Hopx Privacy Policy

Last updated: November 10, 2025

This Privacy Policy explains how Bunnyshell Inc. ("Hopx", "we", "us", "our") collects, uses, discloses, and protects personal information when you visit hopx.ai or use our apps, SDKs, APIs, and cloud runtime services (together, the "Services").

1) Who we are & scope

Controller (account, website, billing, support data):
Bunnyshell Inc., a Delaware corporation.
Contact: privacy@hopx.ai

EEA/UK representative (for GDPR contact):
Bunnyshell S.R.L., 14 Dr. Ernest Djuvara Str., Bucharest, Romania.
Contact: privacy@hopx.ai

Processor (Customer Content processed on your behalf):
For data you or your agents execute/store inside sandboxes/micro-VMs, Hopx acts as a processor under the Data Processing Addendum (DPA) available at https://hopx.ai/legal/dpa (incorporated by reference).

This Policy covers: our website, dashboards, docs, SDK portals, and your account usage. For cookie details, see §10.

2) What we collect

A. Data you provide to us (controller)

Account & profile: name, email, company, role, password hash, auth IDs (e.g., GitHub/GitLab/Google if you use SSO).

Billing: business address, tax/VAT IDs, payment method tokens (processed by PCI-compliant providers).

Support & surveys: tickets, chat, emails, call recordings (where permitted), feedback.

Marketing (optional): newsletter preferences, event registrations, referral info.

B. Data we collect automatically (controller)

Usage & telemetry: page views, clicks, referrer, device/browser, OS, language, coarse region, session IDs.

Service metrics: API calls, SDK versions, errors, latency; basic resource counters tied to your account (e.g., number of sandboxes, aggregate CPU/RAM/disk usage for billing).

Security logs: auth success/failure, IP addresses, user/role IDs, timestamp, audit trails.

C. Customer Content (processor)

Code, files, data, artifacts, process logs inside sandboxes/micro-VMs.

We process this only to provide the Services (execution, storage, networking, security, troubleshooting under your direction). We do not use Customer Content to train foundation models or to improve unrelated products without your explicit opt-in.

3) How we use data (purposes & legal bases)

Controller data (GDPR Art. 6)

Provide & secure Services (contract; legitimate interests): account creation, authentication, access control, fraud/abuse prevention, availability, incident response.

Billing & collections (contract; legal obligation).

Product operations (legitimate interests): debugging, analytics, capacity planning, feature measurement (aggregated/de-identified where possible).

Communications (contract/legitimate interests): service notices, incidents, updates.

Marketing (consent/legitimate interests): newsletters, events—unsubscribe anytime.

Compliance & disputes (legal obligation; legitimate interests).

Processor data (under the DPA)

Execute your instructions: run code, store files, snapshots, networking, logs; provide support; maintain integrity/security.

4) Data sharing & recipients

We share the minimum necessary with:

  • Infrastructure & security providers (cloud/IaaS, monitoring, logging, backups, DDoS/CDN, email delivery).
  • Payments & billing processors (controllers for payment data).
  • Support tools (ticketing, chat, incident management).
  • Analytics (product analytics limited to controller data; no Customer Content).
  • Professional advisors (legal, audit, accounting).
  • Corporate transactions (M&A, reorgs) subject to safeguards.
  • Authorities where required by law or to protect rights/safety.

Our current list of subprocessors and their locations is published at https://hopx.ai/legal/subprocessors (we'll notify you of material changes per the DPA).

5) International transfers

We operate globally. Where personal data is transferred outside the EEA/UK/Switzerland, we rely on appropriate safeguards (e.g., EU Standard Contractual Clauses, UK Addendum, and supplementary measures). Details: privacy@hopx.ai.

6) Retention

Account & billing records: for the life of the account and up to 7–10 years where required (tax/audit).

Security & audit logs: typically 12–36 months (longer if needed for security/compliance).

Support data: 24–36 months.

Marketing data: until you unsubscribe or request deletion.

Customer Content (processor): as configured by you; we delete per your instructions, your retention settings, or after account termination + standard grace period.

We may keep minimal logs where required by law or to establish/defend legal claims.

7) Your rights

EEA/UK (GDPR)

You may access, correct, delete, restrict, port, or object to processing of your personal data, and withdraw consent at any time (without affecting prior processing). We'll respond within 1 month (extendable by 2 months for complex requests). You can lodge a complaint with your local DPA (e.g., ANSPDCP in Romania).

U.S. State Privacy (e.g., CA/VA/CO/CT/UT, etc.)

Depending on your state, you may request access, deletion, correction, and portability, and opt out of:

  • targeted advertising,
  • sale/sharing of personal information,
  • profiling with legal/similarly significant effects.

We do not sell personal information. Submit requests at privacy@hopx.ai. You may appeal a decision via the same channel.

We will verify requests (account login, email check, or reasonable verification). Authorized agent requests must include proof of authority.

8) Children

The Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact privacy@hopx.ai and we will delete it.

9) Security

We use industry-standard organizational and technical measures to protect personal data (network isolation, encryption in transit/at rest where applicable, access controls, audit logging, vulnerability management, backups, incident response). No method is 100% secure; please safeguard your credentials and report suspected issues to security@hopx.ai. Information about our certifications and practices (e.g., SOC 2, ISO) is available at https://hopx.ai/security.

10) Cookies & similar technologies

We use cookies and similar tech to:

  • keep you signed in,
  • remember preferences,
  • measure product usage (aggregate),
  • improve performance and security.

Where required, we present a cookie banner allowing you to manage non-essential cookies. You can also adjust browser settings. For details, see https://hopx.ai/legal/cookies.

We do not engage in automated decision-making that produces legal or similarly significant effects without human involvement.

11) Third-party links & services

Our Services may link to third-party sites, docs, models, or SDKs. Their privacy practices are governed by their own policies. Review those policies before providing personal data.

12) Changes to this Policy

We may update this Policy periodically. If we make material changes, we will notify you (email/in-app/website) and state the effective date. Your continued use after the effective date means you accept the updated Policy.

13) Contact

Privacy: privacy@hopx.ai

Security incidents: security@hopx.ai

Postal (Bunnyshell Inc.): 2093 PHILADELPHIA PIKE #6991, CLAYMONT, DE 19703

EEA users may also contact Bunnyshell S.R.L. (see §1) or your local authority.

14) Role summary (quick reference)

Data type | Hopx role | Typical legal basis
Account, auth, billing, support | Controller | Contract, legitimate interests, legal obligation
Website telemetry (non-essential) | Controller | Consent (where required), legitimate interests
Marketing communications | Controller | Consent / legitimate interests (unsubscribe anytime)
Customer Content in sandboxes | Processor | Your instructions (per DPA)

15) U.S. State Privacy Notice (summary)

We do not sell personal information. We may "share" limited personal information for product analytics/measurement (as defined under some state laws) and honor applicable opt-out rights. To exercise rights (access, delete, correct, portability, opt-out), email privacy@hopx.ai. We will not discriminate for exercising your rights.

16) EU/UK Addendum (lawful bases & transfers)

Lawful bases: Art. 6(1)(b) contract, 6(1)(c) legal obligation, 6(1)(f) legitimate interests, and where applicable, 6(1)(a) consent.

Transfers: safeguarded via SCCs/UK Addendum and supplementary measures.

Processor terms: see DPA at https://hopx.ai/legal/dpa (includes subprocessor list & notice procedures).