Privacy Policy
Last updated: February 2026
1. Introduction
Hypergiant Ltd ("Company", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our feature flag and remote configuration platform ("Service").
We are the data controller for personal data collected through our Service. We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using our Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller Contact Information
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Data Protection Contact: privacy@runcfg.com
- General Enquiries: support@runcfg.com
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Account Information
- Email address
- Name (first and last)
- Account credentials (stored securely via our authentication provider)
- Organisation name and details
3.2 Billing Information
- Payment card details (processed by Stripe; we do not store full card numbers)
- Billing address
- Transaction history
3.3 Usage Data
- IP addresses
- Browser type and version
- Device information
- Pages visited and features used
- API call logs and usage metrics
- Feature flag evaluation counts
3.4 Communications
- Support ticket contents
- Email correspondence
- Feedback and survey responses
3.5 Content You Provide
Any personal data contained within your feature flags, configurations, or secrets is your responsibility as a data controller. We process such data solely on your behalf as a data processor.
4. How We Collect Personal Data
We collect personal data through:
- Direct collection: When you create an account, subscribe to our Service, or contact us
- Automated collection: Through cookies, server logs, and analytics tools when you use our Service
- Third parties: From our authentication provider (Keycloak) and payment processor (Stripe)
5. Legal Basis for Processing
Under the UK GDPR, we process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Providing and managing the Service | Contract performance |
| Processing payments | Contract performance |
| Responding to support requests | Contract performance |
| Sending service-related communications | Legitimate interests |
| Improving the Service | Legitimate interests |
| Security and fraud prevention | Legitimate interests |
| Marketing communications | Consent |
| Legal compliance | Legal obligation |
6. How We Use Your Personal Data
We use your personal data to:
- Create and manage your account
- Provide, maintain, and improve the Service
- Process your subscription and payments
- Send you important service updates and notifications
- Respond to your enquiries and support requests
- Monitor usage patterns and optimise performance
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations
- Send marketing communications (with your consent)
7. Data Sharing and Disclosure
We do not sell your personal data. We may share your data with:
7.1 Service Providers
- Stripe: Payment processing (US-based, Privacy Shield certified)
- Keycloak: Authentication services (self-hosted)
- Cloud infrastructure providers: Hosting and data storage
- Email service providers: Transactional emails
7.2 Legal Requirements
We may disclose your data if required by law, court order, or governmental regulation, or to protect our rights, property, or safety.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change.
8. International Data Transfers
Some of our service providers may process data outside the UK. When transferring data internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK ICO
- Transfers to countries with UK adequacy decisions
- Binding Corporate Rules where applicable
9. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
- Account data: For the duration of your account plus 2 years after deletion
- Billing records: 7 years (legal requirement)
- Usage logs: 12 months
- Support tickets: 3 years after resolution
- Marketing consent records: Until consent is withdrawn plus 2 years
After these periods, data is securely deleted or anonymised for statistical purposes.
10. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data in certain circumstances.
Right to Restrict Processing
Request that we limit how we use your data.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for marketing.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.
To exercise these rights, contact us at privacy@runcfg.com. We will respond within one month. Complex requests may require an extension of up to two additional months.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- RSA-2048 encryption for stored secrets
- Regular security assessments and penetration testing
- Access controls and authentication requirements
- Regular backups with encrypted storage
- Security incident response procedures
While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
12. Cookies and Tracking Technologies
We use the following types of cookies:
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication and session management | Session |
| Functional | Remembering preferences | 1 year |
| Analytics | Understanding usage patterns | 2 years |
You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service.
13. Children's Privacy
Our Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last updated" date
- Sending an email notification for significant changes
We encourage you to review this policy periodically.
15. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO.
16. Contact Us
For privacy-related enquiries or to exercise your rights:
- Email: privacy@runcfg.com
- Support: support@runcfg.com