Privacy Policy

This Privacy Policy explains how we collect, use and protect your personal data when you use Hypnotype and our related services.

By creating an account or using the Service, you acknowledge that you have read this Privacy Policy.

1. Data controller

The data controller responsible for your personal data is:

• Company name: BOCO
• Legal form: Micro Entreprise
• Registration number (SIRET): 89531108200021
• Country: France
• Contact email: contact@muware.xyz

For questions or requests regarding this Privacy Policy, you can contact us at the email above.

2. Data we collect

We may collect and process the following categories of personal data:

2.1 Account data

• Email address (required to create and access your account)
• Basic account metadata (creation date, plan type, subscription status)

2.2 Content and project data

When you use Hypnotype, we process content that you upload or generate, which may include personal data:

• Audio files you upload
• Transcriptions generated from your audio using OpenAI Whisper
• Word level timestamps and derived technical data
• Project settings, templates and style choices
• Rendered videos and associated metadata

2.3 Billing and payment data

For paid plans, payments are handled by Stripe. We receive from Stripe limited billing information such as:

• Stripe customer ID
• Subscription and plan identifiers
• Payment status, invoices and events

We do not store your full payment card information. This data is processed directly by Stripe in accordance with their own privacy policy.

2.4 Usage, technical and analytics data

We may collect information about how you access and use the Service, for example:

• IP address
• Browser type and version
• Device information
• Pages visited, features used and time spent
• Clicks, interactions and navigation within the app
• Crash reports and performance metrics

This data may be collected using server logs and analytics tools such as Google Analytics and PostHog.

2.5 Tracking and marketing data

We may use tracking and marketing tools, such as:

• Google Analytics
• Meta (Facebook) Pixel
• PostHog or similar product analytics

These tools may collect information about:

• Your visits to our website and app
• Actions you take (for example sign up, upgrade, render a video)
• Campaign performance and conversions

They may use cookies and similar technologies to recognize your device and your interactions over time and across websites.

2.6 Communication data

When you contact us or when we communicate with you, we may collect:

• Your email address
• The content of your messages (support queries, feedback, etc.)
• Metadata related to email delivery and interactions (opens, clicks)

We also send authentication emails (magic login links) and transactional messages related to your account and subscription.

3. How we use your data and legal bases

We process your personal data for the following purposes and under the following legal bases (under the GDPR):

3.1 To provide and operate the Service

• Creating and managing your account
• Authenticating you via email magic links
• Uploading, storing, transcribing and rendering your audio and projects
• Allowing you to preview, edit and download your content

Legal basis: performance of a contract (Article 6(1)(b) GDPR).

3.2 To process payments and manage subscriptions

• Processing subscription fees via Stripe
• Managing plan upgrades, downgrades and renewals
• Handling failed payments and access restrictions

Legal basis: performance of a contract (Article 6(1)(b) GDPR) and compliance with legal obligations for accounting (Article 6(1)(c) GDPR).

3.3 To communicate with you

• Sending transactional emails (login links, billing notifications, important service information)
• Responding to your questions and support requests

Legal basis: performance of a contract (Article 6(1)(b) GDPR).

3.4 Email communication and marketing

We send two types of emails:

• Transactional emails: These are necessary for the service to function (login links, billing notifications, important service information). You cannot opt out of these emails as they are essential for your account.
• Marketing emails: These include product updates, tips, best practices, surveys, and promotional offers. We only send these emails if you have explicitly consented during account creation or later opted in.

You can unsubscribe from marketing emails at any time using the unsubscribe link in the message or by contacting us at contact@muware.xyz.

Legal basis: For transactional emails, the legal basis is performance of a contract (Article 6(1)(b) GDPR). For marketing emails, the legal basis is your consent (Article 6(1)(a) GDPR), which you can withdraw at any time.

3.5 Analytics, product improvement and security

• Monitoring usage and performance of the Service
• Understanding how users interact with features to improve the product
• Detecting, preventing and responding to security incidents
• Aggregating and anonymizing data for statistics and business insights

Legal basis: our legitimate interest in operating, securing and improving the Service (Article 6(1)(f) GDPR).

3.6 Legal compliance

• Complying with tax, accounting and legal obligations
• Responding to lawful requests from public authorities

Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR).

4. Use of OpenAI and audio processing

Hypnotype uses the OpenAI Whisper API to transcribe audio files.

When you upload an audio file:

• The audio is stored on our infrastructure hosted by OVH SAS
• We send the audio (or a processed version) to OpenAI via their API
• OpenAI returns transcription data, including word level timestamps
• We store that transcription and associated metadata in our database to generate previews and final videos

Important points:

• Your audio and transcripts may be processed on servers operated by OpenAI and its sub processors, potentially located outside the European Union
• OpenAI acts as a service provider that processes the data on our behalf in order to provide the Service to you
• Your use of Hypnotype in relation to transcription is also subject to OpenAI's terms and privacy practices

You are responsible for ensuring that you have a valid legal basis to upload any audio that contains personal data of third parties (for example interviewees, customers or collaborators).

If you request deletion of a project or your account, we will delete the associated audio and transcription data from our systems, subject to technical backups and retention needs described below. We do not control the independent data retention policies of OpenAI.

