Privacy Policy
Last updated: June 22, 2026
Hype Forge indexes the metadata in your connected cloud storage so your team can find media fast. Your files stay in your drive — we only read metadata. This policy explains what we collect, why, who we share it with, and the rights you have over your data.
1. Who we are
Hype Forge (“Hype Forge”, “we”, “us”) is a service operated by [TODO: registered legal entity name], based in South Africa. We provide a searchable asset library that indexes video and image metadata from cloud storage you connect. You can reach us at privacy@hype-forge.com.
2. What we access and store
Your files are never copied, moved, or stored by us. When you connect a cloud drive, we request read-only access and read only what we need to build your index.
Connection scopes
- Dropbox — account_info.read (your email and account ID, to sign you in and identify your account), files.metadata.read, and files.content.read (to read file bytes only as needed to extract embedded metadata and generate thumbnails).
- Google Drive (optional, when enabled for your account) — drive.readonly, userinfo.email, and openid.
Information we store
- Account data — your email address and display name.
- Connection credentials — OAuth access/refresh tokens, stored encrypted at rest (AES-256-GCM). We never see or store your cloud-provider password.
- Asset metadata — file path and name, size, duration, codec/container, resolution, frame rate, camera make/model, lens, capture date, GPS coordinates (when present in the file), and editorial fields written by tools like Adobe Premiere (title, description, scene, shot, take, rating, and similar). We also retain the raw EXIF/IPTC/XMP block we read.
- AI-generated metadata — captions and tags produced by the optional AI tagging feature.
- Workspace data — your workspace, team memberships, and roles; and, if you provide one, your own AI model API key (stored encrypted at rest).
- Billing data — your Stripe customer ID and subscription status. Card details are handled by Stripe; we never see or store them.
3. How we use your data
- To build and maintain your searchable index and thumbnails.
- To cluster geotagged media into locations and (optionally) name those places.
- To generate captions and tags when you enable AI tagging.
- To authenticate you, operate your workspace, and enforce plan limits.
- To process payments, prevent abuse, provide support, and meet legal obligations.
We do not sell your personal information, and we do not use your content to train our own models or for advertising.
4. Sub-processors
We rely on the following service providers to deliver Hype Forge. They process data only as needed to provide their service to us:
| Provider | Purpose | Region |
|---|---|---|
| Dropbox | Cloud storage you connect; sign-in identity and read-only file metadata | United States |
| Google Drive (Google LLC) | Optional cloud storage you connect; read-only file metadata | United States |
| Stripe | Subscription billing and payment processing | United States |
| Vercel | Application hosting, edge delivery, and scheduled jobs | United States / Global |
| Neon | Managed PostgreSQL database storing indexed metadata | United States / EU |
| Vercel AI Gateway → Anthropic / Google | AI image tagging (image bytes processed only to generate captions/tags) | United States |
| Mapbox | Optional reverse-geocoding of photo GPS coordinates into place names | United States |
When you enable AI tagging, image bytes are sent through the Vercel AI Gateway to the selected model provider (Anthropic or Google) solely to generate captions and tags, and are not used to train those providers’ models under their applicable terms.
5. Google API Limited Use
Hype Forge’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google Drive data only to provide and improve user-facing features (indexing and search), do not transfer it except as necessary to provide those features or as required by law, do not use it for advertising, and do not allow humans to read it except with your consent, for security, or to comply with the law.
6. Cookies
We use a single first-party session cookie, fp_session, which is httpOnly and expires after 30 days. It holds an opaque session identifier so you stay signed in. We do not use third-party advertising, analytics, or tracking cookies.
7. Security
OAuth tokens and any AI API key you provide are encrypted at rest using AES-256-GCM. Data is transmitted over encrypted connections (HTTPS/TLS). Access to production systems is limited. No system is perfectly secure, but we take reasonable measures to protect your data.
8. Data retention and deletion
We retain your data while your account is active. When you remove a connected folder, we delete the indexed assets for that folder and stop syncing it. When you disconnect a drive or close your account, we delete the associated metadata and encrypted credentials.
To request deletion of your account and all associated data, email privacy@hype-forge.com. We will action verified requests within 30 days.
9. Your rights — POPIA (South Africa)
We process personal information in accordance with South Africa’s Protection of Personal Information Act (POPIA). Our lawful basis is the performance of our contract with you, your consent (for optional features such as AI tagging), and our legitimate interests in operating the service. You have the right to access, correct, or delete your personal information, to object to processing, and to lodge a complaint with the Information Regulator of South Africa.
Our Information Officer is [TODO: Information Officer name]. Some of our sub-processors are located outside South Africa (see Section 4); by using Hype Forge you acknowledge this cross-border processing, which is carried out under appropriate safeguards. Contact privacy@hype-forge.com or write to [TODO: registered business address].
10. Your rights — GDPR (EU / UK)
If you are in the European Economic Area or the United Kingdom, you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. Our legal bases are contract, consent, and legitimate interests. International transfers to our US-based sub-processors are made under appropriate safeguards (such as Standard Contractual Clauses). You may lodge a complaint with your local supervisory authority.
11. Your rights — CCPA / CPRA (California)
California residents have the right to know what personal information we collect, to request its deletion, and to correct it. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we will not discriminate against you for exercising your rights. To make a request, email privacy@hype-forge.com.
12. Children
Hype Forge is not directed to children under 16, and we do not knowingly collect their personal information.
13. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by the “Last updated” date above, and where appropriate we will notify you.
14. Contact
Privacy questions: privacy@hype-forge.com. General support: support@hype-forge.com.