Privacy Policy

We collect only what we need to run the Services:

• Account data. Name, email, workspace name, role and profile image from your identity provider (e.g. Google).
• Workspace content. Protocols, proposals, memos, chat messages and votes that you and your team create inside Hiperlinks.
• Connected integrations. With your consent, metadata and message content from connected sources (Gmail, Slack, Google Calendar) strictly to evaluate governance triggers.
• Usage data. Log and device information such as IP address, browser type, timestamps and actions taken within the product.
• On-chain data. When a protocol records a decision on-chain, the decision hash and transaction reference are public by design.

• To provide, maintain and secure the Services.
• To detect governance triggers and surface proposals to authorised signatories.
• To keep an auditable record of decisions for your organisation.
• To communicate with you about changes, incidents, and support.
• To improve the product, in aggregate and de-identified form.

We do not sell personal data. We do not use your workspace content or integration data to train general-purpose AI models.

Hiperlinks' use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Hiperlinks operates two separate Google OAuth clients. You see a Google consent screen the first time you authorise each one:

• Sign-in client. Requests the standard OpenID Connect scopes openid, email, and profile so you can sign in to Hiperlinks with your Google account. We use this data only to authenticate you, populate your display name and avatar, and send transactional account emails.
• Gmail connector (governance triggers). Requests https://www.googleapis.com/auth/gmail.readonly after an admin opts in via Settings → Integrations → Gmail → Connect. We read inbound messages in the connected mailbox's INBOX label so our rules engine can detect governance-relevant events and create proposals for your team to vote on. We fetch the subject, sender, body, thread ID, and timestamp of each new message. We do not send, modify, label, draft, archive, trash, or delete messages, and we do not access any other Gmail API.

How we use Google user data. Gmail message content, metadata, and derived embeddings are used strictly to (a) detect governance triggers against clauses in your organisation's adopted protocols, (b) generate the resulting proposal for human review and voting, and (c) maintain an auditable record of which events were ingested.

How we do not use Google user data. We do not use Google user data for advertising, do not sell it, do not share it with third parties except the minimum set of sub-processors listed below acting on our behalf, and do not use it to train, develop, or improve general-purpose AI or machine-learning models. Human access to Google user data is restricted to (i) with your explicit consent, (ii) for security operations or to comply with applicable law, (iii) for aggregated and anonymised use in service health metrics, and (iv) as strictly necessary to operate internal-facing customer support or to resolve a specific bug you report.

Storage, retention, and deletion. Google user data is stored encrypted at rest in our primary Postgres database and is associated only with your Hiperlinks workspace. Refresh tokens are stored encrypted. You can disconnect the Gmail integration at any time from Settings → Integrations → Gmail → Disconnect; on disconnect we revoke the refresh token with Google and stop all polling. When a workspace is deleted or a user requests deletion, all associated Google user data (messages, tokens, embeddings) is removed within 30 days. You may also email privacy@hiperlinks.io to request immediate deletion.

Revoking access directly with Google. You can revoke Hiperlinks' access to your Google account at any time at myaccount.google.com/permissions.

We rely on a small set of trusted sub-processors:

• Google (OAuth, Gmail, Calendar) — identity and source integrations.
• Slack — workspace messaging integration.
• Anthropic — language model inference for chat and proposal summaries.
• Vercel — web hosting.
• Railway — API and worker hosting.
• Neon / Postgres — primary database.
• Upstash (Redis) — job queue.
• Resend — transactional email.
• Alchemy / Base — on-chain infrastructure for decision hashes.

Workspace content is retained for as long as your workspace is active. You may delete specific items (chats, proposals) at any time from the product. When a workspace is deleted, we remove associated personal data within 30 days, except where retention is required by law or where data has been committed to a public blockchain (which is immutable by design).

Data is encrypted in transit (TLS) and at rest. Access to production systems is limited to authorised personnel. Integration tokens are stored encrypted and scoped to the minimum permissions required. We log administrative access and review it regularly.

Depending on your location, you may have the right to access, correct, export or delete your personal data, and to object to certain processing. To exercise any of these rights, email privacy@hiperlinks.io. We respond within 30 days.

We operate primarily from the United States. If you access Hiperlinks from outside the US, you consent to processing in the US and any other jurisdiction where our processors operate.

Hiperlinks is not directed to children under 16 and we do not knowingly collect their data.

We may update this policy from time to time. Material changes will be announced in-product and by email to workspace admins at least 14 days before they take effect.

Questions? Email privacy@hiperlinks.io.