Hintyr
Sign InGet Started

Privacy Policy

Your privacy is important to us. This policy explains how Hintyr collects, uses, and protects your data.

Hintyr Privacy Policy

Last updated: August 25, 2025

Thank you for trusting Hintyr. We build AI‑powered eDiscovery and evidence management tools for legal teams. Protecting your privacy and your data is central to our product and our values.

This Privacy Policy explains how we collect, use, disclose, and protect information when you use Hintyr’s websites, products, and services (collectively, the Services). It also describes your privacy rights and how to exercise them.

Plain‑language summary (not a substitute for the full policy):

  • We never sell your personal information or your case data.
  • We do not share data with third parties for their advertising or marketing.
  • We use only strictly necessary cookies for authentication (via Clerk).
  • We process eDiscovery materials as a service provider/processor to our customers.
  • We use Google Cloud Platform (GCP) as our AI model provider; we have a Business Associate Agreement (BAA) in place and contractually prohibit training on your content.
  • You control your content and can request deletion according to this Policy.

1) Who we are & contact information

Hintyr, Inc. ("Hintyr", "we", "us", or "our") is the provider of the Services.
Contact: contact@hintyr.com

If you are located in the EEA/UK/Switzerland, you may have additional rights under applicable law. See Section 12.

1A) Google API Services Limited Use Compliance

Hintyr's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We access your Google account information only to provide features that are prominent and visible in our application interface. We never use your Google data for advertising, marketing, data brokering, or any purpose not disclosed in this Privacy Policy.

2) Scope & roles (Controller vs. Processor)

Hintyr offers enterprise software used by law firms, investigators, and corporate legal departments. We act in different roles depending on the data:

  • Customer Content (e.g., documents, case files, evidence, audio/video, metadata, annotations) processed in a customer workspace: we act as a processor/service provider to our customer (the controller/business). Our processing is governed by our agreement with the customer and, where applicable, our Data Processing Addendum (DPA) and BAA.
  • Service Data (e.g., account registration, billing, support tickets, product telemetry, security logs): we act as a controller/business and determine the purposes and means of processing to operate and secure the Services.

3) Information we collect

A. Information you provide to us

  • Account details (name, email, organization/role).
  • Billing and subscription details processed by Stripe (e.g., billing contact, payment method tokens). We do not store full card numbers.
  • Communications (support requests, feedback, email, in‑product chat).
  • Customer Content you upload or connect (files, transcripts, extracted metadata, notes, tags).

B. Information collected automatically

  • Authentication state and session identifiers (strictly necessary cookies set by Clerk).
  • Device and usage data (e.g., browser type/version, IP address, pages and features used, timestamps, error diagnostics).
  • Security signals (e.g., failed logins, abuse/anti‑fraud telemetry).

C. Information from third parties

  • Identity/authentication provider (Clerk) for sign‑in and account linking.
  • Payment provider (Stripe) for subscription management and invoicing.
  • AI model provider (Google Cloud Platform) to perform inference on Customer Content or prompts as configured by you.

We do not collect information about you from data brokers for marketing and we do not buy or sell personal information.

4) How we use information (purposes & legal bases)

We process information to:

  • Provide the Services: account creation, authentication, workspace provisioning, file ingestion, search/review, AI‑assisted features, and collaboration.
  • Operate, maintain, and secure the platform: monitoring, troubleshooting, incident response, fraud prevention, and abuse detection.
  • Billing and administration: subscriptions, invoicing, and account notifications.
  • Support and improvement: respond to requests, quality assurance, feature development and tuning using de‑identified or aggregated telemetry (never your case content for provider training).
  • Compliance and legal: to comply with law, enforce agreements, and protect rights, safety, and integrity of the Services.

Legal bases (EEA/UK): contract performance; legitimate interests (e.g., security, service improvement); legal obligation; and, where required, consent. You may object to processing based on legitimate interests where we rely on it.

