Privacy Policy – HyperResponder
Last updated: 17 August 2025
At VYKO TECHNOLOGIES LTD (“we”, “our”, “us”), your privacy is important to us. This Privacy Policy explains what data we collect, how we use it, and your rights as a user of the HyperResponder app and our websites (www.vyko.io, www.hyperresponder.com).
1. Who We Are
We are VYKO TECHNOLOGIES LTD, registered in the United Kingdom. We develop HyperResponder, a fitness tracking app that uses AI and natural language processing (NLP) to convert your free-form workout notes into structured data and trends.
Company Registration: 16534635
Registered Address: 52 Rupert Street, London, W1D 6DS
ICO Registration Number: ZB935904
Data Protection Officer: Not required under Article 37 UK GDPR, as we do not process sensitive data at scale or as our core activity.
We are the data controller under the UK GDPR.
2. Data We Collect
We may collect and process the following categories of data:
Account Data: Email address, username
Workout Entries: Free-form text you input
Parsed Workout Data: Sets, reps, weights, exercises extracted from your notes
Device Data: Device model, OS version, crash logs
Website Signup Data: If you join the waitlist or closed beta, we collect your email to send onboarding details, beta invites, and updates.
We do not collect or request sensitive health data unless you voluntarily provide it. Billing Information is managed via third-party payment providers. We do not store payment data directly.
3. How We Use Your Data
We use your data to:
Enable you to log, save, and view your workouts
Process your free-text notes into structured workout logs
Generate insights, trends, and performance summaries
Improve app functionality and fix bugs
Notify you of feature updates, closed beta access, product updates, or onboarding information if you’ve joined our waitlist (only with consent)
We do not sell personally identifiable information.
We may use aggregated and anonymised data (with all identifiers removed) for analytics, research, product improvement, or commercial purposes. This data cannot identify you and is never sold in a personally identifiable form.
4. Legal Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we rely on:
Consent – e.g. joining the waitlist, marketing opt-ins
Contractual necessity – to deliver the app features
Legitimate interests – to maintain, improve, and secure the app
These lawful bases allow us to process your data in a way that is expected, proportionate, and legally permitted under data protection law.
5. Third Parties & Data Sharing
We use the following third‑party services, which process personal data on our behalf and are bound by Data Processing Agreements:
Framer – Provides hosting for the HyperResponder and VYKO websites. Framer publishes a public Data Processing Addendum, incorporated into its Terms of Service. Framer acts as a data processor, and the DPA governs its obligations relating to the processing of personal data and content.
Firebase (Google) – Provides crash reporting, analytics, and infrastructure. Firebase is covered by Google's Data Processing and Security Terms (also called Firebase Data Processing Terms), which include Model Contractual Clauses for transfers. Google acts as a processor; these terms are applied by default but you can opt in or download them via your Firebase or Google Cloud privacy settings.
Tally – Processes beta application and feedback form responses, which may include your email address and any free-text data you provide. Tally publishes a public Data Processing Agreement on their website.
MailerLite – Manages email waitlist signups and automated onboarding (e.g. beta invite emails). MailerLite processes email addresses, consent status, and delivery/engagement tracking data (e.g. opens, link clicks). MailerLite publishes a public Data Processing Agreement on their website.
Porkbun – Provides domain registration, DNS management, and email hosting services for vyko.io, including our contact email address (hello@vyko.io). When you send an email to this address, Porkbun processes your personal data (such as your name, email address, and the contents of your message) in order to deliver the message to us. Porkbun acts as a data processor on our behalf and is bound by its published Data Processing Agreement, which governs its obligations relating to the processing of personal data, including security, data subject rights, and international transfers.
Zoho Mail – Hosts our support and contact emails for HyperResponder (hello@hyperresponder.com, team@hyperresponder.com). This means any personal data you send to us via these addresses will be processed by Zoho. Zoho acts as a processor on our behalf and we have executed a signed Data Processing Agreement with them.
OpenAI API – Provides natural language processing services for parsing workout text entered into the app. OpenAI offers a standard DPA that applies to API and ChatGPT Enterprise/Team. You must complete an online form to execute the DPA (selecting OpenAI Ireland Ltd for EU/UK customers) and receive a digitally signed copy.
Apple Developer – Used for closed beta distribution via TestFlight. We do not transmit user personal data to Apple for processing. Apple acts as an independent data controller under its own privacy terms and Developer Program License Agreement. As such, a separate Data Processing Agreement (DPA) is not required for our use of the Apple Developer Program.
All providers listed above are GDPR-compliant and bound by Data Processing Agreements (DPAs), or equivalent documented GDPR terms. Where DPAs are required, we have executed or downloaded valid agreements with our processors. and the DPA governs its obligations relating to the processing of personal data, including security, data subject rights, and international transfers. For services where a DPA is not required (e.g. Apple Developer, acting as a controller), we have documented their roles and obligations under applicable privacy terms.
