HyperDraft, Inc. — a Delaware corporation

Privacy Policy

How HyperDraft handles operator information for the Docker HyperDraft Customer Deployment Portal — including what stays local to your browser, what we log for security, and the rights you can exercise.

Last updated: May 12, 2026

1. Overview

This Privacy Policy explains how HyperDraft, Inc., a Delaware corporation ("HyperDraft", "we", "us", or "our"), collects, uses, and protects information in connection with the Docker HyperDraft Customer Deployment Portal (the "Portal").

The Portal is an operator tool. It is intentionally designed so that the sensitive deployment configuration you enter — AWS account IDs, hostnames, Firebase credentials, Google OAuth client IDs, network identifiers, and similar values — is processed entirely in your browser. HyperDraft does not receive those values, and they are not transmitted to or stored on HyperDraft systems.

This Policy covers the operator information HyperDraft does process in order to authenticate authorized operators and operate the Portal. It does not cover personal data processed inside the HyperDraft software you subsequently deploy into your or your customer's AWS account; that processing is governed by the agreement (such as the master subscription agreement or evaluation agreement) between HyperDraft and the relevant customer.

2. Our role

For the operator information described in this Policy, HyperDraft acts as the data controller (or, under United States privacy laws, as the business). For any personal data processed by HyperDraft software running inside a customer's AWS account after deployment, the customer organization is the controller (or business) and HyperDraft is a processor (or service provider) acting on the customer's documented instructions under the applicable customer agreement.

3. Information we collect

3.1 Operator account information

When HyperDraft provisions Portal access for you, we record your operator email address, the engagement or customer it is tied to, the role assigned, and the date your access was granted. When you request an access code, we record the request timestamp and the email address it was sent to.

3.2 Authentication and security events

We log Portal sign-ins, access-code deliveries, and access-code verifications for security, auditing, and abuse-prevention purposes. These records typically include the operator email, the time of the event, the outcome (success or failure), and basic request metadata such as IP address, approximate geo-region, and user-agent string.

3.3 Operational telemetry

The Portal records minimal server-side telemetry about navigation between secured routes (for example, which guided-deployment step was reached) so that HyperDraft can improve the operator flow and respond to support requests. This telemetry is keyed to the operator account and never includes configurator field values.

3.4 Support communications

If you contact HyperDraft for support (for example, via legal@hyperdraft.ai, privacy@hyperdraft.ai, or security@hyperdraft.ai), we retain the contents of your message and any attachments for as long as needed to respond and document the resolution.

3.5 Information we do not collect

  • Values entered into the Terraform configurator (AWS profiles, account IDs, Firebase keys, OAuth client IDs, SAML metadata, certificates, secrets, and similar inputs).
  • The contents of generated tfvars.json files, helper bash scripts, or any other downloaded artifact.
  • Personal or business data produced by the HyperDraft software running inside your or your customer's AWS account after deployment.
  • Behavioral advertising or cross-site tracking data.

4. How we use information

We use the information described above to:

  • Authenticate authorized operators to the Portal and maintain a verified session.
  • Deliver access codes and operational notifications to the operator email on file.
  • Detect, investigate, and respond to suspicious, abusive, or unauthorized activity.
  • Improve the Portal, the guided deployment flow, and the deployment tutorials.
  • Respond to operator support requests and document those interactions.
  • Meet HyperDraft's legal, regulatory, contractual, and audit obligations.

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar requirements, HyperDraft relies on the following legal bases under the EU and UK General Data Protection Regulations:

  • Contract — to provision Portal access, deliver access codes, and operate the Portal at your or your organization's request.
  • Legitimate interests — to secure the Portal, prevent abuse, maintain audit logs, and improve the Portal in ways that do not override your fundamental rights.
  • Legal obligation — to comply with applicable laws, lawful regulatory requests, and contractual audit commitments.
  • Consent — where consent is required by law, in which case you may withdraw it at any time without affecting the lawfulness of prior processing.

6. How we share information

HyperDraft does not sell operator information and does not share it for behavioral advertising. We share operator information only with:

  • Service providers / subprocessors that help us operate the Portal (such as cloud hosting, transactional email delivery, error monitoring, and artifact distribution), bound by appropriate confidentiality and data-protection terms.
  • The customer organization or partner you are operating on behalf of, for example to confirm continued authorization.
  • Legal and regulatory authorities when required by law, valid legal process, or to protect HyperDraft's rights, property, or the safety of others.
  • Acquirers in connection with a merger, acquisition, financing, or sale of all or substantially all of HyperDraft's assets, subject to appropriate confidentiality protections.

