Skip to content
Privacy Policy

Privacy Policy

Privacy Policy

Last updated: April 4, 2026

This policy explains how we collect, use, and protect your personal data when you use Hush and our website. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable Cyprus data protection law.

Data Controller

RYVESA LTD

Terpsichoris 15, ELEFTHERIOU HILL RESIDENCE, Flat/Office 202, 2102 Aglantzia, Nicosia, Cyprus

Registration Number: HE489886

Privacy inquiries: contact@hushtweak.com

Data Protection Officer

We have not appointed a Data Protection Officer (DPO) as our core processing activities do not meet the thresholds requiring one under GDPR Art. 37 (large-scale systematic monitoring or large-scale processing of special categories of data). For all privacy inquiries, contact us at contact@hushtweak.com.

Data We Collect

  • Account data — Email address, collected when you create an account through our authentication provider (Clerk). Used for account management and communication.
  • License data — Your license key (generated on purchase), subscription plan, and status. Used to manage your subscription and validate your license.
  • Device data — A unique hardware identifier, device model, iOS version, jailbreak type, and installed software version. Collected when your device first connects to our license server. Used for per-device license binding and compatibility verification.
  • Device security data — A device-generated public key used for cryptographic authentication during license validation. Used to prevent unauthorized license use.
  • Subscription data — Your Whop membership ID, received via webhook when you subscribe. Used to link your payment subscription to your license.
  • Binary integrity data — A cryptographic hash of the software binary, collected during license validation to verify software integrity and detect tampering. No personal content is derived from this hash.
  • Validation logs — A unique device identifier, an internal license reference, and success/failure status for each license validation request. Used for fraud prevention. Automatically deleted after 30 days.
  • Website analytics data — Aggregated, non-identifying usage data collected via Vercel Web Analytics when you visit our website: pages visited, referrer URL, country/region (derived from your IP address, which is not stored), device type, operating system, and browser. No cookies or persistent identifiers are used. Approximate unique visitor counts are derived from a non-reversible, daily-rotating hash that is discarded after 24 hours.
  • Preferences — Your theme preference (dark/light mode), stored locally in your browser's localStorage. Never sent to our servers.

Data We Do Not Collect

  • We do not store IP addresses in our own database. Our service providers (Clerk, Convex, Whop) may process IP addresses as part of their standard infrastructure operations; see their respective privacy policies.
  • We do not collect location data.
  • We do not collect any data from your Snapchat account.
  • We do not use advertising, targeting, or cross-site tracking technologies.
  • We do not collect crash logs or error reports.

Legal Bases for Processing

  • Contract performance (GDPR Art. 6(1)(b)) — Processing of your account data, license data, device data, and payment data is necessary to provide you with the Hush service and manage your subscription.
  • Legitimate interest (GDPR Art. 6(1)(f)) — Validation logs are processed for fraud prevention and license abuse detection. These logs are minimal (device identifier and success status only) and automatically deleted after 30 days. Website analytics data is processed to understand traffic patterns and improve our website. This processing is minimal (no cookies, no persistent identifiers, no cross-site tracking) and does not involve profiling or automated decision-making.

Third-Party Services & Data Recipients

  • Clerk (Clerk Inc., United States) — Handles user authentication. Processes your email and login credentials. Certified under the EU-US Data Privacy Framework. Clerk Privacy Policy.
  • Convex (Convex Inc., United States) — Hosts our database. Stores your account data, license data, and device data on our behalf. Protected by Standard Contractual Clauses (Module Two). Convex Privacy Policy.
  • Whop (Whop Inc., United States) — Processes payments. When you check out via Whop, Whop acts as an independent data controller for your payment information (credit card details, billing address). You agree to Whop's Privacy Policy at checkout. We only receive your Whop membership ID and subscription status — we never see or store your payment card details.
  • Vercel (Vercel Inc., United States) — Hosts our website and provides cookieless web analytics (Vercel Web Analytics). For hosting, Vercel may process visitor IP addresses and request metadata as part of standard web serving. For analytics, Vercel collects aggregated page view data (pages visited, referrer, country, device type, browser). IP addresses are used transiently for geographic lookup and daily visitor deduplication via a non-reversible hash, then discarded — they are not stored in analytics data. No cookies or persistent identifiers are used. Vercel Privacy Policy.

International Data Transfers

Your data is processed by service providers based in the United States. These transfers are protected by the following mechanisms in accordance with GDPR Chapter V:

  • Clerk: EU-US Data Privacy Framework (adequacy decision) + Standard Contractual Clauses
  • Convex: Standard Contractual Clauses (Module Two — controller to processor)
  • Whop: Standard Contractual Clauses
  • Vercel: Standard Contractual Clauses

Data Retention

  • Account data is retained for the duration of your active account, plus 30 days after account deletion to handle any outstanding matters.
  • License and device data is retained for the duration of your active subscription. Device data is cleared when you unbind your device or your license expires.
  • Validation logs are automatically deleted after 30 days.
  • Payment data is managed by Whop according to their own retention policy.
  • Theme preferences are stored in your browser and persist until you clear your browser storage.

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access (Art. 15) — Request a copy of your personal data.
  • Rectification (Art. 16) — Request correction of inaccurate data.
  • Erasure (Art. 17) — Request deletion of your data ("right to be forgotten").
  • Restriction (Art. 18) — Request that we restrict processing of your data.
  • Portability (Art. 20) — Receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — Object to processing based on legitimate interest.

To exercise any of these rights, contact us at contact@hushtweak.com. We will respond within 30 days. For complex requests, we may extend this by an additional 60 days, in which case we will inform you of the delay.

You also have the right to lodge a complaint with the supervisory authority: Commissioner for the Protection of Personal Data, 1 Iasonos Street, 1082 Nicosia, Cyprus (commissioner@dataprotection.gov.cy).

Cookies & Local Storage

  • Authentication cookies — Set by Clerk for session management. These are strictly necessary for the website to function and are exempt from consent requirements under ePrivacy Directive Art. 5(3).
  • Theme preference — Stored in your browser's localStorage when you toggle dark/light mode. This is a user-initiated functional preference and is never sent to our servers.
  • Web analytics — Vercel Web Analytics does not use cookies, localStorage, or any other client-side storage. No consent banner is required for this processing under ePrivacy Directive Art. 5(3).
  • We do not use any advertising or tracking cookies.

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22). Our license validation system uses automated checks (rate limiting, challenge-response verification) for security purposes, but these do not constitute decisions with legal effect — they are technical access controls.

Children's Data

Hush is not intended for persons under the age of 14 (in accordance with Cyprus Law 125(I)/2018). We do not knowingly collect personal data from children under 14. If you believe we have collected data from a child under 14, please contact us and we will promptly delete it.

Data Security

  • All connections are encrypted using HTTPS/TLS.
  • Licenses are validated using cryptographic authentication to prevent unauthorized access.
  • Rate limiting is applied to all API endpoints to prevent abuse.
  • Validation logs are automatically purged after 30 days.

Data Breach Notification

In the event of a personal data breach, we will notify the Cyprus Commissioner for Data Protection within 72 hours (GDPR Art. 33). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay (Art. 34).

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the email address associated with your account. The "Last updated" date at the top of this page indicates the most recent revision.

Contact

RYVESA LTD

Terpsichoris 15, ELEFTHERIOU HILL RESIDENCE, Flat/Office 202, 2102 Aglantzia, Nicosia, Cyprus

Email: contact@hushtweak.com

See also our Terms of Service.