Privacy Policy
Last updated: June 28, 2026
Hyra ("Hyra," "we," "us") provides a hosted loyalty-card platform that local businesses ("merchants") use to run stamp-card reward programs with their customers ("customers"). This policy describes what we collect from each group, why we collect it, where it is stored, and how we protect it.
1. The two relationships
Hyra sits between two distinct relationships, and our role is different in each:
- Hyra ↔ merchants: we are a service provider. A merchant signs up directly with us, pays us, and is the data controller for the customer information they collect through Hyra.
- Merchants ↔ customers: when a customer scans a merchant's QR or sticker, they enter a relationship with that merchant. Hyra is the processor — we hold the data on the merchant's behalf and never use it for our own marketing.
2. What we collect from merchants
- Account details: name, email, business name, business type, phone, city, optional website and social handles.
- Subscription data: plan, status, Stripe customer id, billing history (handled and stored by Stripe — we keep only references).
- Operational data: campaigns created, locations added, sticker batches generated, support tickets opened.
- Authentication metadata: hashed credentials (never plaintext passwords), session tokens, sign-in timestamps.
3. What we collect from customers
- Identifiers a customer voluntarily provides on a join form: name, email, phone (all optional).
- Loyalty events: when they joined a program, every stamp they earned, every reward they redeemed.
- Wallet sync state: which device-side wallet (Apple, Google) holds the customer's pass, so updates push correctly.
- Last-active timestamp derived from event history. We do not collect location history or device identifiers beyond what's required for Apple/Google Wallet to function.
Customer data is scoped per merchant. If a customer joins two different merchants' programs, those records are isolated and never linked or merged across merchants.
4. What we never collect
- Bank account or credit card numbers — Stripe handles all payment processing on its servers; we only see references to Stripe-issued ids.
- Government identification (passport numbers, SSNs, driver's licenses).
- Continuous geolocation. Geo-push notifications run locally on the customer's device against a saved merchant location; we never see where a customer is in real time.
- Browsing history, cross-site tracking pixels, or third-party advertising identifiers.
5. How we use the data
- Run the loyalty program: render the customer's pass, count stamps, sync to wallets, deliver merchant-authored notifications.
- Operate the merchant dashboard: render analytics, billing, support tickets, reports.
- Communicate operationally: account verification, billing receipts, support replies, security alerts.
- Comply with law: tax, accounting, and legal-hold requirements.
We do not sell any data. We do not share data with third parties for their own marketing. We do not train AI models on merchant or customer data.
6. Where data lives
- Database: Supabase Postgres in the us-east-1 region, with row-level security enforced for every table touching customer or merchant data.
- Static assets: Vercel edge network (logos, generated stamp art).
- Email delivery: Resend.
- Wallet pass generation: WalletWallet API.
- Payments: Stripe.
- AI features (theme suggestions, sticker quotes, help-center chat): OpenAI, with abuse-rate-limit caps. We do not send personally identifiable information into prompts.
7. How we protect it
- TLS 1.2+ on every connection, HSTS enforced on app.hyralabs.com and hyralabs.com.
- Database access requires service-role credentials kept in environment variables and never shipped to the browser.
- Every mutation is gated by a server-side ownership check (the merchant's business_id must match the row).
- Daily Supabase backups; 7-day point-in-time recovery on the production project.
- Multi-factor authentication available on every merchant account.
8. Your rights under the CCPA / CPRA
California residents have specific rights under the California Consumer Privacy Act (as amended by the CPRA):
- Right to know what personal information we collect, use, disclose, and sell or share.
- Right to delete personal information we collect from you, subject to legal-retention exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. Hyra does not sell personal information; we offer this control by default.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising any of the above.
To exercise any of these rights, email hi@hyralabs.com. We will verify your request and respond within 45 days. If we cannot fulfill the request we will tell you why.
Customers and merchants may also, at any time:
- Request a copy of their data (export endpoint available on the dashboard for merchants; email request for customers).
- Correct inaccurate data through the dashboard.
- Delete their account. Customer records (with cascading passes + events) are removed within 30 days. Merchants' deletions remove their business and all customer data; aggregated, non-identifying analytics survive deletion.
- Withdraw marketing consent. Operational email (billing, security) will still be sent.
9. Retention
Operational data (passes, stamps, redemptions) is retained for the life of the merchant's account plus 30 days after cancellation. Billing records are retained for 7 years to satisfy accounting and tax obligations. Audit logs are retained for 365 days.
10. International users
Hyra is operated from the United States. By using the service, EU/UK/EEA users consent to transfer and processing in the U.S. We rely on Standard Contractual Clauses for cross-border data transfers where applicable.
11. Children
Hyra is not directed at children under 13. We do not knowingly collect data from anyone under 13. Merchants are responsible for age-gating their own programs where applicable.
12. Updates
We'll post material changes here and bump the "Last updated" date at the top. For substantial changes (introducing a new processor, expanding data collection) we'll email every active merchant at least 14 days before the change takes effect.
13. Contact
Privacy questions, data requests, or security concerns: hi@hyralabs.com.
California residents who believe their CCPA / CPRA rights have not been honored may also contact the California Attorney General's office at oag.ca.gov/privacy or 1-800-952-5225.
Partner Program
If you join the Hyra Partner Program (as an influencer, reseller, or referring merchant), we collect the account details you provide — name, email, phone, country, and the referrals you generate — to run the program, attribute sign-ups, and calculate what you've earned. Payouts are handled through Stripe Connect: when you set up payouts, Stripe collects your banking and tax information directly and acts as the processor for those payments. Hyra never sees or stores your bank account details; we hold only a Stripe-issued account reference and the commission records tied to your referrals. We do not sell partner data, and we share it only with Stripe as needed to pay you and meet tax-reporting obligations.
SMS Communications & Consent
If you opt in to receive SMS messages from Hyra or one of our merchant partners, message frequency varies and may include up to 6 messages per week per merchant. Msg & data rates may apply. Reply STOP to cancel at any time. Reply HELP for help, or email hi@hyralabs.com.
Supported carriers include AT&T, Verizon, T-Mobile, Boost, US Cellular, Cricket, MetroPCS, and other US wireless carriers.
Hyra does not sell, rent, share, or otherwise disclose your phone number to any third party for marketing purposes. Phone numbers are stored only to deliver the SMS program you signed up for. Carriers are not liable for delayed or undelivered messages.