Privacy Policy
Version: 1.0
Last updated: 19 June 2026
Effective date: upon publication
This Privacy Policy describes how OMESTA SYSTEMS LLC, a Wyoming limited liability company operating the Hyper Tracking service ("Hyper Tracking", "we", "us", "our"), collects, uses, and shares personal information about the following audiences:
- Visitors — people who browse hypertracking.io (the marketing site).
- Leads — people who fill out a contact / demo / waitlist form.
- Customers — people who sign up for the Hyper Tracking service on behalf of a business ("Merchant Personnel").
- Dashboard users — Merchant Personnel using the dashboard at app.hypertracking.io.
This policy does NOT describe how we process end-user data on behalf of our merchant customers. When a person visits a merchant's website that uses Hyper Tracking, the merchant is the Controller of that processing under GDPR (and the Business under CCPA/CPRA). Each merchant publishes its own privacy policy. Hyper Tracking acts as a Processor / Service Provider under a Data Processing Agreement (DPA) with the merchant. See § 9 below and Appendix B for the copy-paste disclosure clauses we provide our merchants.
1. Who we are and how to contact us
| Legal entity | OMESTA SYSTEMS LLC, a Wyoming limited liability company, operating the Hyper Tracking service |
| Registered address | 5830 E 2nd St, Ste 7000 #33555, Casper, Wyoming 82609, United States |
| Email | privacy@hypertracking.io |
| Postal mail | OMESTA SYSTEMS LLC, Attn: Privacy, 5830 E 2nd St, Ste 7000 #33555, Casper, Wyoming 82609, United States |
| Data Protection Officer | Not appointed. OMESTA SYSTEMS LLC does not currently meet the GDPR Art. 37 thresholds for a mandatory DPO. Privacy enquiries go to privacy@hypertracking.io. |
| EU representative (Art. 27 GDPR) | Not yet appointed. Where Art. 27 applies to our processing, we will designate an EU representative; in the interim, EU data subjects may contact privacy@hypertracking.io. |
| UK representative (UK GDPR Art. 27) | Not yet appointed. Where Art. 27 applies, we will designate a UK representative; in the interim, UK data subjects may contact privacy@hypertracking.io. |
If you have questions about this policy or how we handle your information, email privacy@hypertracking.io. We aim to respond within 7 business days.
2. Quick summary
The short version, in plain English:
- We collect basic information from people who visit our marketing site, fill out a form, or use our dashboard. The dashboard collection is what's necessary to operate the service (your account, your billing, your activity).
- We do NOT sell your personal information to anyone, ever.
- We do NOT use third-party advertising trackers on hypertracking.io itself. (We use first-party analytics and a CDN; details in § 4.)
- We use cookies sparingly: our own marketing site and dashboard set only strictly-necessary cookies (our analytics is cookieless), so we do not show a consent banner of our own. When you run Hyper Tracking on your website, we read the consent signal from your existing consent banner / CMP and only track EU/UK/Swiss visitors after consent is granted.
- We host customer data on infrastructure in the United States (Cloudflare US edge for the API, Supabase US Postgres for the database, Vercel US for the dashboard). Cross-border transfers from the EEA/UK/Switzerland rely on the EU-U.S. Data Privacy Framework where the vendor is certified, and on the 2021 EU Standard Contractual Clauses otherwise. See § 7.
- You have the right to access, correct, delete, or export your information. See § 8 (GDPR) and § 9 (CCPA/CPRA).
This summary is for convenience. The binding text is in the full sections that follow.
3. What information we collect
3.1 Information you give us directly
When you fill out a form on hypertracking.io, sign up for an account, or
contact us, we collect:
- Account data — name, work email, work phone (optional), company name, job title (optional), country.
- Authentication data — password hash (we use Supabase Auth — bcrypt at rest); OAuth tokens if you sign in with Google.
- Billing data — payment method (handled by Stripe — we receive only card brand + last four digits + expiry, never the full PAN), billing address, VAT ID, billing email, invoice history. The full card number is PCI-DSS-scoped to Stripe; it never touches our servers.
