Privacy Policy

Last updated: March 29, 2026

This policy explains how HyperApps collects, uses, protects, and retains personal data when providing its services.

1. Data controller role

HyperApps acts as data controller for data related to commercial, contractual, billing, and support management.

For customer-hosted data processed through subscribed services, HyperApps may act as processor under customer instructions.

2. Data we collect

We may collect identification data (name, business email, company), account data (roles, access logs), billing data, and technical data (application logs, metrics, error traces).

We prioritize collecting only data strictly necessary for service operation and security.

3. Purposes and legal bases

Processing is carried out to perform the contract, deliver the service, ensure security, bill subscriptions, provide support, and comply with legal obligations.

Depending on context, legal bases include contract performance, legitimate interest (security and service improvement), consent where required, and legal obligation.

4. Data recipients

Data is accessible to authorized HyperApps personnel and, where needed, to strictly supervised technical subprocessors.

HyperApps does not sell personal data to third parties.

5. Payments and third parties

Payments are processed by Stripe. HyperApps does not access full card details.

Third-party providers are selected for appropriate security and compliance guarantees.

6. International transfers

HyperApps prioritizes data hosting and processing within the European Union.

Business data processed by HyperApps remains hosted on HyperApps physical infrastructure in the Bourgogne-Franche-Comté Region (France). The identified non-EU transfer concerns payment provider Stripe only, under the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses depending on applicable flows.

7. Retention periods

Data is retained for as long as necessary for stated purposes, then deleted or archived according to legal and operational obligations.

Connection logs are retained for 12 months in line with applicable French legal obligations (LCEN), subject to regulatory changes.

Other technical and security logs are retained for periods proportionate to monitoring, security, and audit requirements.

In case of non-payment, suspension, or account closure due to unpaid invoices, account data and related metadata may be retained for 6 months from suspension date, then permanently deleted unless legal obligations require longer retention.

8. Security measures

HyperApps applies reasonable technical and organizational measures including access control, role segregation, logging, and monitoring.

Network traffic is protected with TLS 1.3 and data at rest uses AES-256 encryption.

Physical security includes mechanical chassis locking and hardware tamper-detection controls.

Despite these measures, no system can guarantee zero risk.

9. Backups and customer responsibility

HyperApps strongly recommends that customers maintain regular backups, run restore tests, and define business continuity procedures.

Customers remain responsible for their backup strategy and data retention decisions for business data.

10. Cookies and trackers

Strictly necessary cookies may be used without prior consent when essential to provide the service.

Analytics or similar trackers, when not exempt, are subject to consent according to applicable regulation.

11. Data subject rights

In accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act of January 6, 1978 as amended, you may exercise rights of access, rectification, objection, restriction, portability, and the right to be forgotten (erasure), subject to legal limits.

Data portability can be exercised through export in an interoperable format (including JSON or CSV depending on data type).

Rights requests may be submitted through HyperApps contact channels communicated on the website or in contractual documents.

12. Data breach handling

In the event of a personal data breach, HyperApps applies incident response procedures and performs legally required notifications within applicable timelines.

Affected customers are informed where required and once useful information is available.

13. Policy updates

This policy may evolve to reflect technical, legal, or operational changes.

The effective update date is shown at the top of this page.