7. Cookies and local storage

The Portal sets a first-party session cookie after a successful access-code verification so that the secured terminal recognizes you on subsequent requests in the same browser session. The Portal may also use first-party localStorage to remember your preferred theme (light or dark) and the most recent guided-deployment step, so you can resume where you left off. HyperDraft does not set third-party advertising, analytics, or cross-site tracking cookies on the Portal.

8. Third-party services

The Portal is hosted on Vercel. Email access codes are delivered through a transactional email provider HyperDraft has retained. Docker images and downloadable artifacts are served from HyperDraft-controlled object storage. Once you deploy the HyperDraft software into your AWS account, the resulting environment interacts with the third-party services you configured (for example, Google Workspace for OIDC or SAML, Firebase, Stripe, or DocuSign). Those services are governed by their own privacy policies and terms; their privacy practices are outside the scope of this Policy.

9. Data retention

We retain operator information for the periods set out below, or for a longer period where required by law, by contract, or to resolve disputes:

  • Operator account records — for as long as Portal access is active and for up to twelve (12) months after access is revoked, to support audit and incident response.
  • Authentication and security logs — for up to twenty-four (24) months from the date of the event.
  • Support communications — for up to thirty-six (36) months after the most recent interaction.
  • Operational telemetry — for up to twelve (12) months from the date the event was recorded.

We will delete or anonymize records sooner on a verifiable written request, except where we are legally or contractually required to retain them.

10. Security

HyperDraft maintains administrative, technical, and physical safeguards designed to protect operator information, including encryption in transit, scoped access controls for HyperDraft personnel, and logging of access to operator records. No method of transmission or storage is fully secure, and HyperDraft cannot guarantee absolute security. We promptly investigate suspected security incidents and will notify affected operators and customers where required by law or by contract.

11. Your privacy rights

Depending on where you live, you may have some or all of the following rights with respect to the operator information HyperDraft holds about you:

  • Access — request a copy of the operator information we hold about you.
  • Correction — request that we correct inaccurate or incomplete information.
  • Deletion — request that we delete operator information, subject to legal and contractual retention requirements.
  • Restriction or objection — request that we restrict or stop certain processing of your operator information.
  • Portability — request a machine-readable copy of operator information you have provided to us, where applicable.
  • Withdrawal of consent — withdraw any consent you previously gave, without affecting the lawfulness of prior processing.
  • Non-discrimination — exercise any of these rights without retaliation, where required by law.
  • Complaint — lodge a complaint with a data-protection authority in your jurisdiction.

To exercise any of these rights, email privacy@hyperdraft.ai. We may need to verify your identity, typically by confirming control of the operator email address on file, before acting on a request. We will respond within the timeframes required by applicable law.

California residents. The California Consumer Privacy Act gives California residents additional rights, including the right to know what categories of personal information we collect and the purposes for collecting it (as described in this Policy), the right to request deletion, and the right to non-discrimination for exercising those rights. HyperDraft does not sell or share operator information for cross-context behavioral advertising.

12. No use by minors

The Portal is a professional operator tool and is not directed to, nor intended for use by, anyone under the age of 18. HyperDraft does not knowingly collect personal information from children. If you believe a minor has accessed the Portal or provided personal information through it, contact privacy@hyperdraft.ai and we will delete the information.

13. International data transfers

HyperDraft is based in the United States, and the operator information described in this Policy is processed in the United States. If you access the Portal from outside the United States, you understand that operator information will be transferred to, stored, and processed in the United States, where data-protection laws may differ from those in your jurisdiction.

Where required for transfers from the European Economic Area, the United Kingdom, or Switzerland, HyperDraft relies on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) with its subprocessors. You can request more information about these safeguards at privacy@hyperdraft.ai.

14. Changes to this Policy

HyperDraft may update this Privacy Policy from time to time. We will post the revised Policy on this page, update the "Last updated" date, and, for material changes, use commercially reasonable efforts to notify operators through the Portal or by emailing the operator email on file in advance.

15. Contact

For privacy questions, rights requests, or complaints, contact:

HyperDraft, Inc.
a Delaware corporation
Privacy: privacy@hyperdraft.ai
Legal: legal@hyperdraft.ai
Security: security@hyperdraft.ai