1. Introduction

This Privacy Policy (“Policy”) describes how Hyperion Intelligence, Inc. (“Hyperion,” “we,” “our,” or “us”) collects, uses, shares, and protects your personal information when you use Hyperion’s products, services, websites, web applications, and platform (collectively, the “Services”). This includes when you use the Hyperion Platform, connect financial accounts, interact with Hyperion-powered applications (“Apps”), or use AI-powered features and tools offered through the Services.

Apps that are powered by Hyperion are built and provided by our technology customers (“Developers”). These Apps offer a range of business services, including business valuation, performance benchmarking, spend management, financing applications, and business insights.

This Policy applies to all end users (“you” or “end users”) of the Services. Please read this Policy carefully—it contains important information about your privacy rights and choices.

What This Policy Does Not Cover. This Policy does not govern the data practices of Developers or third-party Apps. You should review the privacy policies of any third-party Apps you use. This Policy also does not cover data collected through interactions outside of the Services (such as direct emails to Hyperion). Please refer to our Website Terms of Use for additional terms.

2. About Hyperion

Hyperion helps businesses and financial professionals connect accounting and financial accounts (collectively, “financial accounts”) to Hyperion or to third-party Developers in order to provide you with the products and services you request. Hyperion also offers AI-powered analytics, data intelligence tools, and automated insights to help users make informed business and financial decisions.

3. Data We Collect and Sources

The data we collect depends on the Services you use and how you interact with the Hyperion platform. We may collect data from the following categories of sources:

3.1 Data You Provide to Us

When you use the Services, we collect information you directly provide, including:

  • Identifiers: name, email address, entity name, business address, date of entity creation, tax identification number, phone number, and similar identifying information.
  • Login Data: username, password, account number, security tokens, security questions and answers, and one-time passwords (OTPs) required by your account provider.
  • Documents and Statements: financial statements, accounting ledgers, bank statements, and other documents you upload or provide to Hyperion.
  • Usage Information: which Services you use, the dates and times of your use, and which financial institutions and Apps you connect through Hyperion.
  • AI Tool Inputs: queries, prompts, uploaded data, and other content you submit to Hyperion’s AI-powered tools and features.

When you provide login data and account connection information, you authorize Hyperion to act on your behalf to access and transmit data to and from your financial institution.

3.2 Data from Financial Institutions

Depending on the Services in use, we may collect the following data from your financial institutions:

  • Account Data: financial institution name, account name, account type, ownership, account number, entity identification number, and tax identification number.
  • Balance Data: current and available balances.
  • Credit Account Data: due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate.
  • Loan Account Data: due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms.
  • Investment Account Data: transaction information, asset type, identifying details, quantity, price, fees, and cost basis.
  • Account Owner Data: name, email address, phone number, and address information of account owner(s).
  • Transaction Data: amount, date, payee, type, quantity, price, location, involved securities, and transaction descriptions.
  • Payroll and Tax Data: income data and tax form information.

Data collected from financial accounts may include information from all accounts accessible through a single set of account credentials.

3.3 Data from Your Devices

When you use a device to interact with the Services, we may collect:

  • Internet protocol (IP) address
  • Timezone setting and geolocation data
  • Hardware model and operating system
  • Browser type and version
  • Network data
  • Features within the Services that you access
  • Device identifiers, settings, and preferences

3.4 Data from Developers

Developers of Apps powered by Hyperion may provide us with identifiers and commercial information about you, such as your name, unique identifier, email address, phone number, or information about your financial accounts and transactions, when needed to provide the Services.

3.5 Data from Other Sources

We may receive data about you from third parties, including your wireless carrier, identity verification services, fraud prevention services, agents, and our service providers, when needed to provide the Services or to protect against fraud, abuse, or security threats.

3.6 Derived and Inferred Data

We may derive or infer additional information about you from the data we collect, including through the use of AI and machine learning models, to provide and improve the Services, detect fraud, and personalize your experience.

4. How We Use Your Data

We use your data for the following business and commercial purposes:

  • Provide Services: To operate, provide, service, process, and maintain the Services, including AI-powered features and tools.
  • Develop and Improve Services: To improve, enhance, modify, and further develop the Services, including training and improving AI and machine learning models that power Hyperion’s features.
  • AI Processing: To process inputs you submit to AI Tools, generate AI-powered outputs, and improve the accuracy, quality, and performance of AI features. AI processing may involve automated decision-making; however, Hyperion does not use AI to make decisions that produce legal or similarly significant effects on you without appropriate human oversight.
  • Fraud Prevention and Security: To verify your identity and help protect you, Developers, partners, Hyperion, and others from fraud, malicious activity, and security threats.
  • Develop Insights: To develop insights from your data, including transaction data, financial data, and account connection data, to provide a faster, more personalized experience and to detect and prevent fraud.
  • Provide Support: To provide customer support and respond to your inquiries.
  • Communicate With You: To send you technical notices, updates, security alerts, and administrative messages.
  • Investigate Misuse: To investigate violations of our terms, criminal activity, or other unauthorized access to the Services.
  • Legal Purposes: To comply with applicable law, respond to legal process, and establish or defend legal claims.
  • With Your Consent: For other purposes with your consent or at your direction.