- Support correspondence — emails, chat transcripts, screenshots you send to support@hypertracking.io.
- Onboarding data — domains you connect, Cloudflare account ID (we ask for this so we can guide you through the Custom Hostname CNAME), ad-platform account IDs you authorize us to push conversions to.
3.2 Information collected automatically when you use our properties
When you visit hypertracking.io or app.hypertracking.io:
- Server logs — IP address (used for security, rate-limiting, and abuse-prevention; retained short-term per § 10), user agent, referer (with query string stripped), URL path, HTTP status, response duration, timestamp.
- Cookies — see § 4.
- First-party analytics — page views, referrer, screen size, language. We use a self-hosted, cookieless analytics tool (no fingerprinting). No data leaves our infrastructure.
- Error telemetry — JavaScript exceptions and stack traces. We use Sentry (privacy-mode DSN, IP scrubbing, no replay). Sentry is configured to scrub query parameters and headers.
We do NOT load Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn
Insight, or any third-party advertising tracker on hypertracking.io. (You
read that right — we sell ad-attribution software and we still don't ship
trackers on our own site.)
3.3 Information we get from third parties
- Stripe sends us payment-method metadata and invoice events.
- Google / Microsoft OAuth (if you sign in with one) returns your name, email, and profile picture. We don't store the picture.
- Sales-intelligence / enrichment vendors — we do not currently use a third-party enrichment vendor (e.g. Clearbit / Apollo). If we engage one, we will name it here, identify the lawful basis (legitimate interest), and provide an opt-out.
- Email-deliverability vendors — bounce / complaint webhooks from our transactional-email provider, which is listed on our sub-processor list when engaged.
3.4 Information we do NOT collect
- We do not collect biometric data.
- We do not collect precise geolocation data (we receive country only, from the Cloudflare CF-IPCountry header).
- We do not collect special categories of personal data (Art. 9 GDPR — race, religion, health, sex life, political opinions, etc.). If you send these to us in a support ticket, we'll redact them. Please don't.
- We do not knowingly collect data from children under 13 (US — COPPA) or under 16 (EEA — GDPR default). The service is sold business-to-business to merchants; the dashboard is not directed at children.
4. Cookies and similar technologies
4.1 Cookies on hypertracking.io (marketing site)
| Cookie | Purpose | Duration | Strictly necessary? |
|---|---|---|---|
| __cf_bm | Cloudflare bot management | 30 minutes | Yes |
| cf_clearance | Cloudflare challenge response | 1 year | Yes |
The marketing site sets only the strictly-necessary Cloudflare cookies above. Our first-party analytics is self-hosted and cookieless (see § 3.2), and we set no advertising cookies. Because the site sets no non-strictly-necessary cookies, it does not display a consent banner.
4.2 Cookies in the dashboard (app.hypertracking.io)
| Cookie | Purpose | Duration | Strictly necessary? |
|---|---|---|---|
| sb-access-token | Supabase Auth session | 1 hour (refreshed) | Yes |
| sb-refresh-token | Supabase Auth refresh | 7 days | Yes |
| ht_dashboard_pref | UI preferences (sidebar collapsed, theme) | 1 year | Yes (functional) |
The dashboard is a logged-in product surface that sets only the strictly-necessary cookies above; consent to this processing is given as part of account signup and is required to use the service. The dashboard sets no non-strictly-necessary cookies, so it does not display a consent banner.
4.3 What we don't do
- We do not use ad-network cookies.
- We do not use cross-site tracking pixels.
- We do not "fingerprint" your browser. Our self-hosted analytics is fingerprint-free.
5. How we use your information
We use the categories above for the following purposes. The "Lawful basis" column applies to people protected by GDPR / UK GDPR / Swiss FADP. People in the U.S. should read § 9 (CCPA/CPRA) instead.
