1. Who we are & scope
Cyberdune Technologies Pvt. Ltd. ("Cyberdune", "we", "our", "us") is the owner, operator and data controller of the Hypa app, website and related services (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use, share, retain and protect it, and the rights available to you.
This Policy applies to all users of the Service worldwide and is designed to comply with major privacy frameworks, including the EU/UK General Data Protection Regulation (GDPR/UK GDPR), the California Consumer Privacy Act as amended by CPRA (CCPA/CPRA), India's Digital Personal Data Protection Act (DPDPA), Apple App Store privacy requirements and Google Play's User Data policy.
2. The short version
Hypa is a personal catalogue for your diecast collection. We collect only the data we need to run the Service, we never sell or rent your personal data, we do not use it for cross-context behavioural advertising, and you can export or delete your data at any time.
3. Information we collect
- Account details from your identity provider (e.g. Google Sign-In): name, email address, profile picture and a unique identifier.
- Profile you create: first name, last name, mobile number (optional), bio, avatar, currency and appearance preference.
- Collection content: photos you upload and the structured metadata our AI generates (make, model, series, year, scale, colour, condition, packaging, estimated value range, rarity, notes).
- Device & usage data: app version, device model, operating system, language, coarse region, crash logs, diagnostic events and performance metrics. Collected via first-party SDKs; no advertising identifiers are collected.
- Support communications you send to us.
- Payment metadata (if you subscribe): transaction identifiers, plan, status. Card details are handled by Apple, Google or our payment processor — never by us.
We do not knowingly collect precise location, health, biometric, contact-list, calendar, SMS or call-log data.
4. How we use your information (purposes & legal bases)
- Provide, personalise and secure the Service — performance of contract.
- Run AI identification, enrichment and valuation on the photos you upload — performance of contract.
- Display your collection, KPIs and insights back to you — performance of contract.
- Diagnose crashes, prevent fraud/abuse and improve stability — legitimate interests.
- Communicate service updates, security notices and support responses — legitimate interests / contract.
- Comply with legal obligations, respond to lawful requests and enforce our Terms — legal obligation / legitimate interests.
- With your explicit consent, send optional product updates — consent, withdrawable at any time.
We do not use your data for advertising, we do not sell or "share" it for cross-context behavioural advertising as defined under CCPA/CPRA, and we do not use Your Content to train third-party foundation models.
5. AI processing
Photos you upload are transmitted to vetted AI providers strictly to identify the diecast and generate structured metadata. Providers process the image transiently under contractual data-processing terms that prohibit using your content to train their models and require deletion after processing (subject to short abuse-monitoring windows). AI outputs are best-effort estimates and are not appraisals — see the Terms of Service for details.
6. Sharing & disclosures
We share personal data only with:
- Identity providers (e.g. Google) to authenticate you;
- Cloud infrastructure and storage providers that host the Service on our behalf;
- AI model providers that process uploaded images to generate metadata;
- Payment processors (Apple, Google, or our billing provider) for subscriptions and in-app purchases;
- Analytics and crash-reporting providers that help us maintain quality;
- Professional advisors (lawyers, auditors, insurers) under confidentiality;
- Authorities where required by law, subpoena or to protect rights, safety or property;
- Successors in the event of a merger, acquisition, reorganisation or sale of assets, subject to equivalent protections.
All processors are bound by written data-processing agreements. We do not sell your personal data.
7. International transfers
Cyberdune is headquartered in India and uses infrastructure and subprocessors in multiple jurisdictions. When personal data is transferred across borders, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms recognised under applicable law.
8. Data retention
- Profile and collection data are retained while your account is active.
- If you delete a car, its record and associated photos are removed from production systems, with residual copies expiring from encrypted backups on their normal rotation (typically within 30–90 days).
- If you delete your account, we delete or anonymise your personal data within 30 days, except where longer retention is required for legal, tax, accounting, fraud-prevention or dispute-resolution purposes.
- Aggregated and de-identified data may be retained indefinitely.
9. Your rights & choices
Depending on your jurisdiction, you may have the right to access, rectify, delete, restrict or object to processing, port your data, withdraw consent, and lodge a complaint with a supervisory authority. California residents have additional rights to know, delete, correct, and to opt-out of "sale" or "sharing" (which we do not engage in). Residents of India have rights under the DPDPA including nomination and grievance redressal.
You can exercise most rights directly in the App (edit profile, delete cars, sign out, delete account). For anything else, contact compliance@hypa.app; we will respond within the timeframes required by applicable law (typically within 30 days). We may need to verify your identity before acting on a request.
10. Security
We use industry-standard technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, row-level access controls, private storage buckets, least- privilege access for staff, audit logging, and regular security reviews. No system is perfectly secure; you also play a role — use a strong password on your identity provider, enable multi-factor authentication, and keep your device up to date. If you believe your account has been compromised, contact support@hypa.app immediately.
11. Children's privacy
Hypa is not directed to children under 13 (or the minimum digital- consent age in your jurisdiction, if higher) and we do not knowingly collect personal data from them. If we learn that we have collected data from a child without appropriate consent, we will delete it. If you are a parent or guardian and believe your child has provided us data, contact compliance@hypa.app.
12. Apple & Google platform disclosures
In line with the Apple App Store privacy nutrition- label framework, we disclose the categories above (Contact Info, User Content, Identifiers, Usage Data, Diagnostics). None of these are used for third-party advertising or tracking as defined by Apple's App Tracking Transparency framework — Hypa does not track you across apps or websites owned by other companies.
In line with Google Play's User Data policy and Data Safety declarations, we collect only the data categories needed for the Service, encrypt data in transit, provide an in-app mechanism to request data deletion, and honour deletion requests submitted to compliance@hypa.app.
13. Cookies & similar technologies
Our website uses strictly necessary cookies and similar local-storage technologies to keep you signed in and remember your preferences. We do not use advertising cookies. Where required by law, we present a cookie/consent notice and honour your choices.
14. Ownership of data & aggregate insights
Your personal data belongs to you. The Service software, models, prompts, catalogues, database schemas and derived aggregated/de- identified statistics are the proprietary property of Cyberdune Technologies Pvt. Ltd. and its licensors and are protected as described in the Terms of Service.
15. Automated decision-making
The AI features generate suggestions (identification, valuation ranges) that are advisory only. We do not use these outputs to make decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22.
16. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be surfaced in-app or by email before they take effect. The "Last updated" date below indicates the most recent revision.
17. Contact & grievance officer
Data controller: Cyberdune Technologies Pvt. Ltd.
- Privacy & data-protection requests: compliance@hypa.app
- Product support: support@hypa.app
- Billing & subscriptions: billing@hypa.app
For users in India, the Grievance Officer under the DPDPA and IT Rules can be reached at compliance@hypa.app. We aim to acknowledge grievances within 48 hours and resolve them within the statutory timeframe.