5. Cookies and similar technologies

We may use cookies, local storage and similar technologies to:

• Keep you logged in between sessions
• Remember your preferences and settings
• Measure usage and performance of the Service
• Run analytics and marketing campaigns

Where required by law, we will request your consent before placing non essential cookies (for example for analytics and advertising). You can usually manage cookie preferences through:

• Our cookie banner or settings (if available)
• Your browser settings

Disabling cookies may affect your ability to use some features of the Service.

6. How we share your data

We do not sell your personal data.

We may share your data with:

6.1 Service providers

We use the following service providers to operate our service. Each provider processes data under appropriate data processing agreements (DPAs) and privacy safeguards:

• Hosting provider: OVH SAS (OVHcloud) for server and storage infrastructure
  • Location: 2 rue Kellermann, 59100 Roubaix, France
  • Website: OVHcloud
  • DPA: OVHcloud Data Processing Agreement
• AI Transcription: OpenAI (Whisper API) for audio transcription
  • Website: OpenAI
  • DPA: OpenAI Data Processing Addendum
• Payment provider: Stripe for billing and subscription management
  • Website: Stripe
  • DPA: Stripe Data Processing Agreement
• Analytics: Google Analytics for website analytics
  • Website: Google Analytics
  • Data Processing Terms: Google Ads Data Processing Terms
• Product Analytics: PostHog for product analytics and user behavior tracking
  • Website: PostHog
  • DPA: PostHog Data Processing Agreement
• Marketing: Meta Pixel (Facebook Pixel) for marketing and advertising
  • Website: Meta
  • Terms: Meta Business Tools Terms
  • DPA: Meta Data Processing Terms
• Email providers and infrastructure for sending login links and other transactional messages

These providers only receive the data necessary to perform their services and are contractually bound to protect it through appropriate data processing agreements (DPAs) and privacy safeguards.

6.2 Business transfers

If we are involved in a merger, acquisition, sale of assets or similar transaction, personal data may be transferred to the acquiring entity. In such a case, we will take reasonable steps to ensure that the new controller continues to protect your data consistently with this Privacy Policy.

6.3 Legal obligations

We may disclose your data if required by law or if we reasonably believe that such disclosure is necessary to:

• Comply with legal obligations or requests from authorities
• Protect our rights, property or safety, or those of our users or the public
• Detect and prevent fraud, abuse or security incidents

7. International transfers

Our service providers, including OpenAI, Stripe and some analytics providers, may process data in countries outside the European Union, including the United States.

When we transfer personal data outside the European Economic Area, we aim to:

• Rely on an adequacy decision from the European Commission, or
• Use appropriate safeguards such as the Standard Contractual Clauses, or
• Take other measures required by applicable data protection law

Despite these measures, such transfers may be subject to foreign laws that differ from those in your country.

8. Data retention

We retain your personal data only for as long as necessary for the purposes described in this Privacy Policy, in particular:

• Account and subscription data: kept for as long as your account is active and for a reasonable period thereafter for accounting, legal and backup purposes
• Audio, transcripts and project data: kept while your projects remain available in your account; if you delete a project or your account, we will remove associated project data from active systems, subject to backups
• Billing and invoice data: kept for the retention period required by applicable tax and accounting laws
• Analytics and log data: kept for a period that is reasonably necessary to analyze usage, ensure security and improve the Service, typically up to 24 months, after which it is aggregated or anonymized

Backup systems may retain copies of deleted data for a limited time before being overwritten.

9. Your rights

If you are located in the European Union or another jurisdiction with similar data protection laws, you have certain rights regarding your personal data, including:

• Right of access: obtain confirmation as to whether we process your personal data and receive a copy of it
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): request deletion of your personal data in certain circumstances
• Right to restriction of processing: request limited use of your data in certain circumstances
• Right to data portability: receive your data in a structured, commonly used and machine readable format and transmit it to another controller
• Right to object: object to certain processing based on legitimate interests, including direct marketing
• Right to withdraw consent: where processing is based on consent, you can withdraw it at any time (for example for marketing emails)

To exercise your rights, please contact us at: contact@muware.xyz

We may ask you for information to confirm your identity before responding to your request.

You also have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés).

10. Children

Hypnotype is not intended for children under 18 years of age. We do not knowingly collect personal data from children under 18.

If you believe that a child has provided us with personal data, please contact us so that we can delete it if appropriate.

11. Security

We take reasonable technical and organizational measures to protect your personal data against loss, misuse and unauthorized access, disclosure, alteration or destruction. These measures include:

• Use of HTTPS/TLS for data in transit
• Access controls and authentication for our systems
• Limited access to personal data to personnel who need it for their work

However, no system is completely secure, and we cannot guarantee absolute security. You are responsible for keeping control of your email account and devices used to access the Service.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, in applicable law or in how we process personal data.

When we make material changes, we will notify you by email or by displaying a notice in the application. The updated Privacy Policy will be effective on the date indicated as "Last updated".

If you continue to use the Service after the updated Privacy Policy becomes effective, you acknowledge the changes.

13. Contact

If you have any questions, comments or requests about this Privacy Policy or about your personal data, you can contact us at:

Email: contact@muware.xyz

We will do our best to respond within a reasonable time.