Privacy Policy
Effective: October 2, 2025
This Privacy Policy explains how HYPERPLAN (“we”, “us”) collects and processes personal data when businesses use our product to connect their Instagram and WhatsApp accounts, submit menus and opening hours, and have AI-generated replies sent to their incoming messages. It also covers our website and analytics.
Who we are
Controller: HYPERPLAN. For most website analytics and our direct customer account data, we act as an independent controller.
Processor: For messages received by our customers via Instagram/WhatsApp, we act as a processor on behalf of the business that connected the account. The business remains the controller for its end customers’ data.
Contact: contact+privacy_policy@hyperplan.net
What we process
- Business account identifiers and contact details (e.g., name, email, Instagram Business identifiers).
- Instagram/WhatsApp message content, identifiers, contact details and metadata necessary to receive, generate, and send replies.
- Menus, opening hours, and business instructions submitted to the product.
- Operational logs and security signals (e.g., IP address, timestamps, error logs).
- Product and website analytics (events, page views) without third‑party advertising tracking.
 
Purposes and legal bases
- Provide and operate the service (account setup, integrations, message handling, AI replies) – Art. 6(1)(b) GDPR (contract) with our customer; for end‑customer messages we process as a processor under the customer's instructions.
- Security, abuse prevention, reliability, and debugging – Art. 6(1)(f) GDPR (legitimate interests).
- Product analytics and improvement – Art. 6(1)(f) GDPR (legitimate interests). Where required, we will seek consent – Art. 6(1)(a).
- Legal compliance (e.g., tax/audit, requests from authorities) – Art. 6(1)(c) GDPR.
 
Where we process and store data
Our application runs on Cloudflare in the closest region possible to users. Persistent data is stored in the European Union on Supabase, and analytics are stored in the EU with PostHog.
Processors and sub-processors
- Cloudflare – hosting, edge runtime, networking, security.
- Supabase (EU) – database and authentication.
- PostHog (EU) – product and website analytics (cookie-less).
- OpenAI – provides AI models for generating message replies. For this purpose, it acts as our sub-processor. As explained below, OpenAI may also use conversation content to improve its models, for which it acts as an independent controller.
- Optional integrations you enable (e.g., Meta APIs for Instagram/WhatsApp; Google Drive for menus).
 
Each provider processes data under a data processing agreement and appropriate safeguards. We only share data with processors necessary to provide the service, under documented instructions.
International transfers
We use recognized safeguards for transfers outside your jurisdiction:
- EEA (EU/EEA): where a provider is certified, we rely on the EU–US Data Privacy Framework (DPF). Otherwise, we use the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with appropriate supplementary measures. We also conduct transfer impact assessments (TIAs).
- UK: we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, and the UK Extension to the DPF where applicable.
- Switzerland: we use the FDPIC‑compatible SCCs or the Swiss–US DPF where applicable.
 
For AI inference and model improvement, OpenAI may process data in the United States. Conversation content may include personal data provided by users in messages. We rely on the safeguards above for these transfers.
AI model improvement (OpenAI)
To generate replies, we send conversation data to OpenAI. Under its terms, OpenAI may use this data to train and improve its models. This section provides transparency on that practice.
- Scope: conversation content and related metadata required to generate a reply. We do not add enrichment; data reflects what users and businesses submit in chats and configurations.
- Status: always on; no product toggle is offered. You may contact us to object. Where feasible with our provider, we will honor objections; otherwise we may discuss alternatives or limits on use of the feature.
- Legal basis: legitimate interests (Art. 6(1)(f) GDPR) in improving the service and underlying models. You have the right to object at any time (Art. 21). Where local law requires consent for this use, we will obtain it via the relevant controller.
- Safeguards: contractual restrictions (DPAs/SCCs/DPF, as applicable), provider security controls, and transfer safeguards noted above.
 
Analytics and cookies
We use PostHog in a cookieless mode for product and website analytics. We do not use third-party advertising cookies or cross-site tracking via PostHog. Our legal basis is legitimate interests (Art. 6(1)(f) GDPR). Where local law requires consent for analytics, we will honor that requirement.
Retention
We keep personal data only as long as necessary for the purposes above. Typical periods:
- Operational logs: up to 90 days unless required longer for security or legal reasons.
- Business account data and configurations: while your subscription or contract is active, then deleted or anonymized within 90 days.
- Message content required to operate automations: retained per your settings and deleted when no longer needed.
- Analytics: aggregated or anonymized after a short retention suitable for trend analysis.
 
Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit, network protections via Cloudflare, access controls, and least‑privilege principles. Access to end‑customer messages is restricted and audited.
Your rights
Under GDPR, you (or your end customers via the controller) may have the rights of access, rectification, erasure, restriction of processing, objection, and data portability. Where we act as a processor, please contact the relevant business/controller first; we will support their request. For matters where we are the controller (e.g., your repp.ly account or website analytics), contact us at contact+privacy_policy@hyperplan.net.
You can lodge a complaint with your local authority. Our lead authority is the CNIL (France): cnil.fr.
Children
Our service is for businesses and not directed to children. We do not knowingly collect children’s data.
Changes
We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date on this page, unless another type of notice is required by applicable law.
Contact
HYPERPLAN – Privacy inquiries: contact+privacy_policy@hyperplan.net