We may also collect, use, and share data that has been aggregated or de-identified in a manner that does not reasonably identify you for any purpose permitted by applicable law, including developing new products, facilitating research, and analytics.

5. How We Share Your Data

We share your data in the following circumstances:

  • With Developers: With the Developer of the App you are using, and as directed by that Developer.
  • Service Providers: With data processors, service providers, partners, agents, or contractors who perform services on our behalf, subject to contractual obligations to protect your data.
  • Financial Institutions: To establish, maintain, or manage connections between your financial accounts and the Services, and to help protect your accounts.
  • AI Sub-Processors: With third-party AI infrastructure providers and sub-processors who assist in delivering AI-powered features, subject to appropriate data processing agreements and security safeguards.
  • Legal Compliance: When we believe in good faith that disclosure is necessary to comply with applicable law, regulation, or legal process.
  • Business Transfers: In connection with a merger, acquisition, reorganization, bankruptcy, or other change in ownership or control of all or part of our business. In such event, we will notify you of any change in applicable terms or practices.
  • Affiliates: Between Hyperion and our current and future parents, affiliates, subsidiaries, and companies under common control or ownership.
  • Safety and Protection: As reasonably necessary to protect against and prevent fraud, unauthorized transactions, or to protect the rights, privacy, safety, or property of you, Developers, partners, Hyperion, and others.
  • Contractual Enforcement: To enforce any contract with you.
  • With Your Consent: For other purposes with your consent or at your direction.

We do not sell your personal information as defined under the California Consumer Privacy Act (CCPA) or share it for cross-context behavioral advertising purposes as defined under the California Privacy Rights Act (CPRA). We do not share your financial data with non-affiliated third parties except as permitted by applicable law (including as authorized by 12 C.F.R. §§ 1016.14 and 1016.15).

6. AI-Specific Data Practices

Hyperion uses artificial intelligence and machine learning technologies to power certain features of the Services. This section provides additional transparency about how we handle data in connection with AI features.

AI Training Data. Hyperion may use aggregated, de-identified, or anonymized data derived from your use of the Services to train, validate, and improve our AI and machine learning models. We implement technical safeguards designed to prevent the reconstruction of personal information from training datasets.

AI Inputs and Outputs. When you use AI-powered features, the inputs you provide (including queries and uploaded data) are processed to generate outputs. Hyperion may retain AI inputs and outputs for quality assurance, debugging, safety monitoring, and service improvement purposes, subject to our retention practices described in this Policy.

Third-Party AI Providers. Hyperion may use third-party AI infrastructure providers to deliver certain AI features. These providers are contractually bound to use your data solely for the purpose of providing services to Hyperion and are subject to confidentiality, security, and data protection obligations.

Automated Decision-Making. Certain features of the Services may involve automated processing, including profiling, to provide insights and recommendations. Hyperion does not use fully automated decision-making that produces legal or similarly significant effects on you without meaningful human oversight. Where required by applicable law, you have the right to request information about the logic involved in automated processing and to contest decisions made through automated means.

Opting Out of AI Data Use. If you do not wish for your data to be used for AI model training and improvement purposes, you may contact us using the contact information in Section 16 to request exclusion. Please note that opting out may limit the functionality of certain AI-powered features.

7. Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your interactions with the Services. These technologies help us:

  • Authenticate users and maintain session security
  • Remember your preferences and settings
  • Analyze usage patterns and improve the Services
  • Detect and prevent fraud
  • Measure the effectiveness of communications and marketing

We may collect and share cookie data with third parties when you visit our websites, or allow third parties to collect cookie data from our sites. You can manage your cookie preferences through your browser settings or through any cookie preference tool we make available on the Hyperion Site. Please note that disabling certain cookies may affect the functionality of the Services.

Do Not Track / Global Privacy Control. Hyperion honors Global Privacy Control (GPC) signals as required by applicable law. When we detect a GPC signal from your browser, we will treat it as a valid opt-out request for the sale or sharing of personal information, where applicable. For more information about GPC, visit globalprivacycontrol.org.

8. Data Retention

We retain your data only as long as it is reasonably necessary to fulfill the purposes for which it was collected. In determining retention periods, we consider the nature of the data, the purposes of collection, applicable legal requirements, and our legitimate business needs.

We may retain your data beyond the initial retention period if:

  • You maintain an active connection with a Developer’s App through Hyperion;
  • Hyperion needs your data to continue providing a Service you have requested;
  • Retention is required by applicable law or regulation;
  • The data is needed to protect against or prevent fraud, provide support, or investigate misuse;
  • The data has been anonymized such that it cannot reasonably be re-identified; or
  • You have specifically consented to extended retention.

When data is no longer needed, we will securely delete or anonymize it in accordance with our data retention schedules and applicable law. For information about exercising your deletion rights, see Section 9 below.

