1. Who we are (Controller)
Hyv Systems GmbH
Commercial Register: HRB 302659 (Register Court: Munich)
VAT ID: DE456101400
Registered address: Friedenstr. 8h, 85221 Dachau, Germany
Email: support@thehyv.io
If you have questions about this Policy or wish to exercise your rights, please contact us by email.
Data Protection Officer: Not appointed (no statutory requirement under Art. 37 GDPR currently applies).
2. Scope of this Policy
This Policy applies to:
- Website Visitors of www.thehyv.io (“Website”).
- Merchant Contacts & Platform Users (employees/agents who access the Platform or communicate with us).
- Prospects (business contacts reached for demos or events).
For End‑Consumers/Debtors whose data our merchants upload to the Platform, we act as Processor (see Section 6).
3. Categories of data we process as Controller
Depending on your interaction, we process:
3.1 Website usage data
Data: IP address, device identifiers, browser type/version, time zone, referrer URL, pages viewed, date/time, and similar log data.
Purpose: Provide and secure the Website (fraud prevention, troubleshooting, load balancing); compile aggregated statistics.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests) — operation, security, and optimization of our Website.
Retention: Server logs typically 30–90 days unless an incident requires longer retention.
3.2 Cookies & similar technologies
Strictly necessary cookies to operate the Website/Platform. Analytics/functional cookies only with your consent via our consent banner.
Legal framework: Art. 6(1)(a) GDPR for non‑essential cookies; Art. 6(1)(f) GDPR for essential cookies; storage/access on your device is governed by § 25 TTDSG.
Details: See our Cookie Settings (link in footer) for cookie list, providers, purposes, and expiry.
3.3 Contact and demo requests
Data: Name, business email, company, role, phone (optional), message content.
Purpose: Respond to inquiries and schedule demos.
Legal basis: Art. 6(1)(b) GDPR (pre‑contractual steps) or Art. 6(1)(f) (legitimate interests in responding to B2B queries).
Retention: Typically 12 months after last interaction, unless a contract is concluded or legal retention applies.
3.4 Account & Platform user data (Merchant staff)
Data: Business contact details, user ID, role/permissions, authentication logs, activity logs, support tickets.
Purpose: Provide and secure the Platform; authorize users; support; audit trail.
Legal basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) (security and abuse prevention).
Retention: For the contract term; key logs kept 6–24 months for security/audit.
3.5 Marketing communications (B2B)
Data: Business contact details, engagement metrics (opens/clicks) where permitted.
Purpose: Send product updates, event invites, or newsletters.
Legal basis: Art. 6(1)(a) (consent) or Art. 6(1)(f) in conjunction with § 7 UWG (existing customer exception, if applicable).
Opt‑out: You can unsubscribe at any time (link in email).
4. Sources of data
- Directly from you (forms, emails, contracts).
- Automatically via your device/browser (see 3.1).
- From publicly available B2B sources or events (prospects only).
5. Recipients and international transfers
Service providers/Subprocessors: Hosting, analytics (with consent), customer support tools, email delivery, logging/monitoring. We conclude data processing agreements (Art. 28 GDPR) and ensure appropriate safeguards.
Affiliates: For internal administration where applicable.
Authorities/courts: Where required by law.
International transfers: Where data is transferred outside the EEA, we implement EU Standard Contractual Clauses (SCCs) and additional measures as needed. Our primary hosting location is EU/EEA – Frankfurt (Germany).
We maintain a current list of Subprocessors here:
Data Processors and Sub-Processors
We use trusted third-party providers to host, store, and operate our service. All providers follow strict security and privacy standards (including GDPR) and process data only within the EU where possible. If any data is transferred outside the EU/EEA, it is protected by Standard Contractual Clauses (SCCs) and additional safeguards.
Core Infrastructure
- Hosting & Storage: Our platform runs on Amazon Web Services (AWS) in Frankfurt (eu-central-1). AWS provides the infrastructure for hosting the app, storage, and automated backups. Data is encrypted at rest and in transit and stays within the EU region.
- Database: We use AWS RDS (Aurora PostgreSQL) for structured data storage. It stores merchant and debtor-related information with encryption and point-in-time recovery enabled.
- Backend: Our backend is a Java application deployed on AWS EC2 servers in Frankfurt. These servers handle API requests, data processing, and integrations.
- Email Delivery: Transactional emails (for notifications and system messages) are sent via Amazon SES (EU region). Data processing remains in the EU whenever possible.
