Privacy Policy
Last updated: March 7, 2026
GDPR Compliant CCPA Compliant
We respect your privacy. This Privacy Policy explains how Hynobo ("we," "us," or "our") collects, uses, discloses, and safeguards your personal information when you visit our website or use our services. This policy complies with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Data Controller
The data controller responsible for your personal information is:
- Company: Hynobo (IE Shepard Victoria Ekaterinovna)
- Email: vshepard@hynobo.com
2. Information We Collect
2.1 Information You Provide
We collect information you voluntarily provide when you:
- Fill out contact forms on our website
- Request a consultation or assessment
- Subscribe to our newsletter
- Communicate with us via email or messaging apps
This information may include:
| Category | Examples | CCPA Category |
|---|---|---|
| Identifiers | Name, email address, phone number | Category A |
| Professional Information | Company name, job title, industry | Category B |
| Communication Content | Messages, project descriptions, inquiries | Category H |
2.2 Information Collected Automatically
When you visit our website, we may automatically collect:
- IP address (anonymized)
- Browser type and version
- Device information
- Pages visited and time spent
- Referring website
3. How We Use Your Information
We use collected information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Respond to your inquiries and provide consultations | Legitimate Interest / Contract Performance |
| Send requested materials and resources | Consent / Contract Performance |
| Provide and improve our services | Contract Performance / Legitimate Interest |
| Send marketing communications (with consent) | Consent |
| Analyze website usage and improve user experience | Legitimate Interest |
| Comply with legal obligations | Legal Obligation |
4. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request limitation of processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with a supervisory authority
To exercise any of these rights, contact us at vshepard@hynobo.com. We will respond within 30 days.
5. Your Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of your personal information
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
We Do Not Sell Your Personal Information. Hynobo does not sell, rent, or trade your personal information to third parties for monetary consideration. We have not sold any personal information in the preceding 12 months.
5.1 How to Submit a CCPA Request
California residents can submit requests by:
- Email: vshepard@hynobo.com
- Subject line: "CCPA Request"
We will verify your identity before processing your request and respond within 45 days.
5.2 Categories of Personal Information (CCPA)
In the past 12 months, we have collected the following categories of personal information:
| Category | Collected | Sold | Disclosed for Business Purpose |
|---|---|---|---|
| A. Identifiers | Yes | No | Yes (service providers) |
| B. Personal Information (CA Civil Code) | Yes | No | Yes (service providers) |
| F. Internet Activity | Yes | No | No |
| H. Audio/Electronic/Visual Info | No | No | No |
| I. Professional Information | Yes | No | No |
6. Data Retention
We retain your personal information only as long as necessary for the purposes outlined in this policy:
- Contact form submissions: 3 years from last contact
- Client data: Duration of business relationship plus 5 years
- Marketing preferences: Until you unsubscribe
- Analytics data: 26 months (anonymized)
7. Data Sharing and Disclosure
We may share your information with:
- Service Providers: Email services, CRM systems, hosting providers who assist in our operations
- Legal Requirements: When required by law, court order, or government request
- Business Transfers: In connection with a merger, acquisition, or sale of assets
All service providers are contractually obligated to protect your data and use it only for specified purposes.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Binding corporate rules
- Your explicit consent
9. Analytics
Privacy-focused analytics. We use our own first-party analytics system that minimizes data collection. IP addresses are not stored in our database — country codes are determined by the CDN provider at the network level and passed to us without the IP address. Analytics data is pseudonymized and cannot reasonably be used to identify a specific visitor.
9.1 Our Analytics System
We use our own PostgreSQL-based analytics system to collect pseudonymized visit data:
- Page views
- Traffic sources (referrer information)
- Time on site
- Button and link interactions
- Scroll depth
- Visitor country code (determined by CDN provider)
9.2 Legal Basis for Analytics (GDPR)
We process analytics data based on our legitimate interest (Article 6(1)(f) GDPR) to improve our services and understand visitor needs. We have conducted a balancing test and determined that:
- The data collected is minimal and pseudonymized
- IP addresses are not stored in our systems
- The processing does not significantly impact visitor privacy
- Visitors can easily opt out (see section 9.7)
9.3 How Country Detection Works
Visitor country is determined by our CDN provider (Cloudflare, Vercel) at the network infrastructure level. The provider passes only a two-letter country code (e.g., "US", "DE") to our server via HTTP header. The IP address is not transmitted to or stored by our analytics system.
9.4 What We Do NOT Store in Analytics
Our analytics database does not contain:
- Visitor IP addresses
- Names, email addresses, phone numbers
- Precise geolocation (only country code)
- Form submission data (processed separately per sections 2-6)
- Cross-site tracking identifiers
- Device fingerprints
9.5 Events Tracked
We collect the following pseudonymized events:
- Page views
- Button and link clicks
- External link clicks
- Scroll depth milestones (25%, 50%, 75%, 90%)
- Time on page milestones (30s, 1min, 2min, 5min)
9.6 Local Storage
For analytics functionality, we use browser localStorage:
| Key | Purpose | Duration |
|---|---|---|
| _hynobo_sid | Random session identifier (UUID v4) | 30 minutes |
This identifier is a randomly generated string not linked to your identity.
9.7 How to Opt Out
You can opt out of analytics collection:
- Use your browser's Incognito/Private mode
- Disable JavaScript in your browser settings
- Use script-blocking extensions (uBlock Origin, NoScript)
- Enable Global Privacy Control (GPC) in your browser — we honor GPC signals
9.8 Global Privacy Control (CCPA)
We recognize and honor Global Privacy Control (GPC) signals as required by the California Consumer Privacy Act (CCPA). When your browser sends a GPC signal, we treat it as a valid opt-out request.
9.9 Analytics Data Deletion
Because analytics data is pseudonymized and does not contain information that can identify a specific visitor, we cannot locate and delete "your" data — it is indistinguishable from other visitors' data. This is by design and serves as an additional privacy safeguard. If you wish to prevent future data collection, please use the opt-out methods described in section 9.7.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- HTTPS encryption for all data transmission
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
- Secure data storage with encryption at rest
11. Children's Privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
12. Do Not Track Signals
Some browsers have a "Do Not Track" feature that signals to websites that you do not want to have your online activity tracked. We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of any material changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Sending an email notification (for significant changes)
14. Contact Us
For privacy-related questions, to exercise your rights, or to file a complaint:
Email: vshepard@hynobo.com
Subject: Privacy Inquiry
Response Time: Within 30 days (GDPR) / 45 days (CCPA)
14.1 Supervisory Authority
If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.