If you wish to review or obtain any of these agreements (Framer DPA, Firebase Terms, OpenAI DPA, or Apple Developer data‑processing terms), please contact us at hello@vyko.io. We'll provide access or share the signed documents as appropriate.
We may share fully anonymised and aggregated data (which cannot identify individuals) with analytics providers, industry partners, or for internal commercial insights.
6. International Data Transfers
Some third-party processors may store or process your data outside the UK or European Economic Area (EEA). In these cases, we ensure your data is protected by including the use of UK-approved Standard Contractual Clauses (SCCs), Google’s and OpenAI’s international transfer frameworks, and other mechanisms approved by the ICO and UK government to ensure your data remains protected and compliant.
7. Data Security
We take data protection seriously and use the following safeguards:
Encryption at rest (AES-256) and in transit (TLS 1.2+)
Secure, firewalled infrastructure and HTTPS-only access
Role-based access control (RBAC) for internal data access
Regular backups and monitoring for unusual activity
Only authorised personnel can access user data.
8. Beta Testing Notice
During closed beta, HyperResponder is in active development. Features may be experimental or unstable. Data you submit may be manually reviewed to improve functionality. All data is still treated with the same safeguards in this Privacy Policy.
9. Data Retention
Your workout and account data is retained until you delete your account or request deletion.
Backups are kept for up to 90 days for disaster recovery purposes.
Anonymous usage analytics may be retained for long-term product improvement.
10. Your Rights
You have the right to:
Access the data we hold about you
Correct or update your personal data
Request deletion of your data at any time
Withdraw consent where processing is based on it
Object to certain types of processing
File a complaint with the Information Commissioner’s Office (ico.org.uk)
Request a copy of your data in a portable format (where technically feasible).
To exercise your rights, email: hello@vyko.io
11. Children’s Data
You must be 16 or older to use HyperResponder. We do not knowingly collect data from users under 16.
12. Cookies and Tracking Technologies (Including Meta Pixel)
When you access our website, we use cookies and similar tracking technologies to enhance your experience, analyse traffic, and support our marketing efforts. This includes tools such as Google Analytics and advertising technologies like Meta (Facebook) Pixel.
Types of Cookies We Use
Strictly Necessary Cookies – Required for the basic operation of our website (e.g., page navigation, secure login). These do not require consent under UK GDPR/PECR.
Analytics Cookies – Help us understand how users interact with our website (e.g., Google Analytics, Firebase). These are only placed after consent is given.
Marketing/Advertising Cookies – Allow us to deliver personalised advertising and measure performance (e.g., Meta Pixel). These are also consent-based only.
Functionality Cookies – We do not currently use functionality cookies (such as remembering user preferences).
Meta Pixel and Automatic Advanced Matching
We use Meta Pixel to monitor interactions with our website and improve our advertising campaigns on Meta platforms (e.g., Facebook, Instagram). We have enabled Automatic Advanced Matching, which allows hashed, browser-detected user data (such as email addresses submitted via forms) to be securely shared with Meta to improve ad attribution and targeting.
All data shared is hashed and processed under Meta’s own privacy terms and does not include raw, identifiable information. Meta Pixel is only activated after you provide explicit consent via our cookie banner.
Legal Basis for Processing
We rely on the following lawful bases under the UK GDPR:
Consent – For the use of non-essential cookies (analytics and advertising). No such cookies are placed unless and until you provide consent.
Legitimate Interests – For strictly necessary cookies required for the secure, proper functioning of our website.
Cookie Banner and Consent Management
Our cookie banner allows you to selectively accept or reject cookie categories such as Analytics and Marketing.
No non-essential cookies will be placed on your device until you provide explicit consent.
Your consent preferences are stored securely for 180 days, after which the banner will reappear for renewed consent.
You can update or withdraw your consent at any time via our cookie settings panel on the website or by adjusting your browser preferences.
We strive to respect your privacy choices fully and comply with all applicable data protection laws.
Your Cookie Choices and Rights
When you first visit our site, you will be presented with a cookie banner allowing you to:
Accept or decline non-essential cookies
Manage or withdraw your consent at any time
You may also adjust your cookie preferences:
Through our cookie settings panel, or
By changing your browser settings, or
Visiting Your Online Choices to opt out of interest-based advertising on a broader level
Please note: Withdrawing consent does not affect the lawfulness of any processing based on that consent before its withdrawal.
Contact
For any questions about how we use cookies or your data rights, email us at hello@vyko.io.
13. Data Breach Notification
If a data breach occurs that risks your personal rights or freedoms, we will notify you and the Information Commissioner’s Office (ICO) within 72 hours, in accordance with GDPR obligations.
14. Changes to This Policy
We may update this Privacy Policy occasionally. If the changes are significant, we will notify you via the app or email. You should review this policy regularly to stay informed.
Privacy Policy – HyperResponder
Last updated: 17 August 2025
At VYKO TECHNOLOGIES LTD (“we”, “our”, “us”), your privacy is important to us. This Privacy Policy explains what data we collect, how we use it, and your rights as a user of the HyperResponder app and our websites (www.vyko.io, www.hyperresponder.com).
