. Customer's contractual counterparty for the server is Hoody, not the underlying hosting provider — but the hosting provider is a sub-processor with respect to data Hoody routes through it, and the hosting provider has its own privacy policy applicable to the data the hosting provider processes at the hardware and data-center level. See Section 6.
8.3 Legal Compliance and Government Requests
See Section 7.
8.4 Business Transfers
If Hoody is acquired, merged, or transfers substantially all of its assets, or undergoes a corporate restructuring or reorganization, personal information may be transferred to the acquirer or successor as part of the transaction. We will notify you of any such transfer.
8.5 With Your Consent
We share personal information in other circumstances only with your consent.
8.6 We Do Not
We do not sell personal information for monetary consideration. We do not share personal information with marketers or advertisers for cross-context behavioral advertising or targeted advertising, except where specifically opted in by Customer.
9. International Data Transfers
When Customer uses the Services, personal information may be transferred to and processed in jurisdictions other than Customer's country of residence.
9.1 Categorisation of Data Flows by Hoody's Role
Different data categories cross borders in different ways and Hoody's role differs by category:
(a) Controller / data user data — Customer account, billing, control plane operation, and diagnostic data. For this category, Hoody is the data controller (GDPR/UK GDPR/Swiss FADP) or data user (HK PDPO) and Hoody initiates the transfer to its sub-processors. Transfer mechanisms in Section 9.2 apply.
(b) Processor data — personal information processed inside Customer's Containers under Customer's instructions. For this category, Hoody acts as data processor (GDPR/UK GDPR/Swiss FADP) or under equivalent contractual arrangements (HK PDPO). Customer determines the destination through Customer's choice of Bare Metal Server region.
(c) Architecturally unsighted data — Container traffic, terminal commands, files, AI prompts, AI completions. Hoody does not see this category (per Section 2.1) and accordingly does not "transfer" it in the data-protection-law sense. The destination is determined by Customer's choice of Bare Metal Server region (for stored data) and Customer's choice of upstream AI provider (for AI gateway traffic). Hoody does not control the routing of this data beyond what Customer has configured.
9.2 Transfer Mechanisms (Controller / Data User Data)
For controller-data transfers, where personal information of EEA, UK, or Swiss residents is transferred to jurisdictions not recognized as providing adequate protection under GDPR/UK GDPR/Swiss FADP, Hoody relies on:
(a) Standard Contractual Clauses (SCCs) approved by the European Commission. Module 1 (Controller-to-Controller) where Hoody is controller for the data received; Module 2 (Controller-to-Processor) where Customer is controller and Hoody is processor; Module 3 (Processor-to-Processor) where Hoody passes data to a sub-processor.
(b) UK International Data Transfer Addendum for transfers of UK GDPR-governed data.
(c) Swiss-specific addenda for FADP-governed data.
(d) PCPD Recommended Model Clauses (2022) as best practice for HK transfers.
(e) Any other valid transfer mechanism recognized under applicable law.
The SCCs are incorporated into the DPA (Annex A).
9.3 Transferring Jurisdictions
Personal information may be processed in: Hong Kong (under PDPO), the European Union (under GDPR, via sub-processors), the United Kingdom (under UK GDPR, via sub-processors), the United States (under various state and federal laws, via certain payment and AI sub-processors), and other jurisdictions where Hoody or its sub-processors operate.
9.4 Data Localization for Bare Metal
Customer Content stored on Bare Metal Servers remains in the geographic region of Customer's chosen Bare Metal Server. Hoody does not move Customer Content between regions. The data center operator's terms govern data residency for Bare Metal Servers.
