Skip to main content

HyperFound — Privacy Policy

Last updated: 25 June 2026 · Effective: 25 June 2026 · Version 1.0 Binding language: English. Any translation is provided for convenience only.

This Privacy Policy explains how HyperFound — a trade name (nombre comercial) of Tom Marx, an individual entrepreneur (empresario individual / autónomo) established in Spain, tax ID Y7134879V (NIE), business address Avenida la Reserva S/N, 12/1B, URB. Senda Chica, 11310 Sotogrande (San Roque, Cádiz), Spain ("HyperFound", "we", "us", "our") — collects, uses, shares, and protects personal data in connection with our AI-search / answer-engine-optimisation ("AEO") platform (the "Service"), our website, and our sales and marketing activities. The legal data controller is the named individual; "HyperFound" is the brand under which they operate.

We sell to businesses only (no consumers). The Service is not directed to individuals under 18.

This Policy meets the EU General Data Protection Regulation ("GDPR") and Spain's Ley Orgánica 3/2018 ("LOPDGDD"); the UK GDPR; the Swiss FADP; and, for our U.S. customers, the California Consumer Privacy Act as amended by the CPRA ("CCPA") and other U.S. state privacy laws. Where we process personal data on behalf of a customer (Customer Content — see §3), the customer is the controller and our Data Processing Addendum ("DPA") governs.


1. Who we are; controller vs processor

HyperFound plays two roles:

  • Controller — for the personal data of our customers' users and contacts (account, billing, usage, marketing). This Policy governs that processing.
  • Processor — for personal data in Customer Content, including data our embeddable tracking script collects about a customer's website visitors. Here the customer is the controller and the DPA governs; this Policy is informational.

Data-protection contact: tom@hyperfound.ai (subject line "DATA PROTECTION REQUEST"). Postal: Avenida la Reserva S/N, 12/1B, URB. Senda Chica, 11310 Sotogrande (San Roque, Cádiz), Spain. We have not appointed a Data Protection Officer; one is not required at our current scale and processing profile.

2. The personal data we process, and why

2.1 Account & identity — name, work email, avatar, role, organisation/workspace, authentication identifiers, onboarding progress, notification preferences. Purpose: create and operate accounts, authenticate users, deliver and support the Service. Legal basis: contract (Art. 6(1)(b)); legitimate interests in administering accounts (Art. 6(1)(f)).

2.2 Billing & financial records — billing contact, VAT/tax ID, Stripe customer reference, plan/subscription events, and limited card metadata (brand, last four, expiry). Full card data is collected and stored by Stripe; we never store full card numbers. Purpose: process payments, maintain statutory accounting records. Legal basis: contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax/accounting retention.

2.3 Usage & service telemetry — features used, actions taken, queries run, session and device metadata, IP address, error logs, performance/cost telemetry, and audit-trail records. Purpose: operate, secure, debug, and improve the Service; detect and prevent abuse; attribute usage and cost. Legal basis: legitimate interests (Art. 6(1)(f)).

2.4 AI-visibility & capture data — the brand-visibility measurements we generate by running synthetic, platform-generated queries (e.g., "best [industry] tools", "[brand] vs [competitor]") against AI engines and analysing the public outputs. These queries contain brand/competitor/industry terms — not your end-users' real queries and not personal data about you. Legal basis: contract (Art. 6(1)(b)).

2.5 Competitive-intelligence content (data about individuals who appear in public AI/web content) — see §5 (our GDPR Art. 14 transparency disclosure).

2.6 Connected-integration data — if you connect Google Search Console, Google Analytics 4, or Slack, we access data from your own accounts to provide the Service. OAuth tokens are stored encrypted (AES-256-GCM with per-provider key separation). You control scope and may disconnect at any time. Legal basis: contract (Art. 6(1)(b)); you control the connected-account data.

2.7 Marketing & prospect data — business-contact details from you or from public sources, and email-engagement metrics. Purpose: relevant B2B communications. Legal basis: legitimate interests (Art. 6(1)(f)); consent (Art. 6(1)(a)) where required. Opt out anytime via any email's unsubscribe link or tom@hyperfound.ai.

2.8 Error & security logs — application-error and content-security-policy reports, which may incidentally contain IP addresses, URLs, or other identifiers. We scrub secrets and known sensitive fields from these logs and keep them only for a limited period. Legal basis: legitimate interests (Art. 6(1)(f)) in security and integrity.

2.9 Website cookies & analytics — see our Cookie Policy. Non-essential analytics load only with your consent; until then our analytics run in a cookieless mode that sets no analytics cookies. Legal basis: consent (Art. 6(1)(a)) for non-essential cookies; legitimate interests for strictly-necessary cookies.

3. Customer Content (our processor role)

To deliver the Service we host, store, and process the data, files, prompts, queries, URLs, and other content you or your users submit ("Customer Content"), and data our tracking script collects about your website visitors (session identifier, user-agent, referrer, page URLs; for AI-crawler detection, the crawling bot's IP address — we do not collect your human visitors' IP addresses). We process this only on your documented instructions as your processor under the DPA. You are responsible for your lawful basis and for any notices/consents your end users require.

4. Artificial intelligence & model training

The Service uses third-party large language models (sub-processors) to process content at inference time. HyperFound does not use Customer Content or the personal data we process to train, fine-tune, or develop machine-learning models — we operate no model-training pipeline. We contractually require the AI providers that process Customer Content not to use it to train their models, save for limited, provider-side abuse-monitoring retention. AI engines we merely measure (e.g., DeepSeek, Perplexity, Google) receive only synthetic, non-personal queries (§2.4) and never your personal data.

