What Is SEO? Why It Matters More Than Ever —
And How you can approach SEO with AI.
// Hyper Agency
Hyper Agency Privacy Policy
What Is SEO? Why It Matters More Than Ever —
And How you can approach SEO with AI.
Effective date: 13.08.2025
Who we are: Hyper Agency AB, Org. nr 559520-4537
(“we”, “us”, “our”).
How to contact us about privacy: info@hyperagency.ai
We are committed to the EU General Data Protection Regulation (GDPR) and the Swedish Act with supplementary provisions to the GDPR (SFS 2018:218). EUR-LexRiksdagen
1) What this policy covers
- Our websites and landing pages Hyperagency.ai, sub‑domains, campaign microsites.
- Our LLM AI Audit Tool (the “Tool”).
- Our email communications where you opt in to: Company updates, blog or Marketing information.
- Customer support and business development communications.
This policy does not cover client‑provided datasets we process strictly under a Data Processing Agreement (DPA) (where we act as processor). In such cases, your organisation is the controller and our processing is governed by the DPA.
2) The roles we play
- Website & marketing – we act as controller.
- Tool accounts for individuals or teams – we act as controller for account data and security logs; we typically act as processor for content you upload into the Tool if you are a business customer and have a DPA with us.
- We maintain internal records and agreements with our processors (hosting, email delivery, analytics, etc.).
3) The data we collect
A. Account & contact data
- Name, email, role, company, password (hashed), marketing preferences ( box you selected), timestamps and proof of consent/unsubscribe.
- Support requests and correspondence.
B. Tool data (“AI LLM audit”)
- Inputs you provide (prompts, files, configuration), generated outputs, evaluation results and performance metrics, and technical metadata (timestamps, user IDs, request/response sizes, latency, IPs).
- Sensitive data: the Tool is not intended for special categories of data (e.g., health, biometrics, political opinions). Please avoid entering such data unless your contract with us expressly permits it and you have a lawful basis.
C. Device & browsing data
- Server logs (IP address, user‑agent, referrer, time, pages viewed).
- Cookies & similar technologies (including local storage, SDKs, pixels) as explained in §8 below.
D. Sourcing data
- Public business contact information (e.g., LinkedIn/company sites) for B2B outreach, in line with legitimate interests and local marketing rules.
4) Why we process your data (purposes) and our legal bases
| Purpose | Typical data | Legal basis |
|---|---|---|
| Provide the Tool and website | Account, Tool data, logs | Contract (GDPR Art. 6(1)(b)) & legitimate interests for uptime, security (Art. 6(1)(f)) |
| Security, fraud & abuse prevention | Logs, IPs, usage patterns | Legitimate interests (Art. 6(1)(f)) |
| Product analytics & improvement (e.g., aggregate performance stats) | Aggregated/limited Tool metadata, diagnostics | Legitimate interests (Art. 6(1)(f)). Where tracking requires consent under e‑privacy rules, we only measure after consent (see §8). |
| Service communications (account, incidents, policy updates) | Contact details | Contract / legal obligations |
| Marketing emails (blog updates, new tools, marketing info) | Contact details, preferences | Consent (Art. 6(1)(a)). AvSeparate granular box. You can withdraw any time (§10). EDPB guidance clarifies consent must be freely given, specific, informed and unambiguous. European Data Protection Board |
| Compliance & record‑keeping | Minimal necessary data | Legal obligations (Art. 6(1)(c)) |
Children: Where information society services are offered directly to a child living in Sweden, the child can consent from age 13; below that, parental consent is required. Our services are not directed to children. rkrattsbaser.gov.se
5) How we use the Tool data responsibly
- Default posture: We process Tool content to run evaluations and deliver results only for your account/organisation.
- Model training: We do not use your identifiable Tool content to train third‑party foundation models. If we offer optional model‑improvement features, they will be off by default and subject to a separate, clear opt‑in.
- Minimisation: Where possible, we store aggregate metrics and strip or hash identifiers.
- Customer controls: Admins can configure retention windows and export/delete project data (see §9 for retention; §10 for rights).
6) Who we share data with
- Processors under written contracts: cloud hosting, security & logging, email/SMS providers, analytics/consent tools, and (if enabled) trusted AI infrastructure providers used to run evaluations.
- Within your organisation: when your account is part of a team/enterprise tenant.
- Legal & safety: courts, regulators or law enforcement where required.
- Business changes: in case of a merger or acquisition, with appropriate safeguards.
We require processors to implement appropriate technical and organisational measures and we audit/update our sub‑processor list. A current list is available at [link to /subprocessors].
7) International data transfers
We prefer to host and process in the EU/EEA. Where we transfer personal data outside the EEA, we use GDPR Chapter V safeguards such as the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914), plus transfer risk assessments and supplementary measures as needed. EUR-Lex
For transfers to certified U.S. organisations, we may rely on the EU–U.S. Data Privacy Framework (DPF) adequacy decision (EU 2023/1795). Publications Office of the EU
8) Cookies & similar technologies (Sweden / EU rules)
Under Swedish Electronic Communications Act (LEK), storing or accessing information on a user’s device (cookies and similar) generally requires prior consent, except for strictly necessary cookies. PTS (the Swedish authority for electronic communications) confirms consent must be active and withdrawable. PTS
PTS’s decisions further clarify that if you present “Accept all”, users must be able to reject non‑essential cookies just as easily, in the same view and at the same time, and it must be as easy to withdraw as to give consent. We follow these principles on our sites and CMP. PTS
- Essential cookies (always on): security, load balancing, user authentication.