10. Retention
10.1 Specific Retention Periods
| Data Category | Retention Period | After Retention |
|---|---|---|
| Active account information | While the account is active | See "after termination" |
| Account information after termination | Up to 90 days post-termination, or longer where required by law | Permanently deleted |
| Service operation logs (API request metadata) | 90 days for raw logs; aggregated/anonymized retention for capacity planning thereafter | Aggregated form does not re-identify Customer |
| Hoody AI gateway routing metadata | 90 days for raw metadata; aggregated billing-only retention thereafter | Aggregated billing-only form |
| Authentication and audit logs | 365 days | Permanently deleted |
| Billing and payment records | 7 years (HK tax and accounting requirement) | Permanently deleted |
| Support communications | 2 years after resolution | Permanently deleted |
| Abuse reports and investigation records | 2 years after resolution; longer for sanctions, fraud, CSAM-related where required by law | Permanently deleted |
| Backup copies | 30 days standard backup retention | Aged out automatically |
10.2 Customer Content Retention
The retention of Customer Content is governed by Section 9.7 of the Terms of Service. Customer Content is generally not personal information of Hoody (it is data Customer chooses to put into Customer's infrastructure).
Per Section 2.1, Hoody does not have access to most categories of Customer Content. The retention question for Customer Content is therefore primarily about the retention behavior of Customer's Bare Metal Server (controlled by the hosting provider) and Customer's chosen storage configuration.
10.3 Deletion on Request
Customer may request deletion of Customer Data at any time, subject to retention obligations imposed by law and our legitimate need to retain certain information. See Section 11.
11. Customer Rights
11.1 Universal Rights
Regardless of jurisdiction, Customer has the following rights with respect to Customer Data Hoody controls:
(a) Right of access — to obtain a copy of Customer Data Hoody holds about Customer.
(b) Right of correction — to correct inaccurate Customer Data.
(c) Right of deletion — Hoody will erase or anonymise Customer Data when it is no longer needed for the purposes for which it was collected, in accordance with Section 10 (Retention) and applicable law. Customer may request deletion of Customer Data at any time, subject to (i) retention obligations imposed by law (for example, accounting and tax records), (ii) Hoody's legitimate need to retain certain information for fraud prevention, dispute resolution, or enforcement of agreements, and (iii) what is technically practicable. For Customers in jurisdictions with broader erasure rights (for example, EU residents under GDPR Article 17), additional rights are described in Addendum B.
(d) Right to object to processing — to object to processing based on legitimate interests, including for security, abuse detection, or service improvement purposes.
(e) Right of data portability (where GDPR or equivalent applies) — to receive Customer Data in a structured, machine-readable format. This right applies in EU/UK/Swiss jurisdictions; it is not a statutory right under the Hong Kong PDPO. Hoody offers account export as a product feature regardless of jurisdiction.
(f) Right to withdraw consent — where processing is based on consent, Customer may withdraw consent at any time, without affecting the lawfulness of prior processing.
11.2 How to Exercise Rights
Send a request to privacy@hoody.com. Where possible, exercise rights through Customer's account settings (account export, account deletion, communication preferences). Hoody responds within thirty (30) days of receipt of a verifiable request, with reasonable extension for complex requests (with notice).
11.3 Verification
For requests that affect account integrity (deletion, large-scale export), Hoody verifies the requester's identity through the Customer's account authentication. Where the requester cannot authenticate, Hoody requires reasonable identity verification before fulfilling the request.
For requests where Hoody does not have the data necessary to identify the requester (consistent with the architectural facts in Section 2.1), Hoody invokes Article 11(2) of GDPR (or the equivalent under PDPO and other applicable regimes): Hoody is not required to maintain or seek additional information solely for the purpose of identifying the data subject in order to comply.
11.4 Right to Lodge Complaint
If Customer believes Hoody has not handled personal information in accordance with applicable law:
- EEA residents: the data protection authority of Customer's country of residence
- UK residents: the Information Commissioner's Office (ICO) at ico.org.uk
- Swiss residents: the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch
- Hong Kong residents: the Office of the Privacy Commissioner for Personal Data (PCPD) at pcpd.org.hk
- California residents: the California Privacy Protection Agency (CPPA) or California Attorney General
- Other jurisdictions: Customer's local data protection authority
We encourage Customer to contact us first to resolve concerns directly.
