Privacy
1. Who we are and how to contact us
Hypeline is a small, solo-led team based in Sweden, within the EU. If you have any question about this notice or about how we handle data, email us at hello@hypeline.io.
2. What we process
We process two very different kinds of data, and it helps to keep them separate.
Public source content
The engine ingests only free, open, unauthenticated, publicly available web content: RSS, Atom and JSON feeds, feed-less HTML pages that we diff, and public push sources such as Bluesky, Wikimedia and Mastodon. We never fetch login-walled or paid content. This ingestion is unauthenticated and untracked at the visitor level, so it is not personal data about you as a site visitor.
Account data
If you register for an account, we store your email address, a password hash produced with argon2id (a hashing algorithm built for low-entropy human passwords), and single-use, replay-proof session, verification and reset tokens. A used or expired token is rejected.
3. Why we process it
For ingesting public web content, our lawful basis is legitimate interest, assessed through a three-part balancing test that weighs the purpose, the necessity, and the balance against the interests of the source and rights holder. For account features, if you register, the basis is performance of a contract.
4. How long we keep it
The ingested content event log is kept in a rolling, time-bounded retention window (a time-to-live), not indefinite storage. Older events age out of that window.
5. Your rights and how to exercise them
You can ask us to access, correct, or delete your data. We have already built a real erasure path: we can remove stored events by source URL or by source on request. Deleting your account cascades and removes your sessions, tokens and API keys; that deletion path is entirely separate from the append-only content event log, so deleting your account never touches the ingested content stream. To exercise any of these rights, email hello@hypeline.io.
6. How we protect it
We use TLS everywhere, an SSRF-safe pin-IP dialer for every fetch, scoped and hashed API keys, HMAC-signed webhooks, and argon2id password hashing. See our security page for the full detail.
7. Changes to this policy
This notice may change while the service is a free preview. The last-updated date shown at the top of this page always reflects the current version.