5) AI/LLM features and providers

  • We use Google Cloud Platform (GCP) as a subprocessor to provide generative and analytical capabilities (e.g., classification, entity extraction, summarization).
  • We have a Business Associate Agreement (BAA) in place with Google Cloud for processing.
  • We configure and contractually prohibit our model provider from using Customer Content or prompts for training their foundation models.
  • Customer Content is transmitted to the model provider only as necessary to fulfill the requested feature and is encrypted in transit.
  • Logs and model outputs are stored within your workspace according to your retention settings.
  • You can disable specific AI features at the workspace level (where supported).

Your responsibility: Do not input content that violates law or third‑party rights. Ensure you have a lawful basis to process any personal data in Customer Content uploaded to the Services.

5A) Google OAuth and API Data Collection

What Google Data We Access

We use Google OAuth 2.0 to enable you to connect your Google Account to Hintyr. When you choose to connect your Google Account, we request access to the following information:

  • OpenID Connect (openid scope): We use this to verify your identity with Google and securely authenticate you.

  • Email Address (email scope): We access your primary Google Account email address to create and manage your Hintyr account, send you service notifications, and enable communication features within our application.

  • Profile Information (profile scope): We access your name, profile picture, and other public profile information from your Google Account to personalize your experience and display your identity within the application.

  • Google Drive Files (drive.file scope): We access only the specific Google Drive files that you explicitly select using Google's file picker when you choose to import evidence or documents into your eDiscovery workspace. We can only read the files you select; we cannot access other files in your Drive, and we cannot modify, delete, or create new files in your Google Drive.

How We Use This Google Data

Email and Profile Data:

  • Creating and maintaining your user account
  • Authenticating your identity for secure access
  • Personalizing your user experience within Hintyr
  • Sending service-related notifications and updates
  • Displaying your identity to authorized collaborators within your workspace

Google Drive Data:

  • Importing selected Drive files as evidence into your eDiscovery cases
  • Storing imported file contents within your Hintyr workspace for review, annotation, and analysis
  • Enabling search, AI-assisted review, and other eDiscovery features within your workspace
  • Providing user-facing features that are prominent and visible in our application interface

We use your Google data only to provide the eDiscovery and case management features you see and interact with in Hintyr.

Prohibited Uses

We do NOT use your Google data for:

  • Serving advertisements or enabling advertising
  • Retargeting, personalized advertising, or interest-based advertising
  • Selling or transferring to data brokers, advertising platforms, or information resellers
  • Credit worthiness assessment or lending purposes
  • Determining eligibility for credit, insurance, employment, or housing
  • Any purpose not disclosed in this Privacy Policy

Data Storage and Retention

Email and Profile Data: We store your email address and profile information in our secure database for as long as your account remains active. This data is encrypted at rest using industry-standard AES-256 encryption and transmitted over secure HTTPS connections using TLS 1.2 or higher.

Google Drive Data: When you import files from Google Drive into a Hintyr workspace:

  • We store the complete file contents within your workspace to enable eDiscovery review, annotation, search, and AI-assisted analysis
  • File data is encrypted at rest using AES-256 encryption
  • Retention is controlled by your workspace and case-level retention settings
  • You (or your workspace administrator) can delete imported files at any time
  • When you delete imported files, they are permanently removed from our production systems within 30 days
  • Backup copies are deleted within 90 days during the next backup cycle

All Google user data is:

  • Encrypted in transit using TLS 1.2 or higher
  • Encrypted at rest using industry-standard AES-256 encryption
  • Stored on secure cloud infrastructure with restricted access
  • Protected by comprehensive security measures including role-based access controls, audit logging, intrusion detection, and security monitoring

Data Sharing

We do NOT share, sell, or transfer your Google user data to third parties, except in the following limited circumstances:

  1. With Your Explicit Consent: When you specifically authorize sharing with a third-party service or integration

  2. For Security Purposes: To investigate security incidents, abuse, fraud, or violations of our Terms of Service

  3. Legal Compliance: When required by law, court order, subpoena, or government regulation

  4. Business Transfer: In the event of a merger, acquisition, or sale of assets, only after obtaining your explicit prior consent and ensuring equivalent data protection

We never share your Google user data with:

  • Advertising platforms or ad networks
  • Data brokers or information resellers
  • Third-party marketing services
  • Analytics providers (beyond aggregated, de-identified usage metrics)
  • Credit bureaus or lending institutions

Your Google Data Rights

You have the following rights regarding your Google account data:

Access: You can view what Google data we have stored by visiting your Account Settings page within Hintyr or by contacting us at contact@hintyr.com.

Deletion: You can request deletion of your Google account data at any time by:

  • Using the "Delete My Data" or "Disconnect Google Account" option in Account Settings
  • Emailing contact@hintyr.com with subject line "Delete Google Data"

We will delete your Google data within 30 days of your request, except where retention is required by law or to comply with legal hold obligations.

Revoke Access: You can revoke Hintyr's access to your Google account at any time by:

  1. Visiting your Google Account Permissions page
  2. Finding "Hintyr" in the list of connected apps
  3. Clicking "Remove Access"

When you revoke access:

  • We can no longer access any of your Google account data
  • We will delete any stored Google profile data within 30 days
  • Imported Drive files that are part of active eDiscovery cases will remain in your workspace (as they are now Customer Content), but you can delete them via workspace controls
  • You can continue using Hintyr with limited functionality (without Google Drive import capability)

Data Portability: You can request a copy of your imported Drive files and Google profile data in a portable format (JSON or CSV) by contacting contact@hintyr.com. We will provide the export within 30 days.

Correction: If any of your Google profile data is inaccurate, you can update it in your Account Settings or contact us for assistance.

Security Measures for Google Data

We implement comprehensive security measures to protect your Google user data:

  • Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Strict role-based access controls limit employee access to user data on a need-to-know basis
  • Authentication: Multi-factor authentication required for administrative access
  • Monitoring: Continuous monitoring for security threats, anomalies, and unauthorized access attempts
  • Audit Logging: Comprehensive logs of all access to Google user data
  • Incident Response: Established procedures for detecting, responding to, and reporting security incidents
  • Vendor Management: All subprocessors handling Google data are contractually bound to equivalent security standards

Changes to Google Data Practices

If we change how we use your Google user data, we will:

  1. Update this Privacy Policy with the new practices and indicate the effective date
  2. Notify you via email and/or prominent notice within the application
  3. Request your explicit consent before implementing changes that materially affect how we use your Google data
  4. Allow you to opt out, revoke access, or delete your data if you don't agree to the changes

You can review the current version of this Privacy Policy at any time at https://www.hintyr.com/legal/privacy.

6) Cookies & similar technologies

Hintyr uses only strictly necessary cookies to enable secure sign‑in and session management via Clerk (e.g., session and CSRF cookies). These cookies are required for the Services to function and cannot be disabled without impacting your ability to log in. We do not use analytics or advertising cookies. Your browser settings may block third‑party cookies; however, doing so could break authentication.

Analytics without cookies

We use Vercel Web Analytics, a privacy‑focused analytics service that operates entirely without cookies. This service:

  • Does not use cookies: Visitors are identified by a daily‑rotating hash of request parameters (not persistent identifiers)
  • Does not collect personal data: No personally identifiable information is tracked or stored
  • Automatically resets daily: Visitor hashes are reset every 24 hours, preventing any long‑term tracking
  • No cross‑site tracking: Visitors cannot be tracked between different websites or across multiple days
  • Collects only aggregate metrics: Page views, referrers, browser types, operating systems, device categories, and country‑level geographic regions
  • Automatically redacts sensitive URLs: Dynamic IDs and parameters are sanitized before transmission

This cookie‑free approach means no consent banner is required for analytics, and your privacy is protected while we gather essential insights to improve our service performance and user experience.