11.5 Non-Discrimination
Hoody does not discriminate against Customer for exercising rights under this Policy. We do not deny Services, charge different prices, provide different quality of service, or suggest different prices or quality of service in retaliation for the exercise of rights.
12. Security
12.1 Technical and Organizational Measures
We implement appropriate technical and organizational measures to protect personal information, including:
(a) Encryption in transit. All communications with Hoody's control plane (api.hoody.com), the Hoody AI gateway (ai.hoody.com), and other Hoody-operated endpoints use TLS 1.2 or higher.
(b) Encryption at rest. Personal information stored in Hoody's databases is encrypted at rest using industry-standard symmetric encryption (AES-256 or equivalent).
(c) Access controls. Hoody personnel access to personal information is on a need-to-know basis, governed by role-based access control and audit logged.
(d) Authentication. Multi-factor authentication is supported and recommended for all accounts. Passwords are stored only in hashed form using a modern password hashing algorithm.
(e) Network segregation. Hoody's control plane infrastructure is logically segregated from Customer Bare Metal Servers. Per Section 2.1, the architectural separation is enforced by design.
(f) Logging and monitoring. Access to systems handling personal information is logged and monitored for anomalies.
(g) Incident response procedures. See Section 13.
12.2 Honest Acknowledgment
No system is perfectly secure. We aim to detect and respond to incidents promptly, and to give Customer accurate, timely information when something happens.
13. Data Breach Notification
13.1 Notification to Authorities
In the event of a personal data breach affecting Customer's personal information, Hoody notifies the relevant data protection authority where required by applicable law, including:
(a) EU/UK/Switzerland (GDPR / UK GDPR / Swiss FADP): without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.
(b) Hong Kong (PDPO): notification to the PCPD on a voluntary basis, as soon as practicable, where the breach poses a real risk of significant harm (per PCPD Guidance, June 2023).
(c) Other jurisdictions: as required by applicable law.
Hoody's internal incident response operates on a 72-hour clock to satisfy GDPR, treating the strictest applicable timeline as the operational target.
13.2 Notification to Customer
Where a breach is likely to result in a high risk to Customer's rights and freedoms, Hoody notifies Customer directly without undue delay after becoming aware. Notifications include: the nature of the breach; the categories and approximate numbers of Customers and data records affected; the likely consequences; the measures taken or proposed to address the breach.
13.3 Carve-Out for Routine Unsuccessful Events
Hoody does not consider routine, unsuccessful security events to constitute a personal data breach for purposes of notification. These include: port scans, unsuccessful login attempts, packet sniffing of public headers, denial-of-service attempts that do not result in unauthorized access, and other events that do not result in compromise of personal information.
13.4 Notification Chain
Where a breach originates with a sub-processor or upstream provider (Bare Metal Server hosting, AI gateway upstream, payment processor), Hoody's notification timeline runs from Hoody becoming aware of the breach, not from when the breach occurred at the upstream layer. Hoody notifies Customer based on what Hoody knows at the time of notification, and updates Customer with additional information as it becomes available.
14. Cookies and Similar Technologies
Hoody uses a small number of cookies and similar technologies on its websites. We use:
(a) Strictly necessary cookies. Required for core functionality including session management, authentication, multi-factor authentication state, security (such as CSRF protection), and load balancing. These cookies cannot be disabled while using the Services.
(b) Preference cookies. Used to remember your interface preferences (such as theme, language, and dashboard layout) so you do not need to set them on every visit.
(c) Operational analytics on hoody.com. Privacy-preserving analytics on Hoody's marketing and documentation websites help us understand how visitors use those sites. We do not use cross-site tracking, do not build advertising profiles, and do not share these analytics with advertising partners.
We do not use cookies for advertising, behavioural targeting, or tracking pixels for marketing purposes. We do not embed third-party advertising or social-media tracking on Hoody websites.
