Privacy Policy

HydraScale is an operations dashboard for multi-store DTC brands. To do its job, it connects to the third-party services you already use — Shopify, Meta Ads, Google Ads, Google Drive, Gmail, Triple Whale, euShipments, Brevo and others — and consolidates the data into one tenant-scoped workspace.

We are committed to handling your data responsibly and transparently. This policy is written in plain English; if anything is unclear, email privacy@hydrascale.io.

2.1 Account information

When you create an account we collect your name, email address, a hashed password (we never see the plaintext), and the organisation you belong to. If you sign in with Google, we additionally store your Google account email and a Google-issued user identifier.

2.2 Data from integrations you connect

When you authorise an integration, HydraScale retrieves only the data needed to run the features you've enabled. Specifically:

• Shopify: orders, line items, customer summaries, fulfilment status, refunds.
• Meta Ads / Google Ads: daily spend, impressions, clicks, conversions per ad account.
• Gmail: message metadata and bodies of threads matching your support filters, used to triage and reply.
• Google Drive: only files inside folders you explicitly authorise — typically supplier invoices.
• euShipments / Triple Whale / Brevo: shipment status, blended marketing aggregates, customer segment membership.

2.3 Usage and diagnostic data

We log basic request data (timestamp, route, response code, anonymised IP) and product analytics (which pages you visit, which features you use) so we can keep the service reliable and improve it. We do not run third-party advertising trackers.

2.4 Payment information

When billing is enabled we store the last four digits and brand of your card, your billing address, and a token issued by our payment processor. We never store full card numbers; they are held by our PCI-DSS-compliant payment processor.

We use the information described above to:

• Provide, maintain and improve the HydraScale service.
• Sync the third-party data you've connected and display it inside your dashboard.
• Detect anomalies and security incidents, and notify you about them.
• Send operational notifications (sync failures, billing receipts, security alerts).
• Respond when you contact us for support.
• Meet our legal, accounting and tax obligations.

We do not sell your personal data. We do not use your data to train generative AI models for third parties. When we use AI features (anomaly explanations, support-email triage), we send only the minimum context needed, using providers that contractually do not use the data to train their own models.

5.1 Within your organisation

Other members of your organisation can see the data inside your workspace, according to their role (owner / admin / member / viewer). You control who has access.

5.2 Subprocessors

We rely on a small number of vendors to operate. They are bound by data-processing agreements and may only use your data on our behalf:

• Cloud hosting: our infrastructure provider (compute, database, object storage).
• Email delivery: transactional email provider for receipts and security notifications.
• AI providers: used to generate anomaly explanations and support-email drafts; data is not used for model training.
• Payment processor: handles card data on our behalf (we never see card numbers).
• Error monitoring: logs anonymised stack traces when something breaks.

A current list of subprocessors is available at /security#subprocessors.

5.3 Legal and safety

We may disclose data if compelled by a valid legal process, to enforce our terms, to prevent fraud or abuse, or to protect the rights and safety of users and the public.

5.4 Business transfers

If we're involved in a merger, acquisition, or asset sale, your data may be transferred to the successor entity. We'll notify you in advance and you'll retain the rights described in this policy.

5.5 We do not sell your data

We do not sell, rent, or trade your personal data — including Google user data — to third parties for marketing or any other purpose.

We keep your data only as long as needed:

• Active account data — kept while your account is active.
• Integration data — synced records are retained while the integration is connected. Disconnecting an integration purges new syncs; existing aggregates are retained until the workspace is deleted.
• Gmail message bodies — processed in-memory for support triage; only metadata + your annotations are persisted, and we hard-purge thread state after 90 days of inactivity.
• Audit logs — 12 months, for security and compliance.
• Billing records — kept for the period required by tax law in State of Delaware, USA (typically 7 years).
• Deleted accounts — workspace data is purged within 30 days of account deletion. Backups roll off within 90 days.

See Data Deletion Instructions for step-by-step guidance.

Regardless of where you live, you have the following rights over your personal data:

• Access: request a copy of the personal data we hold about you.
• Rectification: ask us to correct inaccurate or incomplete data.
• Erasure ("right to be forgotten"): ask us to delete your data. See /data-deletion.
• Portability: receive your data in a machine-readable format.
• Restriction & objection: ask us to stop or limit certain processing.
• Withdraw consent: revoke an integration any time in Settings → Integrations.
• Lodge a complaint: with your local data protection authority (e.g. ICO in the UK, CNIL in France, your state attorney general in the US).

For CCPA / CPRA residents specifically: we do not sell or share personal information as those terms are defined under California law. You may exercise your rights by emailing privacy@hydrascale.io. We will respond within 45 days.

We follow industry-standard practices to protect your data:

• TLS 1.2+ for all data in transit.
• Encryption at rest for the database and object storage.
• Tenant isolation enforced at the data layer — cross-tenant access is blocked and audited.
• Secrets (OAuth tokens, API keys) stored encrypted; access is least-privilege and logged.
• Mandatory code review and automated security checks on every change.
• OAuth state signed with HMAC to prevent CSRF on third-party round-trips.

Full detail at /security. To report a vulnerability, email security@hydrascale.io.

We use cookies for two purposes:

• Strictly necessary: session cookie (hydra_session) keeps you signed in. Without it, the product can't work.
• Preferences: small cookies remember your dashboard preferences (sidebar collapsed, last-selected store).

We do not use advertising cookies or third-party analytics that fingerprint you across sites. You can clear cookies any time in your browser settings; this will sign you out.

Your data may be processed in the country where our cloud provider operates and where our team works. We rely on Standard Contractual Clauses (where applicable) and provider-level safeguards to ensure equivalent protection regardless of where the data is stored.

HydraScale is a B2B product not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us information, email privacy@hydrascale.io and we will delete it.

We'll update this policy as the product evolves. Material changes will be announced in-app and by email to the account owner at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.

For any privacy question or request:

• Email: privacy@hydrascale.io
• Postal: SIMEX LLC, 254 Chapman Road, Newark, Delaware 19702, USA
• Or use the contact form at /contact.

We respond to privacy requests within 1 business day on business days, and formal data-rights requests within the timeframes required by applicable law.