Privacy Policy
Effective date: 20 February 2026
1. Introduction
HydraCore Pty Ltd ("HydraCore", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard your information when you use our platform, website, APIs and related services (collectively, the "Service").
We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and, where applicable, the General Data Protection Regulation (GDPR) for users in the European Economic Area.
2. Information We Collect
2.1 Information You Provide
- Account information: Email address, password (hashed) and organisation name when you register
- Billing information: Payment details processed securely by Stripe - we do not store full card numbers
- Profile information: Display name, avatar and preferences you choose to set
- Support communications: Messages, feedback and correspondence you send to us
- Customer Data: Configuration, conversation logs and other data you upload to or generate through your AI agent instances
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, API calls made and interaction patterns
- Device information: Browser type, operating system, device identifiers and screen resolution
- Network information: IP address, approximate geographic location (city-level) and referring URLs
- Performance data: Page load times, errors and service performance metrics
2.3 Cookies and Tracking
We use strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. Our analytics, if enabled, use privacy-respecting, cookieless methods.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate and maintain the Service
- Process transactions and manage your subscription
- Authenticate your identity and secure your account
- Send transactional emails (account verification, password resets, billing receipts)
- Respond to your support requests and communications
- Monitor and improve the performance, security and reliability of the Service
- Detect, prevent and address fraud, abuse and technical issues
- Comply with legal obligations and enforce our Terms of Service
We will never sell your personal information to third parties. We will never use your Customer Data to train machine learning models without your explicit consent.
4. Legal Basis for Processing (GDPR)
For users in the EEA, we process personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you requested
- Legitimate interests: Improving our Service, preventing fraud and ensuring security
- Legal obligation: Compliance with applicable laws and regulations
- Consent: Where you have given explicit consent (e.g., marketing communications)
5. Data Sharing and Disclosure
We may share your information with:
5.1 Service Providers
Third-party companies that perform services on our behalf, including:
- Stripe: Payment processing and billing
- Cloud infrastructure providers: Hosting and compute (Hetzner, Vultr and similar)
- Resend: Transactional email delivery
- Error tracking services: Application monitoring and debugging
These providers are contractually obligated to use your information only for the purposes of providing their services to us and are bound by appropriate data protection agreements.
5.2 Legal Requirements
We may disclose your information if required to do so by law, or in the good faith belief that such action is necessary to comply with a legal obligation, protect our rights or safety, investigate fraud, or respond to a government request.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. After account deletion, we retain certain data for up to 30 days to allow for recovery, after which it is permanently deleted.
We may retain anonymised, aggregated data indefinitely for analytics and service improvement purposes. Billing records are retained as required by Australian tax law (typically 5–7 years).
7. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Bcrypt password hashing with per-user salts
- Row-Level Security (RLS) for multi-tenant data isolation
- JWT-based authentication with short-lived access tokens
- Regular security audits and penetration testing
- Infrastructure hardened with firewalls, fail2ban and VPN tunnels
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. Your Rights
8.1 All Users
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your account and associated data
- Export your data in a portable format
- Withdraw consent for optional processing at any time
8.2 Additional Rights (EEA/UK)
If you are located in the EEA or UK, you additionally have the right to:
- Restrict processing of your personal data
- Object to processing based on legitimate interests
- Receive your data in a structured, machine-readable format (data portability)
- Lodge a complaint with your local data protection authority
8.3 Australian Privacy Rights
Under the Privacy Act 1988, you have the right to access and correct your personal information. You may also complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
9. International Data Transfers
Your information may be transferred to and processed in countries other than Australia, including countries where our cloud infrastructure providers operate. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by GDPR.
10. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.
11. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or want to make a complaint, please contact us at:
HydraCore Pty Ltd
Privacy Officer
Melbourne, Australia
privacy@hydracore.io
For complaints that are not resolved to your satisfaction, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au.