9. Your Privacy Rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal information. We will honor these rights subject to applicable limitations and exceptions provided by law, and you will not be discriminated against for exercising them:

  • Right to Know / Access: You may request information about the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom it has been shared.
  • Right to Delete: You may request that we delete your personal information, subject to certain exceptions (such as when retention is required by law or necessary to complete a transaction you requested).
  • Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
  • Right to Portability: You may request that we provide your personal information in a structured, commonly used, and machine-readable format. Please note that for an official record of your financial information, you should contact your financial institution directly.
  • Right to Restrict Processing: Under certain circumstances, you may request that we restrict the processing of your personal information.
  • Right to Object: You may object to the processing of your personal information under certain conditions provided by applicable law.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
  • Right to Opt Out of Sale/Sharing: Where applicable, you may opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising purposes.
  • Right Regarding Automated Decision-Making: Where applicable, you may request information about the logic involved in automated decision-making and contest decisions made solely through automated means.
  • Right to Lodge a Complaint: Depending on your jurisdiction, you may have the right to lodge a complaint with a data protection supervisory authority.

How to Exercise Your Rights. To exercise any of the above rights, please contact us at support@hyperionintelligence.co. You may be required to provide additional information necessary to verify your identity before we can process your request. If we receive your request from an authorized agent, we may ask for evidence of valid written authority (such as a power of attorney) to submit requests on your behalf.

We will respond to your request within the timeframe required by applicable law. Certain data may be exempt from such requests where retention is necessary to comply with our legal obligations, to establish, exercise, or defend legal claims, or as otherwise permitted by applicable law.

10. State-Specific Privacy Rights (United States)

10.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. These include the right to know, delete, correct, and opt out of the sale or sharing of personal information, as described in Section 9. We do not sell your personal information or share it for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than those permitted under applicable law.

California residents may also designate an authorized agent to make requests on their behalf. We may require the agent to provide proof of written authorization and may verify your identity directly.

For purposes of the CCPA/CPRA, the categories of personal information we collect, the sources, purposes, and categories of third parties with whom we share personal information are described in Sections 3, 4, and 5 of this Policy.

10.2 Virginia, Colorado, Connecticut, Utah, and Other State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy legislation may have additional rights, including the right to access, delete, correct, and port their personal information, and the right to opt out of targeted advertising, the sale of personal information, and profiling in furtherance of decisions that produce legal or similarly significant effects. To exercise these rights, please contact us using the information in Section 16.

11. International Users and Cross-Border Transfers

The Services are operated from the United States. If you access the Services from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States and other countries where Hyperion or its service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

Legal Basis for Processing (EEA, UK, and Swiss Users). If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, our legal bases for processing your personal data include:

  • Contract Performance: Processing necessary to provide the Services you have requested.
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, security, service improvement, and analytics, where those interests are not overridden by your rights.
  • Legal Obligation: Processing necessary to comply with applicable legal requirements.
  • Consent: Processing based on your consent, which you may withdraw at any time.

Transfer Safeguards. Where we transfer personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy determination, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner’s Office, supplemented by additional safeguards as appropriate.

12. Children’s Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that a child under 18 has provided personal information to Hyperion, please contact us using the contact information in Section 16.

13. Data Security

Hyperion implements and maintains administrative, technical, and physical security measures designed to protect the confidentiality, integrity, and availability of your personal information. These measures include:

  • Encryption of data in transit and at rest
  • Access controls limiting data access to authorized personnel with a business need
  • Regular security assessments and vulnerability testing
  • Incident response procedures for security events
  • Employee training on data protection and security practices

While we take reasonable steps to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

Data Breach Notification. In the event of a data breach involving your personal information, Hyperion will notify you and any applicable regulatory authorities as required by applicable law. Notification will include, to the extent known, the nature of the breach, the categories of data affected, and the measures taken to address and mitigate the breach.

14. Your Additional Privacy Controls

Hyperion provides the Hyperion Portal, a centralized dashboard that allows you to view and manage the connections you have made using Hyperion. Through the Hyperion Portal, you can:

  • View the financial accounts you have connected
  • See which Apps are using your data through Hyperion
  • Review the types of data shared with each App
  • Terminate connections between Apps and your financial accounts
  • Request deletion of associated data stored in Hyperion’s systems
  • Manage your AI data usage preferences

15. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will update the “Effective Date” and “Last Updated” date at the top of this page and post the revised Policy on our website. Where required by applicable law, we will provide you with notice of material changes through additional means (such as email notification). We encourage you to review this Policy periodically to stay informed about our data practices.

16. Contact Information

If you have any questions, concerns, or complaints about this Policy or Hyperion’s data practices, please contact us at:

Hyperion Intelligence, Inc.
Email: support@hyperionintelligence.co
Website: www.hyperionintelligence.co

If you are located in the EEA, UK, or Switzerland and have concerns about our data practices that we have not satisfactorily addressed, you have the right to lodge a complaint with your local data protection supervisory authority.

By using the Services, you acknowledge that you have read and understood this Privacy Policy.