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide the service (let you log in, render the dashboard, send conversions to your ad platforms on your merchant's behalf) | Contract — Art. 6(1)(b) |
| Bill you, send invoices, recover overdue payments | Contract — Art. 6(1)(b); Legitimate interest for collections — Art. 6(1)(f) |
| Send service emails (security alerts, billing receipts, breach notifications) | Contract — Art. 6(1)(b); Legal obligation for breach notice — Art. 6(1)(c) |
| Send product update emails (new feature, deprecation, scheduled maintenance) | Legitimate interest — Art. 6(1)(f); you can unsubscribe at any time |
| Marketing emails (case studies, webinars, "you abandoned the signup" sequences) | Consent — Art. 6(1)(a). Opt-in checkbox at signup; opt-out link in every email |
| Detect and prevent fraud, abuse, denial-of-service | Legitimate interest — Art. 6(1)(f); Legal obligation — Art. 6(1)(c) |
| Comply with tax, accounting, and other legal obligations | Legal obligation — Art. 6(1)(c) |
| Defend legal claims | Legitimate interest — Art. 6(1)(f) |
| Aggregate analytics on how people use the marketing site / dashboard, in pseudonymous form | Legitimate interest — Art. 6(1)(f) |
| Improve the product (e.g. read your support tickets to find recurring pain points) | Legitimate interest — Art. 6(1)(f) |
We do NOT use account data for profiling or automated decision-making within the meaning of GDPR Art. 22.
We do NOT use customer data to train large language models or other machine-learning models, whether ours or a third party's. Our internal AI use (if any — see § 6.6) is purely operational (e.g. assistive code search) and is gated to non-customer data.
6. Who we share your information with
6.1 Sub-processors (vendors that process data on our behalf)
The vendors we use to operate Hyper Tracking are listed in the
Hyper Tracking Sub-processor List (canonical at
hypertracking.io/legal/subprocessors; mirrored in DPA Annex III). It
includes each vendor's purpose, location, and the legal mechanism for any
cross-border transfer (DPF / SCCs).
As of the last update of this policy, the list is:
- Cloudflare, Inc. (US) — edge compute, dispatch namespace, Workers for Platforms, Custom Hostnames SSL. EU-U.S. DPF certified (SCCs as fallback).
- Supabase, Inc. (US, default data plane US-East; EU data plane for merchants configured for EU residency) — managed Postgres, Auth. 2021 SCCs.
- Vercel, Inc. (US) — Next.js dashboard hosting. EU-U.S. DPF certified (SCCs as fallback).
- Stripe, Inc. (US) — payments and billing. EU-U.S. DPF certified (SCCs as fallback).
- Functional Software, Inc. (Sentry) (US) — error telemetry. 2021 SCCs.
We update the sub-processor list before any new vendor goes live and notify merchants 30 days in advance per the DPA.
6.2 Independent third parties (Controllers in their own right)
These third parties receive personal information for their own purposes, not as our sub-processors. They are NOT listed in the DPA Annex III because they are not our processors:
- Ad platforms you authorize (Meta, Google, TikTok, and other platforms you connect) — when our merchant customer authorizes us to push conversions, we send hashed identifiers and conversion events to that platform's Conversions API / Offline Conversion Import / Events API. Each ad platform processes that data as an independent Controller under its own privacy policy. This applies to data we push on behalf of our merchants, not to your account data with us.
- Stripe for payments — when you buy a Hyper Tracking subscription, Stripe processes your card data as an independent Controller (PCI-scoped).
6.3 Service providers we don't call sub-processors
- Legal counsel, auditors, accountants, bankers, insurance brokers — bound by professional confidentiality obligations.
6.4 In a corporate transaction
If we are acquired, merge with another company, sell some or all of our business, raise debt secured by our assets, or go through bankruptcy, your information may transfer to the surviving / acquiring entity. We will give you notice (by email and a notice on the marketing site) at least 30 days before any such transfer materially changes how your information is handled.
6.5 Compliance with law
We may disclose information to comply with a valid subpoena, court order, search warrant, or other legal obligation. Where legally permitted, we notify the affected user before responding so they can challenge the request.
6.6 Internal AI / ML use
We do not feed account data into third-party LLMs or generative AI products to provide the service to you. Internal use of AI tools (e.g. AI-assisted code review of our own codebase) is performed against our own code, not against customer data. If we ever offer an AI-assisted dashboard feature (e.g. "summarize last week's anomalies"), we will update this policy first, identify the model provider, and offer a per-merchant opt-out.
