Privacy Policy

Last updated: 3 May 2026

Hyperlists Labs LLC (“Hyperlists”, “we”, “us”) provides the Hyperlists web application and website (the “Service”). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (“GDPR”) and UK GDPR / Data Protection Act 2018.

1. Who we are (controller)

The controller for personal data processed through the Service is Hyperlists Labs LLC. You can contact us at contact@hyperlists.app.

2. What we collect

2.1 Information you provide

  • Account data — email address, optional display name, optional profile photo (provided by Google when you sign in with OAuth).
  • Content — tasks, projects, labels, descriptions and any other content you create in the Service.
  • Billing data — name, billing address and the last four digits of your card, processed and stored by our payment processor Stripe. We never see or store your full card number.
  • Support correspondence — anything you send us by email.

2.2 Information collected automatically

  • Technical data — IP address, device type, browser, OS, referrer, and pages viewed.
  • Cookies & similar technologies — see our Cookie Policy for the full list and your choices.

3. Why we use it (purposes & legal bases)

  • Provide the Service (contract — Art. 6(1)(b) GDPR): authentication, syncing your tasks, processing payments via Stripe.
  • Keep the Service safe & abuse-free (legitimate interests — Art. 6(1)(f)): rate-limiting, fraud detection.
  • Improve the product (consent for non-essential analytics — Art. 6(1)(a)): aggregated usage analytics, opt-in only.
  • Comply with the law (legal obligation — Art. 6(1)(c)): tax records, responding to lawful requests.

4. Who we share it with (sub-processors)

We do not sell or rent your personal data. We share the minimum data necessary with vetted sub-processors:

  • Supabase, Inc. — Postgres database and authentication (data residency: EU/US, configurable).
  • Stripe, Inc. — payment processing (data residency: US/EU).
  • Vercel, Inc. — application hosting and edge delivery.
  • Google LLC — only if you sign in with Google OAuth.

Sub-processors operate under data-processing agreements that include Standard Contractual Clauses where data leaves the EEA / UK.

5. International transfers

Some of our sub-processors are located in the United States. Where personal data is transferred outside the EEA / UK, we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) and apply additional technical safeguards (TLS in transit, encryption at rest, row-level security (RLS) access control).

6. How long we keep it

  • Account & content — for as long as your account exists. When you delete your account, all content is permanently erased within 30 days.
  • Billing records — kept for as long as required by tax law (typically 6–10 years), then deleted.
  • Server logs — typically retained for 30 days.

7. Your rights (GDPR / UK GDPR)

You have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased (“right to be forgotten”);
  • restrict or object to certain processing;
  • receive a copy of your data in a portable format (JSON / CSV export, available on Premium);
  • withdraw consent at any time, where processing is based on consent;
  • lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner’s Office at ico.org.uk).

Most rights can be exercised directly from Settings → Profile / Danger zone. For anything else, write to contact@hyperlists.app and we’ll respond within one month.

8. Children

Hyperlists is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with information, contact us and we’ll delete it.

9. Security

We use industry-standard practices including TLS in transit, encryption at rest, row-level security on every database row, hashed password storage, and least-privilege access. Read more on our Security page.

10. Changes to this policy

If we make material changes, we’ll notify you by email and/or a prominent in-app notice at least 30 days before they take effect.

11. Contact

Hyperlists Labs LLC
Email: contact@hyperlists.app