5. Individuals mentioned in AI/web content (Art. 14)

To measure brand visibility we collect publicly available content from AI engines and the public web. This content may incidentally contain personal data (e.g., names of public figures, authors, or social-media accounts). Source: AI-engine outputs and public web pages — not collected from you directly.

  • Purpose: measuring how brands and topics appear across AI engines.
  • Legal basis: legitimate interests (Art. 6(1)(f)), balanced against data-subject rights in a documented Legitimate Interests Assessment.
  • Your right to object (Art. 21): email tom@hyperfound.ai; we assess each request and, where applicable, suppress or remove the matching data.

6. Cookies

We use a minimal set of cookies and similar technologies, described in our Cookie Policy. The only non-essential technology is analytics, which loads only after consent (statutory basis: LSSI-CE Art. 22.2 and AEPD cookie guidance).

7. Recipients & sub-processors

We share personal data only with providers that help us deliver, secure, or improve the Service, or where required by law. We do not sell personal data and do not share it for cross-context behavioural advertising. Our sub-processors — cloud infrastructure, payments, email, analytics, AI inference, and web-capture providers — are bound by written data-protection terms no less protective than our DPA. Our current Sub-processor List shows each provider's location and transfer mechanism; we give at least 30 days' notice of any new sub-processor.

8. International transfers

We transfer personal data internationally (notably to U.S.-based AI and infrastructure providers). Where data leaves the EEA/UK/Switzerland we rely on:

  • the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), Modules 2 (C2P) / 3 (P2P) as applicable;
  • the UK International Data Transfer Addendum for UK transfers;
  • the Swiss addendum to the SCCs for Swiss transfers; or
  • an adequacy decision / the EU-US Data Privacy Framework where a provider is certified.

Planned relocation: HyperFound intends to relocate its operating entity to Singapore. After that move, transfers from the EEA/UK/Switzerland to HyperFound will rest on SCCs / the UK IDTA (Singapore has no EU adequacy decision), and Singapore's PDPA will apply to our processing; we will update this Policy accordingly.

9. Retention

We keep personal data only as long as necessary for the purposes above and to meet legal obligations, then delete or anonymise it. We delete personal data when the related account or workspace is deleted. Indicative periods:

CategoryRetention
Account & contact dataLife of the account, then deleted/anonymised
Billing & tax recordsStatutory period — Spain: 6 years (Código de Comercio art. 30; longer where tax law requires); the invoice record is held by Stripe
Usage & telemetryLimited period; pseudonymised/aggregated thereafter
AI-visibility & capture dataLimited period tied to the workspace
Competitive-intelligence personal identifiersMinimised; removed on objection
Error/security logsLimited period
Marketing recordsUntil you object/unsubscribe

10. Your rights (EU/EEA, UK, Switzerland)

You may access, rectify, erase, restrict, and port your data, object to processing based on legitimate interests (including §5 and direct marketing), and withdraw consent at any time. Email tom@hyperfound.ai (subject "DATA PROTECTION REQUEST"); we respond within one month (GDPR Art. 12(3)). You may also complain to your local supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD), www.aepd.es — though we'd welcome the chance to resolve it first.

11. U.S. state privacy rights (CCPA/CPRA and other states)

For U.S. customers and their personnel, you may know/access, delete, and correct your personal information; opt out of any "sale" or "sharing" (we do not sell or share personal information as defined by the CCPA, and have not in the preceding 12 months); limit use of sensitive personal information (we do not use SPI beyond permitted purposes); and you will not be discriminated against for exercising these rights.

The categories of personal information we collect are identifiers (e.g., name, email, IP), commercial information (subscriptions, transactions), internet/network activity (usage), and professional information (role, company); we disclose these to our sub-processors for business purposes only. We honour the Global Privacy Control (GPC) signal as an opt-out of sale/share. You may use an authorised agent (with proof of authorisation). To exercise: tom@hyperfound.ai (subject "US PRIVACY REQUEST"). Where we act as a service provider for a customer, we route your request to that customer.

12. Security

We maintain administrative, technical, and physical safeguards appropriate to the risk — including encryption in transit (TLS) and at rest, role-based access controls, network and application controls (including an enforced Content-Security-Policy), logging, and a documented incident-response process. OAuth credentials are encrypted with AES-256-GCM. If we become aware of a personal-data breach affecting your data, we notify the affected customer without undue delay and, where required, the relevant supervisory authority and affected individuals.

13. Children

The Service is B2B and not directed to anyone under 18; we do not knowingly collect children's data.

14. Automated decision-making

We do not carry out automated decision-making that produces legal or similarly significant effects on individuals (GDPR Art. 22). The Service measures and ranks brands/organisations; outputs are presented to our customer's authorised users for human review and may be overridden.

15. Governing law & supervisory authority (Spain)

  • Controller establishment & lead supervisory authority: Spain — the controller is Tom Marx, an individual entrepreneur (autónomo) established in Spain; lead authority is the AEPD (Agencia Española de Protección de Datos). As an EU-established controller, no EU Art. 27 representative is required; we will appoint a UK representative if and when we target UK data subjects.
  • Applicable national law: LOPDGDD (LO 3/2018) alongside the GDPR, and LSSI-CE (Ley 34/2002) for information-society and cookie matters.

16. Changes & contact

We will notify you of material changes by email or a prominent website notice before they take effect; the "Last updated" date reflects the current version. Contact: tom@hyperfound.ai · Avenida la Reserva S/N, 12/1B, URB. Senda Chica, 11310 Sotogrande (San Roque, Cádiz), Spain.