Privacy Policy
What HypeCity Intelligence LTD collects, why, how long we keep it, who we share it with, and your rights under GDPR, UK GDPR, the Israeli Privacy Protection Law, and CCPA/CPRA.
1. Who we are
The data controller for the personal data processed through hypecintelligence.com, hypecity.com, the underlying applications and APIs, and any related services (collectively, the "Service") is:
Company No. 517353868 · Registered office: 18 Maze St, Tel Aviv, Israel
Privacy questions: privacy@hypecintelligence.com
EU/UK representative (GDPR Art. 27 / UK GDPR). We are reviewing with counsel whether we are required to appoint a representative in the EU and/or the UK. If an appointment is required, the representative's name and contact details will be published in this section and this Policy's version will be updated.
For purchases, our Merchant of Record Paddle.com Market Limited (UK) and Paddle Inc. (US) (together, "Paddle") act as independent controllers of the personal data they collect to process your payment, calculate and remit tax, issue invoices, and detect fraud. Paddle's own Privacy Policy applies to that processing.
2. Scope
This Policy applies to personal data we process when you visit our websites, use the Service (including the AI Deal Analyzer, the Speed Match quiz, the AI Copilots "Roison" and "Antonia", and the Tycoon market), or otherwise interact with us. It does not cover websites or services operated by third parties, even if linked from the Service.
3. What we collect & why
The Service is anonymous-first. We try to collect the minimum that lets us run the product. The table below summarises each category, what it is, why we process it, and the legal basis under the EU/UK GDPR. Where the Israeli Privacy Protection Law 5741-1981 ("PPL") applies, processing is grounded in your consent or our legitimate interests as a database holder, in accordance with Article 1 of the PPL.
| Category | Why we process | Legal basis (GDPR) |
|---|---|---|
Anonymous identifier. A random UUID stored in the hc_anon cookie + a small hc_anon_read readability flag. | Persist your Watchlist, quiz results, subscription tier, and AI Copilot history (on your device) across page loads without an account. | Necessary for performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) for Free-tier visitors. |
| Billing email + subscription metadata received from Paddle when you upgrade. | Link your Paid Plan to your Account, deliver receipts and renewal notices, provide support. | Necessary for performance of a contract (Art. 6(1)(b)); legal obligation for tax records (Art. 6(1)(c)). |
| IP address & basic device/browser info. | Security, abuse prevention, request routing, rate-limiting, fraud detection. Never used for advertising. | Legitimate interests (Art. 6(1)(f)) in operating the Service securely and legally. |
| Usage events (page viewed, analysis run, paywall shown, quiz answered). | Aggregated product analytics so we know which features work. Tied to the hc_anon id, not to any identified person. | Legitimate interests (Art. 6(1)(f)); or consent (Art. 6(1)(a)) where required by ePrivacy / Israeli telecom rules. |
| Error reports. Server-side errors with stack traces and request route — request bodies are stripped. | Detect, diagnose, and fix faults; protect the integrity of the Service. | Legitimate interests (Art. 6(1)(f)). |
| User Inputs. Content you submit — listing URLs, property details, AI Copilot chat messages, quiz answers. | Generate the Output you asked for; let you re-view past analyses on your device. | Necessary for performance of a contract (Art. 6(1)(b)). |
| Support correspondence. Anything you send to support@, legal@, or privacy@. | Handle your request; document our compliance. | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable. |
We do not intentionally collect "special-category" personal data (e.g. race, health, political opinions, biometrics). Do not submit such data through the Service.
4. AI features & your inputs
The AI Deal Analyzer and the AI Copilots ("Roison" / "Antonia") send your prompts and supporting context to a third-party large-language-model provider (currently Anthropic) for inference. The provider returns a response which we display to you and (subject to your device) cache locally so you can re-read it.
We do not use your User Inputs or AI prompts/responses to train external large-language models beyond the single inference necessary to produce your Output. We may process anonymised and de-identified prompts/responses to operate, secure, evaluate, and improve the Service.
5. How long we keep it
- Anonymous Watchlist, quiz results, and on-device Copilot history persist on your device as long as the
hc_anoncookie is in use. We delete server-side anonymous records up to 24 months after last activity. - Subscription metadata (email, customer/subscription ID, plan, charge history) are retained for the duration of your subscription plus seven (7) years after the last charge, to comply with Israeli tax-record and accounting obligations and similar legal requirements in other jurisdictions.
- Server logs are retained for up to 30 days at our hosting provider, except where retained longer for an active security investigation.
- Error monitoring events are retained for up to 90 days.
- Support correspondence is retained for up to 3 years after the matter closes, or longer if needed to defend or pursue a legal claim.
6. Sub-processors
We engage the following sub-processors. Each receives only the data needed to perform its function and is bound by contractual confidentiality and data-protection obligations.