7. International data transfers
7.1 Where data is hosted
- Marketing site (hypertracking.io) — Cloudflare global edge.
- API + Postgres — Cloudflare US edge + Supabase US-East (Virginia); for merchants configured for EU residency, visitor data is stored in and read from an EU Supabase project located in the EU.
- Dashboard (app.hypertracking.io) — Vercel US edge.
- Backups — encrypted daily backups of the Postgres database, managed by Supabase (US), retained on a rolling 30-day basis.
This means that if you live in the EEA, UK, or Switzerland, your personal information is transferred to the United States when you use Hyper Tracking.
7.2 Transfer mechanism
For each receiving entity in the U.S. we rely on:
- EU-U.S. Data Privacy Framework (and the UK extension and Swiss-U.S. bridge) where the vendor is self-certified — currently Cloudflare, Vercel, and Stripe.
- 2021 EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for vendors on which we do not rely on DPF adequacy, accompanied by a Transfer Impact Assessment (TIA) per Schrems II. Currently this covers Supabase and Sentry.
- UK International Data Transfer Addendum to the EU SCCs for transfers originating in the United Kingdom.
- FDPIC-recognized adapted SCCs for transfers originating in Switzerland.
You can request a copy of the safeguards in place for any specific transfer by emailing privacy@hypertracking.io.
7.3 Schrems / political-risk note
The EU-U.S. DPF's adequacy decision is in force, but its political foundation has been challenged. We monitor this closely. If the adequacy decision is invalidated (a hypothetical "Schrems III"), we will rely on the SCCs (which are already in our DPA's transfer-mechanism cascade) for the affected transfers and notify customers.
8. Your rights under GDPR / UK GDPR / Swiss FADP
If you are in the EEA, UK, or Switzerland, you have the following rights with respect to information for which we are the Controller (i.e. account / billing / dashboard data — for end-user data on a merchant's site, the merchant is the Controller and you exercise your rights with them):
- Right of access — get a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure ("right to be forgotten") — have your data deleted, subject to legal retention obligations (e.g. tax records).
- Right to restriction of processing — pause processing while a dispute is resolved.
- Right to data portability — receive your data in a machine-readable format (we provide JSON).
- Right to object — object to processing based on legitimate interest; always opt out of direct marketing.
- Right to withdraw consent — where processing relies on consent (e.g. marketing emails), you can withdraw it at any time without affecting the lawfulness of pre-withdrawal processing.
- Right not to be subject to automated decision-making with legal or similarly significant effects (Art. 22). We don't do this.
- Right to lodge a complaint with your local supervisory authority. A list is at https://edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK: https://ico.org.uk. In Switzerland: https://www.edoeb.admin.ch.
To exercise any right, email privacy@hypertracking.io. We respond within 30 days (extendable by 60 days for complex requests, with notice). We may need to verify your identity (typically by sending a confirmation link to the email address on file).
We do not charge for the first request in any 12-month period. For manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse, as permitted by GDPR Art. 12(5).
9. Your rights under California law (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the rights below.
9.1 Categories of personal information collected
In the past 12 months we have collected the following categories (Cal. Civ. Code § 1798.140(v) categories):
| Category | Collected? | Purpose |
|---|---|---|
| A. Identifiers (name, email, IP, account ID) | Yes | Account, billing, security |
| B. Customer records (Cal. Civ. § 1798.80) — name, address, payment metadata | Yes | Billing |
| C. Protected classifications (race, religion, sex, etc.) | No | — |
| D. Commercial information (purchase history of subscription) | Yes | Billing |
| E. Biometric information | No | — |
| F. Internet/network activity (browsing on hypertracking.io, logs) | Yes | Service operation, security |
| G. Geolocation (precise) | No | — |
| G. Geolocation (general — country) | Yes | Service operation, fraud detection |
| H. Sensory data (audio, visual) | No | — |
| I. Professional or employment information | Yes (job title at signup, optional) | Sales qualification |
| J. Education information | No | — |
| K. Inferences | Limited (sales-stage tags on leads) | Sales / customer success |
| L. Sensitive personal information (Cal. Civ. § 1798.140(ae)) — gov ID, financial-account login, precise geo, race, religion, health, sexual orientation, communications contents | No (except payment-card metadata returned by Stripe — never the PAN) | Billing |
9.2 Sources
- Directly from you (signup, support tickets).
