Privacy Policy

Last updated: 02/04/2026

Introduction

Hypefill ("we", "us", or "our") operates a B2B SaaS platform for e-commerce fulfillment management and analytics. This Privacy Policy explains how we collect, use, and protect data processed through our platform, in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.

Data Controller

The data controller is Fyonda S.R.L., the company operating the Hypefill platform. For any privacy-related inquiries, you can contact us at the email address provided in the Contact section below.

Legal Basis for Processing

  • Art. 6(1)(b) GDPR — Contractual necessity: processing required to provide the platform services you subscribed to, including fulfillment management, analytics dashboards, and integration with third-party services.
  • Art. 6(1)(a) GDPR — Consent: for optional features such as connecting third-party accounts (Shopify, Meta/Facebook) and receiving email notifications.
  • Art. 6(1)(f) GDPR — Legitimate interest: for platform security, abuse prevention, rate limiting, and service improvement.

Data We Collect

We collect and process the following categories of data:

  • Account information: email address, first name, last name, phone number, and business address provided during registration or profile setup. All personally identifiable information (PII) is encrypted at rest using PGP symmetric encryption.
  • Authentication data: information from Google OAuth sign-in or Magic Link email authentication, including session tokens (JWT).
  • Shopify store data: orders, products, inventory levels, customer shipping addresses, and financial data (prices, taxes, shipping costs) synced from your connected Shopify stores via API.
  • Marketing data: ad account information, campaign performance metrics (spend, clicks, impressions, conversions) synced from connected Meta/Facebook ad accounts.
  • Shipping and logistics data: shipment tracking information, delivery statuses, courier details, and warehouse data from integrated logistics providers (e.g., Postis).
  • Usage data: platform interactions, user preferences (language, currency, theme), and configuration settings.

How We Use Your Data

We process your data for the following purposes:

  • Providing fulfillment dashboards and order management services.
  • Generating analytics, KPI reports, and business insights across your connected stores.
  • Displaying marketing performance data from connected ad accounts.
  • Managing shipping workflows, tracking deliveries, and calculating logistics costs.
  • Authenticating users and managing role-based access control across your organization.
  • Synchronizing data with third-party services (Shopify, Meta, logistics providers) on your behalf.
  • Maintaining platform security through rate limiting, audit logging, and abuse prevention.

Data Security

We implement the following security measures to protect your data:

  • PGP symmetric encryption for all personally identifiable information (PII) stored in our database.
  • SHA-256 hashing for email address lookups, ensuring emails cannot be read from hash values.
  • Role-based access control (RBAC) with granular permissions to ensure users only access data they are authorized to view.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • JWT-based session management with configurable token expiration.
  • Soft-delete patterns ensuring data can be recovered in case of accidental deletion while maintaining data integrity.

Data Sharing and Third Parties

We do not sell your data. Data may be shared with the following third-party services solely for the purpose of providing platform functionality:

  • Shopify — Order, product, and inventory data is synced via the Shopify GraphQL API to provide fulfillment and analytics services.
  • Meta/Facebook — Marketing metrics are synced via the Meta Graph API when you connect your ad accounts.
  • Postis — Shipment and tracking data is exchanged with the Postis logistics platform for delivery management.
  • Google — Used for OAuth authentication when you choose to sign in with Google.
  • Email provider — Used to deliver Magic Link authentication emails and platform notifications.

Data Retention

We retain your data for as long as your account is active or as needed to provide our services. When data is deleted, we use a soft-delete mechanism that marks records as inactive. Soft-deleted data may be retained for a reasonable period to allow recovery and to comply with legal obligations. Upon account termination, your personal data will be permanently deleted within 90 days, except where longer retention is required by law (e.g., fiscal or accounting obligations).

Cookies and Local Storage

We use only essential technical cookies and local storage required for the platform to function. We do not use profiling or advertising cookies.

  • Session cookie: a secure, HTTP-only cookie containing an encrypted JWT token for authentication. Expires when the browser session ends or after the configured token lifetime.
  • Local storage: user preferences such as language, currency, and theme are stored locally on your device and are never transmitted to our servers.
  • CSRF token: a security token to protect against cross-site request forgery attacks.

Your Rights

Under GDPR Articles 15-22, you have the following rights:

  • Right of access (Art. 15): obtain confirmation of processing and a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): request deletion of your personal data (right to be forgotten).
  • Right to restriction (Art. 18): request restriction of processing under certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing of your data on legitimate interest grounds.
  • Right to lodge a complaint: file a complaint with your national Data Protection Authority (in Italy: Garante per la Protezione dei Dati Personali — www.garanteprivacy.it).

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable regulations. We will notify you of material changes by posting the updated policy on this page with a revised "last updated" date. We encourage you to review this page periodically.

Contact Us

To exercise your rights or for any questions regarding this Privacy Policy, please contact us at: privacy@hypefill.com