7) How we share information

We do not sell personal information and do not share personal information for cross‑context behavioral advertising. We disclose information only to:

  • Subprocessors / Service providers we use to operate the Services under written contracts, limited to the purposes described here:
    • Clerk — user authentication and identity management (account identifiers, session data).
    • Stripe — payments and invoicing (billing contact info, payment tokens; Hintyr does not store full card numbers).
    • Google Cloud Platform (GCP) — AI model inference and cloud infrastructure (Customer Content as required for processing; governed by BAA/DPA).
    • Vercel — hosting infrastructure and cookie‑free web analytics (anonymized usage metrics only; no personal data).
  • Affiliates and professional advisors for corporate, compliance, accounting, and legal purposes.
  • Compliance/Legal: to comply with applicable law, lawful requests, or to protect rights, safety, and property.
  • Business transfers: in the event of a merger, acquisition, or asset sale, subject to this Policy’s promises continuing or equivalent protections.

We maintain an internal list of subprocessors and will provide notice of material changes as required by our DPA.

8) Data retention

  • Customer Content: retained for the term of your subscription and according to your workspace or case‑level retention settings. You can delete content at any time; residual copies may remain in backups for a limited period.
  • Account & billing records: retained while your account is active and as needed for legal, tax, audit, and compliance obligations.
  • Security and operational logs: retained for a limited period to investigate and ensure platform integrity.
  • Backups: stored on a rolling basis and purged on a schedule; backups are not used for any other purpose.

Google Account Data Retention

  • Google Email and Profile Information: Retained for the duration of your account plus 30 days after account deletion to allow for account recovery and to comply with legal obligations. You may request immediate deletion by contacting contact@hintyr.com.

  • Google Drive Files: When you import files from Google Drive into your Hintyr workspace, they become part of your Customer Content and are retained according to your workspace or case-level retention settings. You (or your workspace administrator) control retention and can delete imported files at any time. When deleted, files are permanently removed from production systems within 30 days and from backups within 90 days.

  • After Revoking Google Access: If you revoke Hintyr's access to your Google account via Google Account Permissions, we will delete your Google email and profile data within 30 days. Previously imported Drive files will remain in your workspace as Customer Content (subject to your workspace retention settings) unless you separately delete them.

Where we act as processor/service provider, we retain and delete data according to the customer's instructions and our agreement.

9) Security

We implement administrative, technical, and physical safeguards designed to protect information, including encryption in transit, hardened infrastructure, role‑based access controls, least‑privilege practices, audit logging, and vendor access controls. No method of transmission or storage is 100% secure; we cannot guarantee absolute security. If we learn of a security incident impacting your information, we will notify you and relevant authorities as required by law and our agreements.

10) International data transfers

Hintyr may process data in the United States and other jurisdictions where we or our subprocessors operate. Where required, we use appropriate safeguards for cross‑border transfers (e.g., EU Standard Contractual Clauses and the UK International Data Transfer Addendum) and implement supplementary measures as needed. By using the Services, you understand your information may be transferred to, stored, and processed in these locations.

11) Your privacy rights

A. EEA/UK/Swiss residents (GDPR/UK GDPR/FADP)

Subject to applicable law, you may have the right to request: access, rectification, erasure, restriction, portability, and to object to certain processing. Where we rely on consent, you may withdraw it at any time. You also have the right to lodge a complaint with your data protection authority. If we process your data as a processor for a customer, we will forward requests to the relevant customer/controller.

B. United States — California (CCPA/CPRA) notice at collection

We collect the following categories of personal information for the business purposes described in Sections 4 and 7. We do not sell personal information and we do not share personal information for cross‑context behavioral advertising.