- Automatically (server logs, first-party analytics).
- From third parties (Stripe, OAuth providers).
9.3 Categories disclosed for a "business purpose"
We disclose Categories A, B, D, F, I to the sub-processors listed in § 6.1 strictly to operate the service.
9.4 Sale or sharing of personal information
We do not "sell" personal information. We do not "share" personal information for cross-context behavioral advertising. We have not sold or shared personal information in the prior 12 months and do not plan to.
This applies both to your account / dashboard data and to the merchant end-user data we process under the DPA.
9.5 Use of sensitive personal information
We do not use sensitive personal information for purposes beyond those permitted by Cal. Civ. § 1798.121(a) (e.g. providing the goods or services you requested), so no opt-out right under § 1798.121 applies. The only sensitive PI we touch is payment-card metadata returned by Stripe in the course of billing you, which is exempt under § 1798.121(a)(1).
9.6 Your CCPA / CPRA rights
You have the right to:
- Know what personal information we have collected, disclosed, sold, or shared (Cal. Civ. §§ 1798.110, 1798.115).
- Delete personal information we have collected from you (§ 1798.105).
- Correct inaccurate personal information (§ 1798.106).
- Opt out of the sale or sharing of personal information (§ 1798.120). We don't do either, so this is mostly informational; we still honor a Global Privacy Control (GPC) signal as a "do not sell or share" request.
- Limit the use and disclosure of sensitive personal information (§ 1798.121). We don't use it beyond § 1798.121(a) purposes; this is informational.
- Non-discrimination — we will not deny service or charge a different price because you exercised a privacy right (§ 1798.125).
To exercise any right, email privacy@hypertracking.io or use the form at
hypertracking.io/privacy/request. We respond within 45 days (extendable
to 90 days with notice). We verify identity by emailing the address on
file with a one-time confirmation link.
You may use an authorized agent to make a request on your behalf; we will require written proof of authorization.
9.7 Other state privacy laws
This policy is also intended to satisfy the consumer-rights requirements of the Colorado Privacy Act, Connecticut Data Privacy Act, Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Florida Digital Bill of Rights, Montana Consumer Data Privacy Act, Iowa Consumer Data Protection Act, and the other state comprehensive privacy laws in force as of the effective date. To exercise a right under any of these laws, contact privacy@hypertracking.io.
10. How long we keep your information
| Category | Retention |
|---|---|
| Account profile | While your account is active + 30 days after deletion |
| Authentication tokens | Per session; refresh tokens 7 days |
| Billing records (invoices, receipts, tax exports) | 7 years (tax law) |
| Server logs (incl. IP address) | 30 days |
| Sentry error telemetry | 90 days |
| Support tickets | 3 years from last update |
| Marketing-list signups | Until you unsubscribe + 30 days |
| Closed lead records | 24 months |
| Backups (encrypted database backups) | 30 days (rolling) |
After the retention period, records are deleted or pseudonymized. Records subject to a litigation hold are retained until the hold is lifted.
For the end-user data we process on behalf of merchants, retention is governed by the DPA — sessions 90 days, purchases 24 months, audit logs 36 months. Those rules are enforced by an automated daily retention sweep.
11. Security
We follow industry-standard technical and organizational measures, set out in detail in DPA Annex II. Highlights:
- TLS 1.2+ in transit; AES-256 at rest. Customer secrets (ad-platform tokens, Stripe keys) wrapped in AES-256-GCM with a key managed in Cloudflare Workers Secrets.
- Multi-factor authentication required for all production access by Hyper Tracking personnel.
- Postgres Row-Level Security on every customer-data table; every query filters by merchant_id.
- Automated dependency-vulnerability scans; independent penetration testing is planned and a sanitised summary will be made available once completed.
