1. Who We Are
Hypersign operates through three legal entities depending on the jurisdiction of the customer or end user. The entity that acts as data controller or processor for your data depends on where you or your end users are located.
| Region | Entity | Registered Address |
|---|---|---|
| European Union & EEA | Hypermine Labs UG | 21 Wasserturmstrasse, Trudering-Reim, Munich, Germany |
| Asia-Pacific | Hypermine Technologies Private Ltd | 2214, 21st Floor, Tower 2, Sobha City, Bengaluru, India |
| Middle East & Africa | Hypermine MEA FZCO | A2, Building 2, Dubai Silicon Oasis, Dubai, UAE |
When in doubt about which entity governs your data, contact us at privacy@hypermine.de and we will direct your request to the correct entity.
Contact Points
- General privacy: privacy@hypermine.de
- Data Protection Officer: dpo@hypermine.de
- Security incidents: security@hypermine.de
- Legal & contracts: legal@hypermine.de
2. Scope and Our Role
This policy applies to:
- Visitors to hypersign.id and all associated web properties
- Customers using the Hypersign API, dashboard, or SDKs
- Business contacts and partners
- End users who go through an identity verification flow powered by Hypersign
Hypersign acts in one of three roles depending on context:
| Role | Context |
|---|---|
| Controller | When we process data to operate our own website, marketing, support, and business relationships |
| Processor | When we process end-user verification data on behalf of a customer (the customer is the controller) |
| Independent Controller | When we process data for platform security, fraud prevention, and regulatory compliance |
3. Categories of Personal Data We Process
4. How We Use Personal Data
5. Legal Bases for Processing
| Legal Basis | When We Use It |
|---|---|
| Contract performance | Processing necessary to deliver the services described in our Terms |
| Legitimate interests | Platform security, fraud prevention, model improvement, business communications |
| Consent | Marketing emails, cookies, biometric processing where required by local law |
| Legal obligation | Regulatory reporting, responding to lawful authority requests |
| Legal claims | Establishing, exercising, or defending legal claims |
Where we rely on legitimate interests, we carry out a balancing test. The results are available on request at privacy@hypermine.de.
6. How We Disclose Personal Data
Hypersign does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information.
7. International Transfers
Where personal data is transferred outside the country of collection, Hypersign relies on:
- EU: Adequacy decisions, Standard Contractual Clauses (SCCs), and intra-group data transfer agreements
- India: Transfers governed by the Digital Personal Data Protection Act 2023 (DPDP) and associated rules
- UAE: Transfers governed by the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
Customers can configure data residency to keep verification data within the EU by default (AWS eu-central-1, Frankfurt).
8. Retention
| Data Category | Default Retention |
|---|---|
| Verification session data | Configurable: 30 days to 10 years, or indefinite |
| Biometric data | Subject to stricter caps under GDPR Art. 9, BIPA, CUBI, Washington H.B. 1493 |
| Account and billing data | Duration of the customer relationship plus applicable statutory period |
| Marketing and communication data | Until opt-out or 3 years from last interaction |
| Recruitment data | 6 months from final decision unless consent is given for longer |
Per-session deletion is available via API. Customers can configure their own retention window from the dashboard.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request that inaccurate data is corrected.
- Deletion — Request erasure of your personal data.
- Restriction — Request that we stop actively processing your data.
- Objection — Object to processing based on legitimate interests.
- Portability — Receive your data in a machine-readable format.
- Withdraw consent — At any time where processing is based on consent.
- Automated decisions — Request human review of any automated decision.
How to exercise your rights: Email privacy@hypermine.de. We will respond within 30 days (EU: one calendar month).
When Hypersign acts as a processor: Rights requests relating to verification data must be directed to the customer who conducted the verification. Hypersign will assist customers in responding to those requests where required.
Supervisory Authorities
| Region | Authority |
|---|---|
| Germany / EU | Bavarian State Office for Data Protection Supervision (BayLDA) or the Federal Commissioner for Data Protection (BfDI) |
| India | Data Protection Board of India (under DPDP Act 2023) |
| UAE | UAE Data Office |
11. Anonymised Model Training and Fraud Detection — Your Opt-Out
Hypersign may use pseudonymised or anonymised verification data to improve its fraud detection and identity verification models. This is based on legitimate interests. Data used for this purpose cannot reasonably be linked back to an identifiable individual.
Opt-out. Submit a deletion request via the Hypersign API, or email privacy@hypermine.de with the subject line "Model Training Opt-Out." Opt-outs apply prospectively from the date of the request.
DPDP Addendum
Applies to customers and end users located in India under the Digital Personal Data Protection Act 2023.
In addition to the rights in Section 9:
- You have the right to appoint a nominee to exercise your data rights in the event of death or incapacity.
- Hypersign will notify the Data Protection Board and affected individuals in the event of a personal data breach.
- Children's data (under 18) will not be processed without verifiable parental consent.
- Hypersign does not engage in behavioural monitoring of children.
CCPA / CPRA Addendum
Applies to California residents under the California Consumer Privacy Act and California Privacy Rights Act.
Hypersign does not sell or share personal information as defined by the CCPA/CPRA. Sensitive personal information is used only for permitted purposes. California residents have the right to know, delete, correct, and obtain portability of their personal information, and will not be discriminated against for exercising these rights.
14. Security
Hypersign applies administrative, technical, and organisational safeguards appropriate to the sensitivity of the data processed:
- AES-256 encryption at rest; TLS 1.3 in transit
- Biometric data stored under a separate Customer Master Key (KMS)
- Role-based access control and environment separation
- Continuous monitoring and alerting
- Quarterly penetration testing
Hypersign maintains the following security certifications:
Full details are set out in the Information Security Policy.
15. Children
Hypersign's public website and standard API services are not directed at children under 16 (or the applicable minimum age in the relevant jurisdiction). Customers may use Hypersign for age verification purposes only with an appropriate legal basis and in compliance with applicable children's privacy laws.
16. Changes to This Privacy Policy
Hypersign updates this policy periodically. The effective date is shown at the top of the page. Material changes will be communicated by email to registered customers and/or by a prominent notice on the website, as required by applicable law.