You can control cookies through your browser settings, including blocking, deleting, or being notified before cookies are set. Where required by applicable law (such as the EU ePrivacy Directive), non-essential cookies are set only with your prior opt-in consent.
15. Children
The Services are not directed at children under 16. Hoody does not knowingly collect personal information from persons under 16. If Hoody becomes aware that it has collected personal information from a person under 16 without verifiable parental consent, Hoody will delete that information as soon as practicable. If you are a parent or guardian and believe your child has provided Hoody with personal information, please contact privacy@hoody.com.
For Customers operating products or services that themselves serve End Users under 16, Customer is responsible for compliance with applicable law (COPPA in the US for users under 13; GDPR Article 8 in the EU; PCPD guidance on minors in Hong Kong; equivalents elsewhere) and must obtain any required parental consent for End Users under the applicable threshold.
16. Changes to This Policy
We may update this Policy from time to time. Updates take effect when the revised Policy is posted at https://hoody.com/privacy, which is reflected in the "Last Updated" date at the top of the Policy. Customer is responsible for checking the Policy periodically for changes.
Where a change materially reduces Customer's rights or materially expands the categories of personal information Hoody collects or the purposes for which Hoody uses personal information, Hoody will use commercially reasonable efforts to notify Customer in advance, by email to Customer's account address, in-product notification, or other reasonable means.
Customer's continued use of the Services after the effective date constitutes acceptance. If Customer does not agree to a material change, Customer's sole remedy is to terminate Customer's account.
We will not retroactively apply a modified Policy to acts or omissions occurring before the effective date.
17. Contact
For privacy questions, requests to exercise rights, or complaints:
- Email: privacy@hoody.com
- Postal address: Hoody Limited, a company incorporated in Hong Kong, with registered office at Rm 32, 11/F Lee Ka Industrial Building, 8 Ng Fong Street, San Po Kong, Kowloon, Hong Kong
For EEA / UK / Swiss residents, see also Addendum B for jurisdiction-specific information including the right to lodge a complaint with the relevant supervisory authority.
Addendum A — Hong Kong PDPO Notice
This Addendum applies to Hong Kong residents and supplements the main Policy with PDPO-specific disclosures.
A.1 Data User
Hoody Limited is the data user under PDPO for personal data Hoody controls.
A.2 Purposes of Collection
The purposes of collection are described in Section 4 of the main Policy. Direct marketing of Hoody products and services is included only where you have consented or where applicable law permits.
A.3 Direct Marketing (Part 6A)
Where Hoody intends to use personal data for direct marketing, or to provide personal data to a third party for use in direct marketing, Hoody complies with the consent and notification requirements in Part 6A of the PDPO (Sections 35A–35M). At first use of your personal data for direct marketing, Hoody will notify you of: (i) the kinds of personal data to be used; (ii) the classes of marketing subjects in relation to which the data is to be used; and (iii) your right to opt out at any time without charge. You may opt out of direct marketing at any time by contacting privacy@hoody.com or by following the unsubscribe instructions in any direct marketing communication.
A.4 Access and Correction Requests
PDPO Sections 18-22 give you the right to request access to and correction of personal data. To exercise these rights, contact privacy@hoody.com. We respond within forty (40) days.
A.5 Complaints
You may complain to the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) at pcpd.org.hk.
Addendum B — EEA, UK, and Switzerland Notice
This Addendum applies to residents of the European Economic Area, the United Kingdom, and Switzerland, and supplements the main Policy with GDPR / UK GDPR / Swiss FADP-specific disclosures.
B.1 Controller
For Customer Data, Hoody is the controller. See Section 1.1.
B.2 Legal Bases
See the table in Section 4 of the main Policy.
B.3 Data Subject Rights
The universal rights in Section 11 implement GDPR Articles 15-22. Right of access (Art. 15), correction (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and rights related to automated decision-making (Art. 22) apply.
