Hopstec Guardian · Legal
Privacy Policy
GDPR compliant · Last updated: June 28, 2026
1. Data Controller
The data controller is Hopstec Innovation SAS, 47 rue Vivienne, 75002 Paris, France (SIREN 106 448 988). For any privacy-related request, contact hk@hopstecinnovation.com.
2. Data We Collect
To operate Hopstec Guardian as a fraud investigation workspace, we process the following categories of data:
- Account data: email, hashed password, role, login timestamps.
- Investigation content: emails, transaction records, identity events and any evidence you submit for analysis.
- Operational data: case notes, analyst actions, audit trail, IP addresses associated with submissions.
- Telemetry: error logs, API usage metrics, agent execution timings (no commercial profiling).
3. Purposes & Legal Bases
- Service delivery — performance of the contract (Art. 6(1)(b) GDPR).
- Security & fraud prevention — legitimate interests (Art. 6(1)(f) GDPR).
- Legal obligations — compliance with anti-money-laundering and tax law (Art. 6(1)(c) GDPR).
- Customer communications — legitimate interests in operating the relationship (Art. 6(1)(f) GDPR).
4. Retention
- Account data: for the lifetime of your account plus 3 years after closure (kept as legal evidence).
- Investigation content: retained as long as the case is open; archived for up to 5 years to support AML auditability, then purged.
- Audit logs: 24 months rolling.
- Telemetry: 90 days rolling.
5. Sub-processors
We rely on the following sub-processors. Each is bound by a Data Processing Agreement (DPA) compliant with Art. 28 GDPR.
- Railway Corp. (USA) — application hosting and managed PostgreSQL. Transfers to the USA are covered by the European Commission's Standard Contractual Clauses.
- Anthropic, PBC (USA) — Claude AI inference for agent verdicts. SCCs in place. Anthropic does not train on customer data per its commercial terms.
- Resend (USA) — transactional and victim-notification email delivery (optional, only if enabled by your administrator).
- Temporal Technologies (USA) — durable workflow orchestration. Self-hosted by default; cloud option available with separate DPA.
6. Your Rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate data.
- Request erasure ("right to be forgotten") subject to our legal retention obligations.
- Restrict or object to processing.
- Request portability of your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact hk@hopstecinnovation.com. We respond within 30 days.
7. Right to lodge a complaint
You have the right to lodge a complaint with the French supervisory authority for personal data protection: CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France — cnil.fr.
8. Security
We implement industry-standard technical and organisational measures: encrypted transport (TLS 1.2+), at-rest encryption on the hosting platform, role-based access control, audit logging, principle of least privilege for sub-processors, and routine review of access.
9. Children
Hopstec Guardian is a B2B platform and is not intended for use by individuals under 16. We do not knowingly collect personal data from minors.
10. Changes
We may update this policy to reflect changes in our service or in applicable law. Material changes will be communicated by email or via a notice in the application at least 30 days before they take effect.