Privacy Policy
What we collect, why, how long we keep it, and the third parties involved in delivering the Service.
1. What we collect
HypeCity is anonymous-first. We try to collect the minimum that lets us run the product.
- Anonymous identifier. A random UUID stored in the hc_anon cookie (with a small hc_anon_read readability flag). This lets us persist your Watchlist and subscription status without an account.
- Email address (paid users). When you upgrade, Stripe Checkout collects an email for billing receipts. We store that email in our subscriptions table to keep your tier linked to you.
- IP address & basic device info. Captured automatically by our hosting (Vercel) for security, abuse prevention, and request routing. We don't use IPs for advertising.
- Usage events. Aggregated product analytics — which page you viewed, whether you ran an analysis, whether a paywall was shown. Sent to PostHog with the anon_id but no PII.
- Error reports. Server-side errors are forwarded to Sentry with the request route and stack trace, never the request body (we explicitly disable PII forwarding).
- Listing inputs you paste. When you run a deal analysis, the listing URL or property details you enter are processed in-memory and saved on your analysis record so you can re-view it.
2. Why we collect
- Deliver the Service. The Watchlist needs the anon_id; subscriptions need a billing email; analyses need the URL you pasted.
- Bill you. Stripe needs your payment information to charge your card.
- Improve the product. Aggregated analytics tell us which features work and which don't.
- Comply with law. Tax records, fraud-prevention, and similar legal obligations.
3. How long we keep it
- Anonymous Watchlist + analytics: kept while your hc_anon cookie is in use, and up to 24 months after last activity.
- Subscription records (email, customer/subscription IDs): retained for the duration of your subscription plus 7 years after the last charge for tax and audit purposes.
- Server logs: 30 days at Vercel; Sentry events are retained per their default plan settings (typically 90 days).
[TODO: founder review] Confirm 7-year billing-record retention against your jurisdiction's tax rules — some countries require 5 or 10.
4. Third parties we share with
We use the following sub-processors. None of them receives more than the data they need to do their job.
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database hosting | All persisted records (Watchlist, subscriptions, snapshots) |
| Stripe | Payments | Billing email, payment method, anon_id (as metadata) |
| PostHog | Product analytics | Event name + anon_id + non-PII event properties |
| Sentry | Error monitoring | Stack traces, request route, no request bodies |
| Vercel | Hosting + edge network | Request metadata (IP, user agent), all HTTP traffic |
| Anthropic | AI deal analysis | The listing data you submit on /analyze |
We don't sell your data. We don't share it with advertising networks. We do not use it to train external AI models beyond the single-shot inference Anthropic performs to generate your analysis.
5. Your rights
Subject to applicable law (GDPR for EU/EEA residents, the UK GDPR, CCPA/CPRA for California residents, and similar laws elsewhere), you can:
- Access the data we hold about you.
- Correct inaccurate data — primarily your billing email via Stripe.
- Delete your account and associated records. Email us and we'll process within 30 days, subject to legal retention obligations.
- Export your data in a portable format.
- Withdraw consent for analytics by following the opt-out steps in our Cookie Notice.
- Complain to your local data protection authority.
To exercise any of these, email privacy@hypecity.com.
6. Cookies & tracking
We set the strictly-necessary hc_anon and hc_anon_read cookies plus PostHog and Stripe cookies during specific flows. See the full breakdown in our Cookie Notice.
7. Children
HypeCity is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe a child has used the Service, contact us and we'll delete the associated records.
8. Changes
We'll post material changes to this page with a refreshed "Last updated" date. Active subscribers will be emailed at least 14 days before changes affecting their data take effect.
9. Contact
[TODO: founder review] If HypeCity has EU customers, GDPR Art. 27 may require a representative inside the EU — confirm with counsel whether you need one and whose contact details to publish here.