Privacy Policy

Who We Are

HYP Yoga is operated by Joshua Judd as a sole proprietorship under the name HYP Yoga, based in the United States. We are a yoga study platform offering classical texts, study tools, and AI-powered companions. When this policy says "we," "us," or "our," it refers to HYP Yoga and its operator.

HYP Yoga is the data controller for the personal data described in this policy. For any privacy-related questions, or to exercise your data rights, you can reach us at namaste@hyp.yoga.

What We Collect and Why

Account information: When you create an account, we collect your email address, display name, username, and optional biography. HYP Yoga uses Sign in with Apple as its sole authentication path. Apple shares with us only your email (which may be a private relay address that forwards to your real inbox) and, on first sign-in, your name — nothing else. We process this data to perform our contract with you (providing the service you signed up for).

Content you create: Journal entries, Sparkmarks, Voice Sparks (audio recordings), profile information, and any other content you create on the platform is stored in our database. Journal entries may be public or private at your discretion. We process this data to perform our contract with you.

AI Companion conversations: Messages you send to SwamiGPT and DharmaGPT are transmitted to third-party AI providers (OpenAI and Anthropic) to generate responses. We track daily message counts for rate limiting but do not permanently store the content of your conversations. We process this data based on your consent, which you provide when you first interact with an AI Companion.

Subscription information: Paid tiers (Aspirant and Teacher) are available exclusively through the HYP Yoga iOS app and are processed by Apple as in-app purchases. We receive from Apple a signed transaction record that contains your subscription product ID, expiration date, and renewal status — nothing more. We never see or store your Apple ID, payment card, or any other payment details. We process this data to perform our contract with you.

Usage data: We collect basic usage data necessary to operate the site, such as authentication sessions and feature usage counts. We process this data based on our legitimate interest in maintaining the security and functionality of the platform. We do not use analytics trackers, advertising pixels, or any form of behavioral tracking. We do not track you for advertising purposes and never will.

Social sharing: When you use the Share feature to send a link to Facebook, Threads, or another platform, your browser opens a direct connection to that platform’s servers. HYP Yoga does not transmit your personal data to these platforms — the share dialog is opened in your browser and governed by the destination platform’s privacy policy. Share links include UTM parameters (e.g., utm_source=facebook, utm_campaign=practitioner-share) that help us understand in aggregate which content practitioners find worth sharing. What the destination platform collects from you in connection with that interaction is governed by their own privacy policy.

Lawful Basis for Processing

Under the EU General Data Protection Regulation (GDPR), we rely on the following legal bases to process your personal data:

Contract performance: Processing your account information, content, and subscription data is necessary to provide you with the HYP Yoga service you signed up for.

Consent: When you interact with our AI Companions (SwamiGPT and DharmaGPT), your messages are transmitted to third-party AI providers. You provide consent for this when you first use these features. You can withdraw consent at any time by simply not using these features; previously processed messages cannot be recalled from the AI providers but no new data will be transmitted.

Legitimate interest: We have a legitimate interest in maintaining the security, integrity, and functionality of the platform, which includes rate limiting, authentication session management, and abuse prevention.

How We Use Your Information

We use your information to provide and improve the HYP Yoga platform: authenticating your account, displaying your content, managing your subscription, enforcing rate limits, and delivering AI Companion responses. That is the extent of it. We do not sell, rent, or share your personal information with advertisers or data brokers. We do not build behavioral profiles. We do not serve ads.

Third-Party Services and Data Processors

We rely on the following third-party services to operate HYP Yoga. Each acts as a data processor on our behalf and has its own privacy practices:

Supabase (United States) provides our authentication system and database hosting. Your account data and content are stored on Supabase infrastructure. Apple Inc. (United States) handles Sign in with Apple authentication and processes all paid subscriptions as in-app purchases through the App Store; we never see your payment details. OpenAI (United States) and Anthropic (United States) process messages you send to our AI Companions. Netlify (United States) hosts and serves the website. Resend (United States) handles transactional email delivery for subscription notifications. Meta Platforms (United States) — when you choose to share content to Facebook or Threads using the Share feature, a browser-initiated request is sent to Meta’s servers. Meta acts as an independent data controller for any data they collect in connection with these sharing interactions; see Meta’s Privacy Policy for details.