- Monitoring & Logs: We use AWS CloudWatch, and may optionally use Datadog (EU) or Grafana Cloud (EU) for performance and error monitoring. Personal data is masked in logs, and access is restricted.
Security & Reliability
- Error Tracking: We use Sentry (EU region) or a self-hosted alternative to detect and fix application errors. Sensitive data is not recorded.
- Web Protection: Cloudflare (EU POPs) provides DNS, CDN, and firewall protection. Only minimal data is logged, and routing stays in the EU.
- Security Scanning: GitHub Advanced Security and Snyk (EU plans) help us detect software vulnerabilities. These tools analyze code only and do not access customer data.
Customer Support & Operations
- Helpdesk: We use Zendesk (EU hosting) or Intercom (EU) for customer support. These tools process merchant contact details and case references only.
- CRM: HubSpot (EU data residency) is used to manage relationships with merchant partners. No debtor data is stored in CRM systems.
- Service Status: We may use Instatus (EU) or Better Stack (EU) to publish service uptime and incident updates.
- Billing & Payments: Payments are processed by Stripe (Ireland). Stripe acts as an independent controller for payment information and ensures GDPR compliance.
Additional Information
- Data is encrypted at rest and in transit (TLS 1.2+).
- Access to systems is protected by role-based permissions and multi-factor authentication.
- Backups remain within the EU.
- We review all providers regularly for security and privacy compliance.
6. Processing of End‑Consumer/Debtor data as Processor
Our merchant customers upload debtor/consumer Case data (e.g., identifiers, contact details, amounts owed, account status) to the Platform. For this processing, the Merchant is the Controller and Hyv Systems GmbH is the Processor. Key points:
- The processing is governed by a Data Processing Addendum (Art. 28 GDPR) between the Merchant and us.
- We do not determine the purposes of processing; we act on the Merchant’s documented instructions.
- We implement suitable security measures and confidentiality obligations, and only engage Subprocessors with the Merchant’s authorization.
- If we receive a request from a debtor/consumer to exercise GDPR rights, we will forward the request to the relevant Merchant (Controller) and assist as required by the DPA.
- Communications to debtors (e.g., email) sent via the Platform are initiated and controlled by the Merchant; we provide the technical means and logs.
7. Retention
We retain personal data only as long as necessary for the purposes described, or as required by law (e.g., commercial/tax retention). After expiry of retention periods, data is deleted or anonymized per our retention policy.
8. Your rights under GDPR
Subject to conditions and legal limitations, you have the following rights:
- Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21).
- Where processing is based on consent, you may withdraw consent at any time with future effect (Art. 7(3)).
To exercise your rights for processing where we are Controller, contact contact@thehyv.io. For processing where we act as Processor on behalf of a Merchant (Section 6), please contact the Merchant (Controller) directly; we will assist the Merchant as required.
You also have the right to lodge a complaint with a data protection supervisory authority. The authority competent for our registered office is [Supervisory Authority, State]; a list of authorities is available at https://www.bfdi.bund.de.
9. Security
We apply appropriate technical and organizational measures to protect personal data, including encryption in transit/at rest, access controls (SSO/MFA), role‑based permissions, logging/monitoring, vulnerability management, backups, and incident response procedures.
10. Children
Our Website and Services are not directed to children and are intended for B2B use. We do not knowingly collect data from children.
11. Changes to this Policy
We may update this Policy to reflect legal, technical, or business developments. We will post the updated Policy with a new “Last updated” date and, where appropriate, notify you by email or via the Platform.
12. Contact
For any questions or requests, please contact:
Hyv Systems GmbH
Email: support@thehyv.io
Address: Friedenstr. 8h, 85221 Dachau, Germany

Annex A — Overview of Controller Processing Activities (Summary Table)
Activity | Data categories | Purpose | Legal basis | Retention | Recipients
Website access | IP, logs, device data | Provide/secure Website | Art. 6(1)(f) | 30–90 days | Hosting, security
Cookies (non‑essential) | Online IDs | Analytics/UX | Art. 6(1)(a), §25 TTDSG | Per cookie | Analytics providers
Contact/Demo | Contact data, message | Respond to inquiries | Art. 6(1)(b)/(f) | ~12 months | CRM/support
Platform user account | Business contact, auth logs | Access & security | Art. 6(1)(b)/(f) | Term + 6–24 months logs | Hosting, auth, logging
Note: Processing of debtor/consumer Case data is performed as Processor (see Section 6 and the DPA).