We do not currently hold a SOC 2 Type II report or an ISO/IEC 27001 certification. If we obtain either, we will update this section.
No system is impenetrable. If we suffer a security breach affecting your information we will notify you within the timeframes required by law (72 hours under GDPR Art. 33; without unreasonable delay under U.S. state breach-notification laws), and we will tell you what happened, what data was affected, what we're doing about it, and what you can do.
12. Children
The service is sold business-to-business. The marketing site and dashboard are not directed at children. We do not knowingly collect personal information from anyone under the age of 13 (United States — COPPA) or under the age of 16 (EEA — GDPR Art. 8(1) default; Member States may set a lower age between 13 and 16). If you believe a child has provided information to us, email privacy@hypertracking.io and we will delete it.
13. Do Not Track and Global Privacy Control
We do not currently respond to browser-level "Do Not Track" headers because there is no industry consensus on what they require. We do honor the Global Privacy Control (GPC) signal as a CCPA / CPRA "do not sell or share" request and, where it accompanies a request that includes verifiable identity information, as a GDPR objection. (We also don't sell or share, so GPC is mostly belt-and-suspenders.)
14. Changes to this policy
We may update this policy from time to time. When we do:
- Material changes (new categories of processing, new third-party recipients, change in lawful basis, change in retention) — we email all active customers at least 30 days before the change takes effect. Where consent is required for the new processing, we ask for it before the new processing begins.
- Non-material changes (clarifying language, fixing typos, updating contact info) — we update the "Last updated" date at the top.
We keep prior versions in our public document archive at
hypertracking.io/legal/archive.
15. Jurisdiction-specific notices
15.1 Nevada (SB 220)
Nevada residents have the right to opt out of the sale of certain "covered information" under NRS 603A. We do not sell covered information. To submit a verified opt-out request anyway, email privacy@hypertracking.io.
15.2 Brazil (LGPD)
If you are in Brazil, the LGPD gives you rights similar to those under GDPR. To exercise your rights, email privacy@hypertracking.io.
15.3 Canada (PIPEDA / Quebec Law 25)
If you are in Canada, PIPEDA and Quebec's Law 25 give you rights to access, correction, withdrawal of consent, and (in Quebec) data portability. Email privacy@hypertracking.io.
15.4 Australia (Privacy Act 1988)
If you are in Australia, the Australian Privacy Principles (APPs) apply. We comply with APPs 1–13, including notification of data breaches that are likely to result in serious harm.
Appendix A — CCPA disclosure summary (Cal. Civ. § 1798.130(a)(5))
Consolidated view of the categories collected, the business purpose, the categories of recipients to whom each was disclosed for a business purpose, and whether each was sold or shared. None were sold or shared.
| Category (§ 1798.140(v)) | Collected | Business purpose | Disclosed to (categories of recipients) | Sold / Shared |
|---|---|---|---|---|
| A. Identifiers | Yes | Account, billing, security | Cloud-infrastructure, payment, and error-telemetry sub-processors | No |
| B. Customer records (§ 1798.80) | Yes | Billing | Payment and cloud-infrastructure sub-processors | No |
| C. Protected classifications | No | — | — | No |
| D. Commercial information | Yes | Billing | Payment and cloud-infrastructure sub-processors | No |
| E. Biometric information | No | — | — | No |
| F. Internet / network activity | Yes | Service operation, security | Cloud-infrastructure and error-telemetry sub-processors | No |
| G. Geolocation (general — country) | Yes | Service operation, fraud detection | Cloud-infrastructure sub-processors | No |
| H. Sensory data | No | — | — | No |
| I. Professional / employment info | Yes | Sales qualification | Cloud-infrastructure sub-processors | No |
| J. Education information | No | — | — | No |
| K. Inferences | Limited (sales-stage tags) | Sales / customer success | Cloud-infrastructure sub-processors | No |
| L. Sensitive PI (§ 1798.140(ae)) | No (except Stripe-returned payment-card metadata) | Billing | Stripe (payments) | No |
Appendix B — Copy-paste clauses for merchants
Note: This appendix exists for our merchant customers. If you are using Hyper Tracking on your website, you are required by GDPR Art. 13/14 and CCPA § 1798.130 to update your own privacy policy to disclose us. The clauses below are drafted to be dropped into your privacy policy with minimal editing. Substitute "[Merchant]" with your business name. These are templates only — your own counsel should review.