- Analytics/Performance (opt‑in): understanding feature usage to improve the Tool and site.
- Marketing (opt‑in): measuring campaign effectiveness and showing relevant content.
A detailed, always‑current list of cookies and vendors appears in our Cookie Policy and in the consent banner (“Manage preferences”).
Note: LEK was updated in 2022 (SFS 2022:482); our practices align with the current law. Riksdagen
9) How long we keep data (retention)
We keep personal data only as long as necessary for the purposes in §4, then delete or irreversibly anonymise it.
- Account data: active account lifetime + [12] months (to support audits and account reactivation), unless law requires longer.
- Tool content: default [30–90] days, configurable for enterprise plans; admins can export or delete earlier. Aggregated, non‑personal metrics may be kept longer.
- Security logs: [12] months, unless investigating incidents.
- Marketing preferences & proof of consent: until you withdraw consent; we keep a minimal suppression record thereafter to honour your unsubscribe.
- Contracts, invoices, compliance records: per statutory limits.
10) Your rights
Under the GDPR you can request: access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time (withdrawal does not affect prior lawful processing). IMY provides plain‑language explanations of these rights. imy.se
- To exercise your rights, email info@hyperagency.ai
- We may verify identity and will respond without undue delay and within statutory timeframes.
- You also have the right to complain to IMY. imy.se
Automated decisions & profiling: We do not make decisions based solely on automated processing that produce legal or similarly significant effects. We may use profiling (e.g., segmenting subscribers by preference) to personalise communications, based on your consent and settings.
11) Security
We employ appropriate technical and organisational measures, including encryption in transit and at rest (where applicable), access controls/least‑privilege, audit logging, vulnerability management, employee confidentiality and training, and supplier due diligence. We maintain incident response procedures and will notify users and/or authorities where required by law (including under GDPR breach‑notification rules). European Data Protection Board
12) Marketing communications & preferences (granular opt‑ins)
At sign‑up and in other placements on our site you can choose to receive communications from us by ticking a separate box or boxes:
- Blog updates
- Marketing information (e.g., events, offers)
Boxes are unchecked by default; consent is freely given, specific and informed, and you can unsubscribe at any time via the link in each email or by emailing us (see §10). European Data Protection Board
We log consent details (what you agreed to, when, source and IP) to demonstrate compliance.
13) Additional information for organisations using the Tool
If you are a business customer:
- We will sign a DPA covering our processor role for your Tool content.
- You control retention settings and user access; we provide administrative tools for export and deletion.
- If you instruct us to use third‑country processors, we will implement SCCs and supplementary measures or rely on DPF where applicable (§7). EUR-LexPublications Office of the EU
- For high‑risk scenarios, we will support DPIAs and assist with data subject requests.
14) International users
Regardless of where you are located, we handle your personal data according to this policy and applicable EU/EEA laws. Where local law grants stronger protections, we will honour them.
15) Changes to this policy
We will update this policy when our practices or applicable laws change. We will post the new version here and, where appropriate, notify you by email or in‑product.
16) Contact
Controller: Hyper Agency AB, Org. nr 559520-4537
Email: info@hyperagency.ai
Swedish Authority for Privacy Protection (IMY): see imy.se for contact details and how to file a complaint. imy.se
Appendix A – Data map (summary)
| Processing | Data | Recipients | Storage location | Retention |
|---|---|---|---|---|
| Tool operation | Account credentials (hashed), prompts/outputs, metrics, logs | Hosting, security, AI runtime processors (contracted) | EU/EEA by default; third countries with SCCs/DPF if needed | Default [30–90] days for content; logs [12] months |
| Marketing emails | Email, consent status, preferences | Email service provider (processor) | EU/EEA or DPF/SCCs if outside EEA | Until withdraw; suppression list retained to honour opt‑out |
| Analytics (opt‑in) | Pseudonymous IDs, page/app events | Analytics vendor (processor) | As above | As configured in CMP/vendor; see Cookie Policy |
| Security & fraud | IPs, headers, usage anomalies | Security tools (processor) | As above | [12] months (extend for incidents) |
| Support | Contact details, ticket content | Helpdesk provider (processor) | As above | Lifecycle of ticket + [12] months |
Supervisory authority: Sweden’s Integritetsskyddsmyndigheten (IMY) is our lead data protection authority. You may contact IMY if you have concerns. imy.se
Our Services
/ Service 01
// Service 02
/// Service 03
//// Service 04
Let’s connect
We’re a driven team of innovators, strategists, developers, SEO & marketing experts, and creatives—obsessed with keeping our partners future-proof by delivering relevant, results-driven services. We’re excited to connect and explore how we can power your growth together.
Contact us directly at: →info@hyperagency.ai