Security

How we protect your data and your privacy.

Passwordless Authentication

Hooks.ly uses passwordless login exclusively. Instead of storing passwords (which can be leaked, guessed, or reused), we send a one-time 6-digit code to your email every time you sign in. Codes are cryptographically generated, expire in 10 minutes, and are limited to 5 verification attempts. Each new code automatically invalidates all previous codes for your account.

If you signed up through Google or Apple OAuth, your identity is verified directly with those providers using industry-standard OpenID Connect — we never see or store your password from those services.

Payment Security

Hooks.ly does not currently process payments or handle card data. Payment for a trip is arranged and made directly between you and the Guide (for example by Venmo, Zelle, or cash), so no card numbers or bank details are entered into or stored by Hooks.ly.

When we introduce built-in online card payment, it will be handled by a PCI DSS Level 1 certified payment processor — the highest level of certification in the payments industry — with card details entered directly into the processor's secure forms so they never touch our servers. We'll update this page when that launches.

Data Encryption

All data in transit is encrypted using TLS 1.2+ (HTTPS). Our production servers enforce HSTS (HTTP Strict Transport Security) with a one-year policy, preloading, and subdomain inclusion — meaning your browser will never connect to us over an insecure channel.

Data at rest is stored in PostgreSQL databases with access restricted to application-level credentials. Media files (profile images, trip photos) are stored in AWS S3 with server-side encryption and served through CloudFront CDN.

Messaging Privacy

When you message a guide through Hooks.ly, your personal phone number and email are never shared directly. Messages are routed through our platform using proxy contact information. If you opt into SMS messaging, texts are sent through our Twilio integration — the guide sees a platform number, not yours.

WebSocket connections (real-time messaging) require JWT authentication. Messages are validated for participant membership before delivery — you can only send and receive messages in threads you belong to.

Rate Limiting & Abuse Prevention

All API endpoints are rate-limited to prevent abuse. Login attempts are throttled to 10 per minute, magic code requests to 5 per minute, and general API usage to 300 requests per minute for authenticated users. Public endpoints have stricter limits.

We use anti-scraping protections on guide data to prevent automated harvesting of guide contact information and business details.

Account Deletion & Data Erasure

You can request account deletion at any time from your settings. Deletion requires email confirmation via a signed, time-limited token. After confirmation, your account is deactivated immediately and can be restored if you change your mind.

If you require full data erasure under GDPR or similar privacy regulations, contact us at [email protected]. We will permanently anonymize all personal information associated with your account — including your name, email, phone number, and profile photo — while preserving non-identifying platform records for operational integrity. This process is irreversible.

Audit Logging

All significant actions on the platform — account changes, bookings, payments, permission changes — are recorded in a tamper-resistant audit log using cryptographic hash chaining (SHA-256). Each log entry includes the previous entry's hash, making unauthorized modification detectable. This ensures accountability and supports compliance investigations.
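A minimal sketch of the hash chaining described above, added here as an illustration and not Hooks.ly's own code; the entry layout, field names, and genesis value are assumptions. It also checks the chain against a separately stored copy of the latest hash, because a log that is truncated or rebuilt from the first entry is still internally consistent.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always produces the same digest.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev_hash": prev,
                "hash": entry_hash(prev, record)})

def verify(log, expected_head=None):
    """Return None if intact, else the index where verification fails.

    len(log) means every link is consistent but the final hash differs
    from expected_head (chain truncated or rebuilt from scratch).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["prev_hash"] != prev
                or entry["hash"] != entry_hash(prev, entry["record"])):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

# Constructed sample events, not real platform data.
SAMPLE = [
    {"actor": "user:17", "action": "account.email_changed"},
    {"actor": "user:17", "action": "booking.created"},
    {"actor": "admin:2", "action": "permission.granted"},
]

def build_sample():
    log = []
    for record in SAMPLE:
        append(log, dict(record))
    return log

if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["hash"]  # keep this copy where the log writer cannot alter it
    log[1]["record"]["action"] = "booking.cancelled"  # simulated in-place edit
    print("first bad entry:", verify(log, head))
```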

Infrastructure

Our application runs in containerized environments with isolated services. Secrets (API keys, database credentials, encryption keys) are managed through environment variables and never committed to source code. Error monitoring is handled by Sentry with performance tracing. Security headers (CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are applied to all responses.

Responsible Disclosure

If you discover a security vulnerability, please report it to [email protected]. We take all reports seriously and will respond promptly.