Hoody does not engage in automated decision-making (including profiling) producing legal effects on Customer or similarly significantly affecting Customer.
B.4 Sensitive Data (Article 9)
Hoody does not process special-category personal data of Customer. For special-category data within Customer Content (which Customer controls), see Section 5.5(b) of the main Policy.
B.5 International Transfers
See Section 9 of the main Policy.
B.6 EU and UK Representatives
Under GDPR Article 27 and UK GDPR Article 27, controllers established outside the EU/UK that offer goods or services to data subjects in the EU/UK are required to designate a representative in the relevant territory in certain circumstances.
Hoody Limited is established outside the EU and UK. Where Hoody's offering to EU and UK data subjects requires designation of a representative under Article 27, Hoody will designate a representative and update this Addendum accordingly. EU and UK data subjects may, in the meantime, contact Hoody directly at privacy@hoody.com for any matter relating to processing of their personal information.
B.7 Right to Lodge Complaint
See Section 11.4.
Annex A — Data Processing Agreement (Framework)
A.1 Roles and Definitions
(a) Customer is the data controller for personal information Customer or Customer's End Users provide to or process through the Services.
(b) Hoody is the data processor acting on Customer's documented instructions.
(c) Where Customer is itself a processor for an upstream controller, Hoody acts as a sub-processor, with the controller's instructions flowing through Customer.
(d) Where personal information transits the Hoody AI gateway to upstream AI providers (directly or through aggregators), the upstream AI providers act as further sub-processors. The processing chain is: Customer (controller) → Hoody (processor) → Aggregator (sub-processor) → AI provider (sub-sub-processor) for aggregator-routed traffic, or Customer → Hoody → AI provider for direct routing.
(e) "Personal Data", "processing", "data subject", "controller", and "processor" have the meanings given in GDPR.
A.2 Subject Matter and Scope
(a) Subject matter: Hoody's processing of Personal Data on Customer's behalf in connection with the Services.
(b) Duration: For the term of the Terms of Service plus any retention period required under Section 10 of the Privacy Policy.
(c) Nature and purpose: Operation of the Hoody control plane, Container infrastructure, AI gateway routing, and related Services.
(d) Categories of Personal Data: As specified in Schedule 1.
(e) Categories of data subjects: As specified in Schedule 1.
A.3 Customer Instructions
Hoody processes Personal Data only on Customer's documented instructions, including:
(a) The instructions embodied in Customer's configuration of the Services (selection of upstream AI providers, regional routing, observability mode, etc.);
(b) Instructions in the Terms of Service, Privacy Policy, and this DPA;
(c) Specific instructions provided by Customer in writing.
If Hoody is required by law to process Personal Data otherwise than on Customer's instructions, Hoody notifies Customer (unless prohibited by law) before processing.
A.4 Confidentiality
Hoody ensures that personnel authorized to process Personal Data are bound by confidentiality obligations of substantially the same scope as Hoody's own.
A.5 Security
Hoody implements the technical and organizational measures specified in Schedule 2.
A.6 Sub-Processors
(a) Customer authorizes Hoody to engage sub-processors as identified in Hoody's sub-processor disclosures (see Section 8.1).
(b) Hoody notifies Customer of intended changes (additions or replacements) to the sub-processor list at least thirty (30) days in advance, by email or in-product notification.
(c) Customer may object to a new sub-processor on reasonable, documented grounds within thirty (30) days of notification. If Customer objects, Customer's options are: (i) terminate the affected Services; (ii) cease using the affected functionality; or (iii) where technically feasible, configure the Services to avoid the sub-processor (for example, by selecting an alternative upstream AI provider). Hoody is not obligated to refrain from engaging the sub-processor.
(d) Hoody binds each sub-processor by written contract to data protection obligations no less protective than those in this DPA, to the extent permitted by the contractual relationship with the sub-processor. Where Hoody routes through aggregators to further upstream sub-processors, Hoody's binding obligations apply to its direct contractual counterparty (the aggregator); the aggregator is responsible for binding its own upstream providers.
