Privacy Policy
Effective Date: March 2024
Last Updated: February 2026
1. Introduction
This Privacy Policy explains how Hypa Apps (“Hypa”, “we”, “us”, “our”), a trading name of Glass Atlas Limited (Company No. 06655970), collects, uses and protects personal data when you install or use our BigCommerce applications, access hypaapps.com, or otherwise interact with us.
We operate globally and serve merchants across North America, the United Kingdom, Europe, Australia, New Zealand and other regions.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.
For the purposes of data protection law, Glass Atlas Limited is the Data Controller for the personal data described in this policy.
2. Controller and Processor Roles
When you use our website or contact us directly, we act as a Data Controller.
When you install and use our BigCommerce applications, we may process certain data on your behalf. In these circumstances, we act as a Data Processor, and the merchant remains the Data Controller for their customer data. Processing in this context is governed by our applicable terms and, where required, a Data Processing Addendum.
3. Categories of Personal Data We Process
Merchant Account and Contact Data
When you install or use our apps, we may collect:
- Merchant name
- Business name
- Contact email address
- Billing details
- Store identifiers
Merchant Customer and Order Data (Processed on Your Behalf)
Depending on the functionality of the app, we may process:
- Customer name
- Customer email address
- Customer postal address
- Marketing or newsletter subscription status
- Order information, including order items and transaction details
We process this data solely to provide the functionality of our applications and in accordance with your instructions as the Data Controller.
Technical and Usage Data
We collect technical information necessary to operate and secure our services, including IP address, device and browser information, application log data and feature usage metrics.
Support and Communications Data
When you contact support or provide feedback, we may process communications via systems such as HelpScout, HubSpot and Google Workspace.
Payment Data
We do not store or process payment card details. Payments are handled directly by our third-party payment processor, Stripe, which complies with PCI-DSS standards.
4. Lawful Basis for Processing
We process personal data under the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Providing and operating our apps | Contractual Necessity |
| Merchant support and account management | Contractual Necessity |
| Service improvement and security | Legitimate Interests |
| Marketing communications | Consent |
| Legal and regulatory compliance | Legal Obligation |
Where we rely on legitimate interests, we assess and ensure that such interests are not overridden by your rights and freedoms.
5. Data Hosting, Storage and Security
Our applications are primarily hosted on Heroku infrastructure in European Union data centres.
Data is transmitted via HTTPS and stored in encrypted PostgreSQL databases. Data at rest is encrypted in accordance with industry standards.
We maintain:
- Role-based access controls
- Access logging and monitoring
- Continuous database rollback capability for four days
- Daily backups retained for 30 days
- Documented disaster recovery and incident response procedures
- Formal vetting and contractual safeguards for subprocessors
Deleted data may remain in encrypted system backups for up to 30 days before being permanently purged.
6. Data Retention
We retain personal data only for as long as necessary to provide our services, meet contractual obligations, and comply with legal or regulatory requirements.
Our retention framework is designed to minimise unnecessary data storage and includes both automated and manual controls.
In general:
- Customer and order data processed on behalf of merchants is retained only for as long as required to provide the relevant application functionality.
- Data associated with inactive or uninstalled stores is deleted within a defined period following termination of the service.
- Soft-deleted records are permanently removed within a limited time window.
- Marketing consent data is retained until withdrawn.
- Account and billing records may be retained for a period following termination in order to verify contractual and financial records.
Where merchants request deletion of data, or where end customers exercise data protection rights through the merchant, we assist in fulfilling those requests in accordance with applicable law.
Deleted data may remain in encrypted system backups for a limited period before being permanently purged.
7. International Data Transfers
We operate globally, and some of our service providers are located outside the United Kingdom and European Union.
Subprocessors may include Heroku (cloud hosting), HelpScout (support services), HubSpot (CRM), Google Workspace (communications), and SendGrid (transactional email delivery).
SendGrid is based in the United States and does not operate EU data centres. Where personal data is transferred outside the UK or EU, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses and the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement (IDTA).
We assess transfers to ensure personal data receives a level of protection consistent with UK data protection requirements.
8. Cookies and Website Tracking
When you visit hypaapps.com, we may use cookies and similar technologies to analyse website performance and improve user experience.
Non-essential cookies are activated only where you provide consent, and you may withdraw consent at any time using our cookie preferences tool.
9. Your Data Protection Rights
Under applicable data protection laws, you may have the right to access your personal data, rectify inaccurate data, request erasure, restrict processing, object to processing, request data portability, and withdraw consent.
We respond to legitimate requests within one month.
Contact: data-protection@glassatlas.com
Address: Glass Atlas Limited t/a Hypa Apps, Colony, Jactin House, 24 Hood Street, Manchester, M4 6WX
10. Complaints
If you have concerns about how we handle personal data, please contact us first. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
11. Governing Law
This Privacy Policy is governed by the laws of England and Wales. Any disputes relating to this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.