Privacy Policy
Last updated: March 13, 2026
TL;DR: We collect your email and the content you create. We do not track you, run ads, or sell your data. Stripe handles payments. You can delete your account and all data at any time.
Who we are
Hype Doc is operated by Hype Doc ("we," "us," "our"). We are the data controller responsible for your personal data. If you have questions about this policy or your data, contact us at hello@myhypedoc.com.
What we collect
We collect the following categories of personal information:
- Account information: Email address (used for passwordless sign-in via one-time codes)
- User content: The wins, spaces, and tags you create
- Usage data: Server logs including IP address, browser type, and timestamps of requests. These are retained for 30 days for security and debugging purposes, then deleted
- Payment data: If you subscribe to Pro, Stripe collects and processes your payment information. We receive only your subscription status and a Stripe customer ID. We never see or store your credit card number
Legal basis for processing (GDPR)
We process your personal data under the following legal bases:
- Contract: Processing your account and content data is necessary to provide the Hype Doc service you signed up for
- Legitimate interest: Server logs are processed for security, fraud prevention, and debugging. We balance this against your privacy rights and limit retention to 30 days
- Consent: If we ever introduce optional features that require additional data processing, we will ask for your explicit consent first
How we use your data
Your data is used solely to provide and maintain the Hype Doc service. Specifically:
- To create and manage your account
- To store and display your wins, spaces, and tags
- To process payments for Pro subscriptions
- To send transactional emails (sign-in codes, email verification, billing notices)
- To monitor and protect the security of the service
We do not sell, rent, or share your personal data with third parties for their marketing purposes. We do not run ads. We do not build profiles on you. We do not engage in automated decision-making or profiling. Your wins are private to your account.
Third-party services
We use a small number of third-party services to operate Hype Doc:
- Render (United States) hosts the application and database under their own privacy policy
- Stripe (United States) processes payments for Pro subscriptions under their own privacy policy
We do not use any analytics, advertising, or tracking services.
International data transfers
Hype Doc is hosted in the United States. If you are accessing the service from outside the United States (including the European Economic Area, United Kingdom, or Switzerland), your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and our data processing agreements with infrastructure providers to ensure appropriate safeguards for international transfers.
Data retention
We retain your data as follows:
- Account and content data: Retained for as long as your account is active. When you delete your account, all associated data is permanently deleted within 30 days
- Server logs: Retained for 30 days, then automatically deleted
- Payment records: Retained as required by tax and accounting regulations (typically 7 years for transaction records)
Data security
All traffic to Hype Doc is encrypted via HTTPS/TLS. Authentication uses passwordless one-time codes that expire after 15 minutes. API tokens are stored as SHA-256 digests. OAuth tokens expire after one hour. We follow security best practices including rate limiting, CSRF protection, and input validation.
Data breach notification
In the event of a data breach affecting your personal data, we will notify you via the email address associated with your account within 72 hours of becoming aware of the breach, as required by GDPR.
Cookies
We use a single, strictly necessary session cookie to keep you signed in. No tracking cookies, no analytics cookies, no third-party cookies. Because this cookie is essential for the service to function, it does not require consent under GDPR.
Do-Not-Track
We honor Do-Not-Track browser signals. Since we do not use tracking cookies or analytics, there is no tracking behavior to disable.
API and MCP access
When you connect Hype Doc to external tools via the API, CLI, or MCP server, those tools can only access your data with your explicit authorization. API tokens can be revoked at any time from Settings. OAuth tokens for MCP access expire automatically and can be revoked through the app.
Your rights under GDPR
If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Request that we restrict processing of your data in certain circumstances
- Portability: Request your data in a structured, machine-readable format (JSON)
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, email hello@myhypedoc.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
Your rights under CCPA (California residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:
- Right to know: You can request the categories and specific pieces of personal information we have collected about you
- Right to delete: You can request deletion of your personal information
- Right to opt-out of sale: We do not sell your personal information. We have never sold personal information and have no plans to do so
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise your rights, email hello@myhypedoc.com. We will verify your identity using the email associated with your account and respond within 45 days.
In the preceding 12 months, we have collected the following categories of personal information: identifiers (email address), commercial information (subscription status), and internet activity (server logs). We have not sold or shared any personal information with third parties for cross-context behavioral advertising.
Children's privacy
Hype Doc is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us at hello@myhypedoc.com and we will delete it promptly.
Changes to this policy
If we make significant changes to this privacy policy, we will notify you via the email address associated with your account at least 30 days before the changes take effect.
Contact
Questions about privacy? Reach out at hello@myhypedoc.com.