(e) Hoody remains responsible for sub-processor compliance with the obligations specifically allocated to it.
A.7 Data Subject Rights
(a) Hoody provides reasonable assistance to Customer in responding to data subject requests, taking into account the nature of processing and the information available to Hoody.
(b) Where a data subject contacts Hoody directly with a request relating to Personal Data Customer controls, Hoody forwards the request to Customer and is not obligated to respond directly.
(c) Hoody's assistance is "reasonable" — Hoody does not warrant that all data subject rights can be fulfilled where the architectural facts in Section 2.1 of the Privacy Policy mean Hoody does not have access to the data.
A.8 Personal Data Breach
In the event of a Personal Data Breach (as defined in GDPR), Hoody:
(a) Notifies Customer without undue delay and in any event within seventy-two (72) hours of Hoody becoming aware of the breach. The seventy-two-hour clock runs from Hoody's awareness, not from when the breach occurred at any layer of the processing chain (relevant where the breach originates with an upstream sub-processor and is reported to Hoody).
(b) Provides information sufficient for Customer to comply with its own notification obligations: nature of breach, categories and approximate numbers of data subjects affected, likely consequences, measures taken or proposed.
(c) Cooperates reasonably with Customer's investigation, including providing additional information as it becomes available.
(d) Does not include, in the notification or in the determination of whether a Personal Data Breach has occurred for notification purposes, routine unsuccessful security events.
A.9 Data Protection Impact Assessments
Hoody provides reasonable assistance to Customer for DPIAs and prior consultations under GDPR Articles 35 and 36, taking into account the nature of processing and the information available to Hoody.
A.10 Deletion or Return on Termination
On termination of Customer's account or on Customer's written request:
(a) Hoody deletes or returns Personal Data Hoody processes for Customer, in accordance with Section 9.7 of the Terms of Service;
(b) Hoody is not required to retain copies except where required by law (in which case Hoody continues to protect such copies under this DPA);
(c) Backup copies persist for the period of standard backup retention and age out automatically.
A.11 Audit Rights
(a) Hoody makes available to Customer information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g., SOC 2, ISO 27001) where Hoody has obtained them.
(b) Customer may, on reasonable prior written notice and at Customer's expense, conduct or commission audits of Hoody's processing under this DPA, no more than once per twelve (12) month period unless required by a data protection authority.
(c) Audits are subject to Hoody's reasonable security and confidentiality requirements, scope agreed in advance, and the practical constraint that Hoody cannot grant audit access to facilities operated by upstream sub-processors. Customer's audit rights extend to Hoody's own systems and processes.
A.12 Cross-Border Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a jurisdiction not providing adequate protection:
(a) The Standard Contractual Clauses approved by the European Commission (Module 2 for Customer-to-Hoody; Module 3 for Hoody-to-sub-processor) are incorporated into this DPA;
(b) The UK International Data Transfer Addendum applies to UK-origin transfers;
(c) Swiss-specific provisions apply to FADP-origin transfers;
(d) Annex I (Parties), Annex II (Description of Processing), and Annex III (Technical and Organizational Measures) of the SCCs are completed in Schedules 1, 2, and 3 of this DPA.
A.13 Governing Law
This DPA is governed by the law specified in Section 19.1 of the Terms of Service. Where SCCs are incorporated, the SCCs are governed as specified within them.
A.14 Order of Precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails as to data protection matters. The SCCs prevail over both as to matters they govern.
Schedules
Schedule 1 (Description of Processing), Schedule 2 (Technical and Organizational Measures), and Schedule 3 (Sub-Processor List) form part of this DPA. Schedule 3 is maintained at https://hoody.com/subprocessors and is incorporated by reference. Schedules 1 and 2 are provided on request to Customers operating under this DPA, or on execution of a B2B order form referencing this DPA.