Privacy Policy
Effective date: April 2, 2026 · Last updated: April 2, 2026
Who we are
hypedar is operated by An Nguyen Xuan, based in Ho Chi Minh City, Vietnam. You can reach us at hello@hypedar.dev.
Data we collect
We collect only what we need to provide and improve the service. Here is a complete list:
| Data | Source | Purpose | Retention | Legal basis |
|---|---|---|---|---|
| Email address | GitHub/Google OAuth | Account identification, notifications | Account lifetime | Consent (OAuth) |
| GitHub username | GitHub OAuth | Display name, profile | Account lifetime | Consent |
| Avatar URL | GitHub/Google OAuth | Profile picture | Account lifetime | Consent |
| GitHub profile info | GitHub OAuth | User segment analytics | Account lifetime | Legitimate interest |
| Skill tags | Your input | Personalized opportunity scoring | Account lifetime | Consent |
| Alert preferences | Your input | Deliver alerts you configured | Account lifetime | Consent |
| Showcases | Your submission | Public showcase display | Account lifetime | Consent |
| Page views | Plausible Analytics | Anonymous product statistics | 90 days | Legitimate interest |
| Session events | Client-side | Product analytics | 90 days | Legitimate interest |
| Payment info | LemonSqueezy | Process payments | Per LemonSqueezy policy | Contract |
Data we do NOT collect
- No passwords — we use OAuth only
- No phone numbers or physical addresses
- No tracking cookies — we use Plausible Analytics (cookie-free, GDPR compliant, EU-hosted)
- No third-party advertising trackers
- No browsing history outside hypedar
- No IP addresses stored — used transiently for rate limiting only, never persisted
How we use your data
- Provide and improve the hypedar service
- Personalize trend scores based on your skill tags
- Send alerts and notifications you configured
- Process payments via LemonSqueezy
- Anonymous aggregate analytics to improve the product
- Detect and prevent abuse (spam, bots, rate limit circumvention)
Data sharing
We do NOT sell personal data. We do NOT share personal data for advertising. Data is shared only with these processors:
- Supabase — database hosting (SOC2 compliant, data in Singapore)
- Vercel — web hosting (GDPR DPA available)
- Fly.io — worker hosting (data in Singapore)
- LemonSqueezy — payment processing as Merchant of Record
- Plausible Analytics — anonymous, cookie-free, EU-hosted
- Telegram — only if you configure Telegram alerts (we send to your chat ID)
- Law enforcement — only if legally compelled by valid legal process
Cookies
We use only essential cookies for authentication. No marketing cookies, no tracking cookies, no third-party cookies. See our Cookie Policy for the complete list.
Your rights
Regardless of where you live, we respect these rights for all users:
- Access — request a copy of your data by emailing hello@hypedar.dev
- Correction — update your profile anytime in your dashboard
- Deletion — delete your account and all personal data is removed within 30 days
- Portability — request data export in machine-readable format
- Objection — opt out of analytics by contacting us
- Restriction — request we limit processing of your data
- Withdraw consent — revoke OAuth access from your GitHub/Google settings at any time
GDPR (EU/EEA residents)
All rights above apply. Our legal bases for processing are: consent (OAuth, user input), contract (paid subscriptions), and legitimate interest (anonymous analytics, abuse prevention).
CCPA (California residents)
We do not sell personal information. Your "Do Not Sell" right is automatically honored. You have the right to know what data we collect, request deletion, and not be discriminated against for exercising your rights.
PDPA (Vietnamese residents)
Data is processed in accordance with Vietnam's Personal Data Protection Decree 13/2023/ND-CP. You have the right to access, correct, and delete your personal data.
Data retention
- Account data: retained until you delete your account
- Analytics events: auto-deleted after 90 days
- Velocity snapshots: auto-deleted after 7 days
- Payment records: retained per tax and legal requirements (typically 7 years)
- After account deletion: personal data removed within 30 days. Showcases are anonymized (author removed) but retained.
Data security
- All data encrypted in transit (HTTPS/TLS 1.3)
- Database encrypted at rest (Supabase)
- OAuth-only authentication — no password storage
- Row Level Security on all private database tables
- Regular dependency scanning and security audits
- See our Security practices for more detail
International data transfers
Data may be processed in Singapore (Supabase, Fly.io), the United States (Vercel), and the European Union (Plausible Analytics). All processors have appropriate data protection agreements in place.
Children
hypedar is not directed at children under 16. We do not knowingly collect data from anyone under 16. If we learn we have collected data from a child under 16, we will delete it promptly.
Changes to this policy
We will notify you of material changes via email or a site banner, with at least 30 days notice. Previous versions are available upon request.
Contact
Privacy questions or data requests: hello@hypedar.dev
We will respond within 30 days.