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| Paddle (Paddle.com Market Ltd, UK; Paddle Inc., US) | Merchant of Record — checkout, payment processing, tax calculation & remittance, refunds, fraud prevention, invoicing. | Billing email, billing country/address, payment method (handled by Paddle), purchase metadata. | UK, US, EU |
| Supabase Inc. | Primary database hosting (PostgreSQL). | Watchlist, subscription tier, hashed identifiers, analysis records. | EU / US (region of your Supabase project) |
| Vercel Inc. | Hosting, edge network, deployment. | Request metadata (IP, user agent), all HTTP traffic. | Global edge |
| PostHog Inc. (EU Cloud where available) | Product analytics. | Event name + hc_anon id + non-PII event properties. | EU / US |
| Sentry / Functional Software, Inc. | Error monitoring. | Stack traces, request route, no request bodies. | EU / US |
| Anthropic, PBC | AI inference for the Analyzer and Copilots. | The prompt you submit (User Inputs + system context) — single-shot inference, not used for model training. | US |
| Cloudflare, Inc. | Bot protection (Turnstile) and DNS. | Visit metadata for the bot challenge. | Global edge |
We may update this list. Material additions of new categories of sub-processor will be reflected here and (for Paid Plan users) notified by email at least 14 days in advance where reasonably practicable.
We do not sell your personal data. We do not "share" it for cross-context behavioural advertising as defined under the CCPA/CPRA. We do not use it to train external AI models beyond the single-shot inference described in Section 4.
7. International data transfers
HypeCity is established in Israel, which has been recognised by the European Commission as offering an adequate level of data protection (adequacy decision, 2011). For transfers to sub-processors in the United States or elsewhere outside the EEA, UK, and Israel, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and (where applicable) the EU–US Data Privacy Framework certifications of the relevant sub-processor.
You may request a copy of the safeguards in place by emailing privacy@hypecintelligence.com.
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you and obtain a copy.
- Rectify data that is inaccurate or incomplete (typically your billing email — update it in the Paddle customer portal).
- Erasure ("right to be forgotten") — we will delete your records subject to legal retention obligations (e.g. tax records).
- Restriction of processing in defined circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Object to processing based on our legitimate interests, including direct marketing.
- Withdraw consent at any time where processing relies on consent — withdrawal does not affect the lawfulness of processing before withdrawal.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you.
Israeli residents additionally have the right to access, correct, and request deletion of personal data under sections 13 and 14 of the PPL and (from 2025) the strengthened rights introduced by Amendment 13 to the PPL.
California residents have the rights to know, delete, correct, opt out of "sale" or "sharing" (we do neither), and limit the use of sensitive personal information under CCPA/CPRA. We do not discriminate against you for exercising these rights.
To exercise any right, email privacy@hypecintelligence.com. We will respond within 30 days (and where required, within shorter statutory periods). We may need to verify your identity (typically by confirming control of the email tied to your subscription).
Right to complain. If you believe we have not handled your data lawfully, you may complain to your supervisory authority — for example, the Israeli Privacy Protection Authority (www.gov.il/.../privacy_protection_authority), the UK ICO (ico.org.uk), or any EU/EEA Data Protection Authority. We would appreciate the opportunity to address your concerns first — please contact us.
9. Cookies & tracking
The full breakdown of every cookie we set is in our Cookie Notice. In short: we set strictly-necessary cookies to remember your anonymous identity and consent, analytics cookies to count usage in an aggregated way, and (only on the Paddle checkout) payment cookies set by Paddle for fraud prevention.
10. Security
We protect personal data using technical and organisational measures appropriate to the risk, including TLS encryption in transit, encryption at rest at our hosting provider, role-based access controls, secrets management, application-layer authentication, bot protection (Turnstile), and ongoing monitoring. No system can be guaranteed secure; you are responsible for keeping your device and email secure.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in line with our legal obligations (under GDPR within 72 hours, and under the PPL in accordance with the Israeli data-security regulations).
11. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under that age. If you believe a child has used the Service, contact privacy@hypecintelligence.com and we will delete the associated records.
12. Do Not Track & Global Privacy Control
The "Do Not Track" browser signal lacks an agreed industry standard and the Service does not currently respond to it. Where the Global Privacy Control (GPC) signal is sent by your browser, we treat it as an opt-out of analytics cookies on the page where it is received.
13. Changes to this Policy
If we make material changes, we will give you reasonable advance notice (by email to the address on file for Paid Plan users, by an in-product notice, or by updating the "Effective" date at the top). Continued use of the Service after the effective date means you accept the updated Policy.
14. Contact
Company No. 517353868 · Registered office: 18 Maze St, Tel Aviv, Israel
Privacy questions & data-rights requests: privacy@hypecintelligence.com
General: support@hypecintelligence.com