Privacy Policy
How we handle your data.
Last updated: {{LAUNCH_DATE}}
This is Hatchik's privacy policy, written in plain English to be readable rather than impenetrable.
1. Who we are
Hatchik is operated by {{LEGAL_ENTITY_NAME}} ({{COMPANIES_HOUSE_NO}}), registered in the United Kingdom at {{REGISTERED_ADDRESS}}.
For privacy questions or to exercise your rights under the UK GDPR or EU GDPR, email privacy@hatchik.com.
We are the data controller for the personal data described in this policy.
2. What this policy covers
This policy covers personal data we collect when you:
- Visit hatchik.com
- Sign up to use Hatchik
- Email us at any @hatchik.com address
- Interact with us on social media
3. What we collect, when, and why
Visiting our website
- Standard server log data (IP address, browser type, referrer, the pages you viewed, timestamp). Used to monitor service health and protect against abuse. Retained for 30 days then deleted.
- Anonymous usage analytics (cookie-less, no personal identifiers, aggregated only). Helps us understand which pages are popular. Retained for 12 months.
We do not use third-party advertising trackers, cross-site fingerprinting, or any cookies that require consent under UK/EU cookie law. No cookie banner.
Signing up
- Email address — to send Hatchik updates and operational notifications.
- Product name and description — what you told us you want to build.
- Region and domain preferences (for paid customers).
We use this data to provision and operate your Hatchik. We do not sell or share it. You can request deletion any time.
Paying customers
- Billing details — handled by Paddle as our Merchant of Record (we never see your card number). If you opt to bring your own Stripe to charge your end-users, that account is yours and your customers' card data flows directly to Stripe.
- Deployment metadata — region, VPS IP, domain, project ID. Used to operate the service.
- App data and customer data — stays on your dedicated VPS, encrypted at rest, accessible only to you.
4. Legal basis (UK GDPR / EU GDPR)
- Legitimate interest — server logs, security, abuse protection
- Contract necessity — fulfilling your Hatchik subscription
- Consent — marketing emails (you can opt out any time)
- Legal obligation — tax records once we have revenue
5. Your rights
Under the UK GDPR and EU GDPR you have the right to:
- Access the personal data we hold about you — email privacy@hatchik.com and we'll respond within 30 days
- Correct inaccurate data
- Delete your data ("right to erasure") unless we have a legal obligation to keep it
- Object to processing
- Data portability — we'll send you a structured export
- Withdraw consent at any time
- Complain to the ICO (UK) or your local supervisory authority (EU)
6. Sub-processors
We use these third parties to deliver Hatchik:
- Hetzner Cloud (Germany) — VPS hosting for the marketing site, customer dashboard, and customer sandbox deployments (additional regions open on demand)
- Cloudflare — DNS, CDN, anti-abuse (Turnstile)
- Paddle (Paddle.com Market Ltd, UK) — Merchant of Record for Hatchik subscription payments
- Resend (USA) — transactional email delivery
- Infomaniak (Switzerland) — mailbox hosting on customer custom domains (Launch tier)
- OpenRouter (optional, if you enable AI passthrough) — AI provider gateway
We have written agreements with each that require them to protect your data and not use it for purposes other than providing the service to us.
We do not share your data with advertising networks, data brokers, or anyone for marketing purposes outside Hatchik.
Automated off-site backup storage (planned: Backblaze B2, encrypted with customer-specific keys) is on the near-term roadmap and is not yet in use. We'll update this policy and email account holders before turning it on.
7. Where your data lives
Hatchik's marketing site and all current customer sandboxes are hosted in Nuremberg, Germany, on Hetzner Cloud. Additional regions (Finland, US East, US West, Singapore) open on demand as Launch-tier customers request them.
Some sub-processors (Resend) operate from the USA under Standard Contractual Clauses for UK/EU data transfers. Paddle's data processing is governed by its own terms; refer to paddle.com for details.
8. Security
- HTTPS for all traffic (TLS 1.2+)
- Encrypted-at-rest storage with all sub-processors
- Customer-specific encryption keys for backups
- Limited access to customer data — only when needed for support, only with the customer's consent
If we have a data breach we'll tell you within 72 hours per UK GDPR.
9. Children
Hatchik is not designed for or intended to be used by anyone under 16.
10. Changes to this policy
We may update this policy as the product evolves. When we make a material change we'll email everyone with a Hatchik account before it takes effect.
11. Contact
For anything privacy-related: privacy@hatchik.com.
For everything else: hello@hatchik.com.