B.1 GDPR-style processor disclosure
[Merchant] uses Hyper Tracking (operated by OMESTA SYSTEMS LLC, a Wyoming limited liability company) as a server-side analytics and conversion-attribution processor. Hyper Tracking processes the following data on our behalf when you visit our website: marketing click identifiers (fbclid, gclid, ttclid, etc.), UTM parameters, our first-party session cookie (_ht_id), browser user agent, page URL (with sensitive query parameters stripped), referrer URL (query stripped), country derived from IP address, and a SHA-256 hash of the IP address. When you make a purchase, Hyper Tracking also processes a SHA-256 hash of the email address you provide at checkout. The raw IP address and raw email address are never stored. Hyper Tracking acts as a data processor under a Data Processing Agreement compliant with GDPR Article 28. Sub-processors used by Hyper Tracking include Cloudflare (US, DPF-certified), Supabase (US, SCCs), Vercel (US, DPF-certified), Stripe (US, DPF-certified for billing only), and Sentry (US, SCCs). For more information see Hyper Tracking's privacy policy at https://hypertracking.io/legal/privacy and sub-processor list at https://hypertracking.io/legal/subprocessors.
B.2 GDPR cookie disclosure
We use a single first-party cookie set by Hyper Tracking, named _ht_id, to identify your visit across pages on our website for the purposes of attributing your eventual purchase to the marketing campaign that brought you here. This cookie is set on our domain (not on hypertracking.io). It contains a randomly generated identifier; it does not contain your name, email, or any directly identifying information. The cookie expires after 365 days. In jurisdictions that require consent for non-strictly-necessary cookies (the EU/EEA, the UK, and Switzerland), this cookie — and all Hyper Tracking processing of your visit — is set only after you grant consent through our consent-management platform (CMP). Hyper Tracking reads the consent signal recorded by our existing cookie banner / CMP (including the IAB TCF v2.2 and Google Additional Consent signals where present) and does not display a banner of its own; until consent is granted, no cookie is set and no data is collected.
B.3 GDPR cross-border transfer disclosure
[Merchant] transfers personal data to OMESTA SYSTEMS LLC (operating Hyper Tracking) in the United States. The transfer relies on the EU-U.S. Data Privacy Framework adequacy decision and, as a fallback, the European Commission's 2021 Standard Contractual Clauses. A copy of the applicable safeguards is available on request from [Merchant].
B.4 GDPR onward-transfer to ad platforms
When [Merchant] authorizes the use of conversion-tracking integrations with third-party advertising platforms (such as Meta, Google, and TikTok), Hyper Tracking sends a hashed identifier (typically the SHA-256 hash of your email address) and the conversion event to the selected ad platforms via their server-to-server APIs (Conversions API, Offline Conversion Import, Events API). These platforms act as independent data controllers under their own privacy policies. You can opt out of personalized advertising via each platform's preferences.
B.5 CCPA-style service-provider disclosure
[Merchant] discloses categories of personal information identified in its Notice at Collection to OMESTA SYSTEMS LLC (operating Hyper Tracking), a service provider as defined in Cal. Civ. Code § 1798.140(ag). Hyper Tracking is contractually prohibited from (i) selling or sharing the personal information, (ii) retaining, using, or disclosing it for any purpose outside the business purpose specified in the contract, (iii) combining it with personal information received from another source for cross-context behavioral advertising. [Merchant] does not sell or share personal information for cross-context behavioral advertising.
B.6 Right-to-delete operationalization
If you submit a deletion or access request to [Merchant] under GDPR Art. 15/17 or CCPA §§ 1798.105/1798.110, [Merchant] will forward the request to Hyper Tracking, which deletes or returns the affected data within 30 days. Hyper Tracking provides [Merchant] with API endpoints (POST /api/data-subject/export and DELETE /api/data-subject) for this purpose.