All fonts used on HYP Yoga are self-hosted on our own servers. No requests are made to external font providers when you visit the site.

International Data Transfers

HYP Yoga is operated from the United States. If you are accessing the platform from outside the United States, including from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.

Our third-party service providers are all based in the United States. Where required by applicable law, these transfers are supported by appropriate safeguards, including the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or equivalent mechanisms recognized by the European Commission.

By using HYP Yoga, you acknowledge that your data will be processed in the United States. If you have concerns about international data transfers, please contact us at namaste@hyp.yoga.

Cookies and Local Storage

HYP Yoga uses cookies and browser local storage strictly for functional purposes that are essential to the operation of the site. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

Authentication session: Supabase stores a session token in your browser's local storage to keep you logged in. This is strictly necessary for the service to function.

Draft autosave: When composing a journal entry, your draft is temporarily saved in local storage so it can be recovered if you navigate away. This data stays in your browser and is cleared when you publish.

AI consent acknowledgment: When you first use an AI Companion, we store a flag in local storage recording that you have acknowledged your messages will be processed by third-party AI providers.

Privacy notice dismissal: When you dismiss the privacy notice banner, we store a flag so it is not shown again.

AI Sparks source preferences: When you configure which wisdom traditions to include in Text AI Sparks, your preferences are saved in local storage so they persist between sessions. This data stays in your browser and is never transmitted to our servers.

Because we only use strictly necessary cookies and storage (no analytics, no advertising, no tracking), no cookie consent is required under the ePrivacy Directive. We provide these details for transparency.

Data Retention

Account and profile data: Retained for as long as your account is active. Upon account deletion, your profile data is permanently deleted within 30 days.

Journal entries, Sparkmarks, and Voice Sparks: Retained for as long as your account is active. Upon account deletion, all content is permanently deleted within 30 days. You may delete individual entries at any time.

AI Companion messages: Message content is not stored by HYP Yoga. Daily message counts are retained for rate-limiting purposes and reset each day. Messages transmitted to OpenAI and Anthropic are subject to those providers' own retention policies.

Subscription data: Subscription status, product ID, expiration date, and the Apple original transaction ID are retained for as long as your account is active so we can verify your tier when you sign in. Apple maintains the underlying payment records under its own retention policies and applicable financial regulations.

Your Data Rights

Regardless of where you are located, HYP Yoga provides the following data rights to all users:

Right of access: You can request a copy of all personal data we hold about you.

Right to rectification: You can update your profile information, journal entries, and other content directly on the site at any time. For data you cannot edit yourself, contact us and we will correct it.

Right to erasure: You may request deletion of your account and all associated data by emailing namaste@hyp.yoga. We will process your request within 30 days.

Right to data portability: You can export your journal entries and Sparkmarks at any time using the built-in export tools on your profile page. For a complete data export in a machine-readable format, contact us.

Right to restrict processing: You can request that we limit how we use your data while a complaint or concern is being resolved.

Right to object: You can object to processing based on our legitimate interests. We will stop processing your data unless we have compelling legitimate grounds that override your interests.

Right to withdraw consent: Where we rely on consent (such as for AI Companion conversations), you can withdraw consent at any time by ceasing to use the feature.

To exercise any of these rights, email us at namaste@hyp.yoga. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority (a list is available at edpb.europa.eu).

Data Security

We use industry-standard security practices to protect your data, including encrypted connections (HTTPS with HSTS preloading), secure authentication through Supabase, row-level security on our database, Content Security Policy headers, signed upload URLs for file storage, and server-side validation of all tier-gated features. However, no system is perfectly secure, and we cannot guarantee absolute security.

Children

HYP Yoga is not intended for children under the age of 16 (or the minimum age required by applicable law in your jurisdiction). We do not knowingly collect personal information from children under this age. If you believe a child has provided us with personal information, please contact us at namaste@hyp.yoga and we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. For significant changes, we will make reasonable efforts to notify registered users by email at least 14 days before the changes take effect.

Contact

If you have questions about this privacy policy, how your data is handled, or wish to exercise any of your data rights, contact us at namaste@hyp.yoga.