This Privacy Policy explains how Hypena (“we”, “our”) collects, uses, and shares personal information when you visit hypena.com, use the Hypena marketplace, or otherwise interact with us. It also describes the rights you have over your personal information under applicable laws, including the Republic of Armenia Law on the Protection of Personal Data (Law No. HO-49-N), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act / CPRA.
1. Information We Collect
1.1 Information you provide
- Account data (name, email, phone, password hash, preferred locale).
- Profile data (business information for vendors; delivery addresses for buyers).
- Order content (artwork files, order specs, messages exchanged with a vendor).
- Payment data (we never store full card numbers; details below).
1.2 Information collected automatically
- Log data (IP address, user agent, request paths and timestamps).
- Device data (operating system, browser, screen resolution).
- Cookies and similar technologies (see the Cookie Policy).
1.3 Information from third parties
- Identity / business verification providers, where you register as a vendor.
- Fraud-prevention partners, when assessing the risk of a payment.
- Authentication providers, if you sign in via a social-login method (when supported).
2. How We Use Your Information
- To create and operate your account, fulfil orders, and provide customer support.
- To process payments and disbursements, prevent fraud, and resolve disputes.
- To send transactional messages (order updates, account notices, security alerts).
- To improve and secure the Platform (analytics, performance monitoring, abuse detection).
- To comply with legal obligations (tax reporting, sanctions screening, lawful requests).
- To send marketing communications, where you have opted in (you can opt out at any time).
3. Legal Bases for Processing
We rely on the following legal bases under the GDPR / UK GDPR: contract (to fulfil orders and run your account), legitimate interests (to secure the Platform, prevent fraud, and improve our services), consent (for non-essential cookies and marketing email), and legal obligation (for tax, anti-money-laundering, and other statutory requirements). For users in Armenia, we process personal data on the equivalent bases recognised under the RA Law on the Protection of Personal Data — principally your consent and the necessity of the processing to perform our contract with you or to comply with a legal requirement.
4. How We Share Your Information
4.1 With other users
When you place an order, we share the order details (including buyer name, delivery address, contact email, and uploaded artwork) with the relevant vendor so they can fulfil it. Vendors agree to handle this information confidentially under the Vendor Agreement.
4.2 With service providers
We share information with processors that act on our instructions, including:
- Payment gateways (e.g. IDBank or equivalent acquirer) to charge cards and pay out to vendors.
- Delivery / logistics partners (e.g. Yandex Delivery) to dispatch and track shipments.
- Cloud infrastructure (object storage, databases, observability) to operate the Platform.
- Email / messaging services (e.g. Resend) to send transactional notifications.
- Analytics & security providers to detect abuse and measure usage.
4.3 For legal reasons
We may disclose information if compelled by a binding legal request, to protect the safety or rights of a person, or to enforce our terms.
4.4 In a corporate transaction
If Hypena is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction; we will notify you of any change in ownership or material change in use of your information.
5. International Transfers
Where personal information is transferred outside the European Economic Area or the United Kingdom, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum), supplemented where necessary by additional technical and organisational measures.
6. Data Retention
We retain personal information for as long as we have an account relationship with you and for a reasonable period thereafter to satisfy legal, tax, accounting, and dispute-resolution requirements. Specific retention periods are detailed in our internal retention schedule and are available on request.
7. Your Rights
Depending on where you live, you may have the right to:
- Access and obtain a copy of your personal information.
- Correct inaccurate or incomplete information.
- Delete your information (subject to legal retention obligations).
- Restrict or object to certain processing.
- Port your information to another service.
- Withdraw consent at any time (without affecting prior lawful processing).
- Lodge a complaint with your local data-protection authority.
To exercise these rights, email [email protected]. We will respond within the timeframes required by the applicable law.
8. California Residents
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect and how it is used, and the right to opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising. We do not sell personal information in the traditional sense; details of any sharing for advertising purposes are listed in the Cookie Policy.
9. Children
The Platform is not directed at children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, please contact [email protected] so we can delete it.
10. Security
We use industry-standard administrative, technical, and physical safeguards to protect your personal information, including encryption in transit and at rest, virus scanning on uploaded files, role-based access controls, and audit logging. No system can be guaranteed 100% secure, but we work continuously to reduce risk.
11. Changes to This Policy
We will update this Privacy Policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect.
12. Contact
Data-protection enquiries: [email protected]. Our operating address and full contact details are set out under “Company & contact details” at the foot of this page.