Category (CPRA)ExamplesSourcesBusiness purposesDisclosed to
Identifiersname, email, account ID, IP addressyou; deviceprovide Services; security; customer supportClerk, infrastructure providers
Customer recordsbilling contact, subscription infoyou; Stripebilling; complianceStripe
Internet/technicaldevice/app data, logs, crash/error datadevice; servicessecurity; service operationinfrastructure providers
Commercial infosubscription tier, invoicesStripe; Hintyrbilling; analytics for operationsStripe
Audio/visual (Customer Content)uploaded multimedia evidenceyou; integrationseDiscovery features; search/reviewAI providers as configured; infrastructure
Sensitive personal information (as provided by you)PHI or other sensitive data in Customer Contentyouonly to provide Services under DPA/BAA; securityAI/infrastructure providers under DPA/BAA

Your CPRA rights may include: right to know/access, correction, deletion, and to limit the use of sensitive personal information (where applicable). We do not sell or share personal information and do not use SPI for inferring characteristics beyond providing the Services. We do not retaliate against you for exercising your rights.

Submitting a request: Email contact@hintyr.com. We will verify your identity and respond as required by law. Authorized agents may submit requests with proof of authorization and identity verification.

C. Other U.S. state laws

Residents of certain states (e.g., CO, CT, VA, UT) may have similar rights. Submit requests to contact@hintyr.com.

12) HIPAA and PHI

For customers subject to HIPAA, Hintyr acts as a Business Associate when processing Protected Health Information (PHI) under a signed Business Associate Agreement (BAA). We require our AI and cloud provider to sign a BAA and to use PHI only to provide the contracted services. Customers are responsible for: (a) ensuring a lawful basis to upload PHI; (b) configuring access controls; and (c) honoring individuals' rights under applicable law. Email and general support channels are not intended for PHI unless agreed in writing.

13) Children’s privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us to request deletion.

14) Your choices

  • Access & deletion: request via contact@hintyr.com.
  • Workspace controls: admins can configure retention and delete Customer Content.
  • AI features: where available, enable or disable AI features at the workspace level.
  • Cookies: strictly necessary cookies are required for sign‑in; disabling them may break the Services.

15) Third‑party links and integrations

Our Services may link to or interoperate with third‑party services. Their privacy practices are governed by their own policies. Where we act as processor, you are responsible for the lawfulness of any integrations that you enable with your workspace.

16) Changes to this Policy

We may update this Policy to reflect changes to our practices or for legal, technical, or regulatory reasons. If changes are material, we will provide notice (e.g., in‑app banner or email) and indicate the new effective date. Your continued use of the Services after the effective date means that you accept the revised Policy.

17) How to contact us

Questions or privacy requests: contact@hintyr.com
If you are in the EEA/UK/Switzerland, you may also contact your local data protection authority. We will cooperate with authorities as required by law.

Annex A — Subprocessors (core)

  • Clerk — Authentication & identity; personal identifiers and session data; strictly necessary cookies only.
  • Stripe — Payments; billing contact info and payment method tokens.
  • Google OAuth (Google LLC) — OAuth 2.0 authentication and Google Drive file access; processes email address, profile information, and selected Drive files; subject to Google API Services User Data Policy and Limited Use requirements; scopes: openid, email, profile, drive.file.
  • Google Cloud Platform (GCP, including Vertex AI/Gemini) — Cloud hosting and AI inference; Customer Content as necessary; covered by DPA/BAA; no training on Customer Content.

We will update this Annex as our subprocessors evolve and will provide notice where required by the DPA.

Annex B — Definitions

  • Customer Content: files, documents, data, and metadata uploaded into your workspace, including derived outputs.
  • Personal Information / Personal Data: information relating to an identified or identifiable individual, as defined by applicable law.
  • Sensitive Personal Information (SPI): categories defined by law (e.g., health data/PHI, precise geolocation, government IDs).
  • Processor / Service Provider: an entity that processes personal data on behalf of a controller/business.
  • Controller / Business: the entity that determines purposes and means of processing personal data.
  • BAA: Business Associate Agreement under HIPAA.
  • DPA: Data Processing Addendum that sets terms for processing personal data.