Privacy Policy
Version 2026-05-v1 · Last updated April 2026
What we collect
When you chat with our AI intake on hydras.ai, we collect the messages you send, your name, email address, and country (you choose when to share these), and basic technical metadata (IP address and browser user-agent) for security and abuse prevention.
Once you accept a quote and open your project room, we also collect: the messages you exchange with our AI inside the project timeline, any images you upload (Figma screenshots, inspiration, mockups), your password (stored as a salted scrypt hash — we never see the plain text), and the locked decisions that form the scope of work.
If Hydras is building on a GitHub repo we have linked to your project, we additionally store commit metadata from that repo — commit messages, author name and email (from the git log record), commit SHAs, URLs, and file-change counts. We never store your actual source code. This metadata is used solely to generate the plain-English Build Log cards you see in your Project Room. It's pruned automatically 180 days after processing unless still referenced by an active or shipped feature card.
Your project's shipped Build Log features are also visible at a sharable URL that includes your project token (/project/<token>/changelog). The page only renders features that have been explicitly published — drafts, thread messages, images, and round contents are never exposed. The token acts as the access control: anyone who has the link can read, which is the intent (send it to your team or investors). If you'd prefer the page be private, ask us to archive the project or rotate the token.
Why we collect it
Your intake conversation + contact details let us prepare a precise quote. Your project-room conversations + images let us lock down each feature correctly. Technical metadata is used to rate-limit abuse and comply with Malaysian PDPA and EU GDPR.
How we use it
We send your conversations to our AI provider (a third-party processor) to extract structured facts, draft a quote, and run each project-room round. We never sell your data and never share it with unrelated third parties. Only a small number of authorised Hydras team members can see your conversations in our internal admin panel.
We send notifications — emails (via Resend), push notifications (if you install our project room as a web app), and Telegram messages (admin-only, for our own team) — so no one misses an update. Project-room images are stored in Supabase Storage as sanitised PNGs with EXIF metadata stripped; original uploads are accessible only to Hydras admins with an audit trail.
Cookies + sessions
Your project room uses a signed session cookie (project_sess_<token>) that lasts 30 days. It is HttpOnly, Secure, SameSite=Lax, and contains only an HMAC signature of your project token + an expiry timestamp — no personal data. We don't use tracking cookies, third-party analytics cookies, or advertising cookies.
Audit logs
Every administrative action (creating a round, locking a decision, reopening a round, editing a summary) is logged with the admin's email and a timestamp. This exists for accountability and debugging. It is never visible to other clients and never used for marketing.
How long we keep it
If you never submit the intake chat, the draft is deleted automatically after 90 days. Once a quote is sent, your intake conversation and extracted project details are stripped after 30 days; only the quote itself (category, price, dates) remains. Active project rooms are kept for the project's lifetime; once a project is marked completed or archived, the full thread is archived and deleted after an additional 180 days.
Your rights
You can export all data we hold on you, or request deletion of your entire project room, at any time. Inside your project room you'll find a Download my data button (returns everything as a JSON bundle) and a Delete my project button (client-initiated request; we confirm and wipe within 14 days, or you can cancel during that window). For pre-project (intake-only) data, use /api/me/export and /api/me/delete — you'll receive a 6-digit email verification code first.
Hydras Partners — referral program data
If you sign up to our partner program at hydras.ai/partners, we additionally collect: your legal name, country of tax residence, national identification or passport number, residential address, bank name, bank account number, account holder name, and optionally your tax identification number. You provide these once via our Claim your earnings form — before that the partner dashboard only stores your email, display name (optional), and ref code.
How it's protected. Payout identity + bank details are encrypted at rest with AES-256-GCM. The encryption key lives in an environment variable, not in the database — even a full database dump cannot reveal the plaintext. Only the admin running a payout wire can decrypt the blob server-side at the moment of the wire. Nothing is decrypted inside your partner dashboard or sent to the browser.
What we share with third parties. Malaysian law (LHDN Form CP58) requires us to report commissions paid ≥ RM 5,000 per year to the Inland Revenue Board. We file your legal name, IC/passport, address, and paid amounts on that annual return. Equivalent filings apply in other tax jurisdictions. Beyond tax authorities and the bank handling the wire, we do not share partner data with anyone.
Referral attribution cookie. When a visitor lands on hydras.ai/?ref=<code>, we set an HttpOnly first-party cookie (hydras_ref) that lasts 30 days. The cookie contains only the 8-character ref code. We use it to credit the partner who sent you if you later submit our AI intake. The cookie is set once per browser and is never shared with third parties.
Client → referrer visibility. When you submit the AI intake after being referred, you see a checkbox labeled “Share anonymous progress with my referrer.” The checkbox is off by default. If you turn it on, your referring partner sees only the stage of your project (e.g. “build phase”) — never your name, company, email, or any project details. You can opt out later by emailing adrian@hydras.ai.
How long we keep partner data. Active partner accounts: until you request deletion. Tax-filing records: 7 years, as required by Malaysian tax law — we cannot delete these earlier even on request. Partner accounts that never verify their email and never earn a commission are auto-archived after 30 days of inactivity.
Hydras Autoport — technical error + feedback collection on client sites
Hydras Autoport is our after-service system: a widget + admin panel that runs on websites and apps we build for clients. When an end user of a client's site reports a technical issue through the “Powered by hydras.ai” footer, or when their browser hits a JavaScript error, Autoport collects the information needed to diagnose + fix the problem and funnels it to our admin panel.
What Autoport collects. Error messages and stack traces; the URL of the page (with secrets like token, access_token, password, authorization, jwt, session stripped from the query string); user-agent + locale; breadcrumbs of the last 20 clicks and navigations (no fetch bodies, no request headers); optional email and screenshot when the user submits a report; anonymous per-session id. No access tokens, cookies, or form values are captured unless the client site explicitly attaches them via our programmatic API.
Where it's stored. In our Supabase-hosted Postgres (EU/US dual-region), encrypted at rest. Screenshots live in a private bucket and are only visible via short-lived signed URLs generated for admin review.
How long we keep it. Individual error events are automatically deleted after 90 days. Aggregated crash groups (title, first/last seen, counts) are retained indefinitely so we can track regressions. Support tickets are retained until closed; screenshots on closed tickets are deleted 90 days after resolution.
Hydras is not the business. When you submit a report through the Autoport widget on a site we built, the report comes to Hydras, the company that maintains the site's technology. We cannot help with the site owner's products, services, orders, bookings, refunds, or payments — for that, please contact the site owner directly. Their contact details are shown in the report form.
Your rights on Autoport data. You can request deletion at hydras.ai/autoport/privacy-request. We confirm deletion within 7 days.
Contact
Questions about this policy? Email adrian@hydras.ai or reach out via the WhatsApp button on the home page. We respond within 24 hours, Malaysia time.