1. Who We Are
We are VYKO TECHNOLOGIES LTD, registered in the United Kingdom. We develop HyperResponder, a fitness tracking app that uses AI and natural language processing (NLP) to convert your free-form workout notes into structured data and trends.
Company Registration: 16534635
Registered Address: 52 Rupert Street, London, W1D 6DS
ICO Registration Number: ZB935904
Data Protection Officer: Not required under Article 37 UK GDPR, as we do not process sensitive data at scale or as our core activity.
We are the data controller under the UK GDPR.
2. Data We Collect
We may collect and process the following categories of data:
Account Data: Email address, username
Workout Entries: Free-form text you input
Parsed Workout Data: Sets, reps, weights, exercises extracted from your notes
Device Data: Device model, OS version, crash logs
Website Signup Data: If you join the waitlist or closed beta, we collect your email to send onboarding details, beta invites, and updates.
We do not collect or request sensitive health data unless you voluntarily provide it. Billing Information is managed via third-party payment providers. We do not store payment data directly.
3. How We Use Your Data
We use your data to:
Enable you to log, save, and view your workouts
Process your free-text notes into structured workout logs
Generate insights, trends, and performance summaries
Improve app functionality and fix bugs
Notify you of feature updates, closed beta access, product updates, or onboarding information if you’ve joined our waitlist (only with consent)
We do not sell personally identifiable information.
We may use aggregated and anonymised data (with all identifiers removed) for analytics, research, product improvement, or commercial purposes. This data cannot identify you and is never sold in a personally identifiable form.
4. Legal Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we rely on:
Consent – e.g. joining the waitlist, marketing opt-ins
Contractual necessity – to deliver the app features
Legitimate interests – to maintain, improve, and secure the app
These lawful bases allow us to process your data in a way that is expected, proportionate, and legally permitted under data protection law.
5. Third Parties & Data Sharing
We use the following third‑party services, which process personal data on our behalf and are bound by Data Processing Agreements:
Framer – Provides hosting for the HyperResponder and VYKO websites. Framer publishes a public Data Processing Addendum, incorporated into its Terms of Service. Framer acts as a data processor, and the DPA governs its obligations relating to the processing of personal data and content.
Firebase (Google) – Provides crash reporting, analytics, and infrastructure. Firebase is covered by Google's Data Processing and Security Terms (also called Firebase Data Processing Terms), which include Model Contractual Clauses for transfers. Google acts as a processor; these terms are applied by default but you can opt in or download them via your Firebase or Google Cloud privacy settings.
Tally – Processes beta application and feedback form responses, which may include your email address and any free-text data you provide. Tally publishes a public Data Processing Agreement on their website.
MailerLite – Manages email waitlist signups and automated onboarding (e.g. beta invite emails). MailerLite processes email addresses, consent status, and delivery/engagement tracking data (e.g. opens, link clicks). MailerLite publishes a public Data Processing Agreement on their website.
Porkbun – Provides domain registration, DNS management, and email hosting services for vyko.io, including our contact email address (hello@vyko.io). When you send an email to this address, Porkbun processes your personal data (such as your name, email address, and the contents of your message) in order to deliver the message to us. Porkbun acts as a data processor on our behalf and is bound by its published Data Processing Agreement, which governs its obligations relating to the processing of personal data, including security, data subject rights, and international transfers.
Zoho Mail – Hosts our support and contact emails for HyperResponder (hello@hyperresponder.com, team@hyperresponder.com). This means any personal data you send to us via these addresses will be processed by Zoho. Zoho acts as a processor on our behalf and we have executed a signed Data Processing Agreement with them.
OpenAI API – Provides natural language processing services for parsing workout text entered into the app. OpenAI offers a standard DPA that applies to API and ChatGPT Enterprise/Team. You must complete an online form to execute the DPA (selecting OpenAI Ireland Ltd for EU/UK customers) and receive a digitally signed copy.
Apple Developer – Used for closed beta distribution via TestFlight. We do not transmit user personal data to Apple for processing. Apple acts as an independent data controller under its own privacy terms and Developer Program License Agreement. As such, a separate Data Processing Agreement (DPA) is not required for our use of the Apple Developer Program.
All providers listed above are GDPR-compliant and bound by Data Processing Agreements (DPAs), or equivalent documented GDPR terms. Where DPAs are required, we have executed or downloaded valid agreements with our processors. and the DPA governs its obligations relating to the processing of personal data, including security, data subject rights, and international transfers. For services where a DPA is not required (e.g. Apple Developer, acting as a controller), we have documented their roles and obligations under applicable privacy terms.
If you wish to review or obtain any of these agreements (Framer DPA, Firebase Terms, OpenAI DPA, or Apple Developer data‑processing terms), please contact us at hello@vyko.io. We'll provide access or share the signed documents as appropriate.
We may share fully anonymised and aggregated data (which cannot identify individuals) with analytics providers, industry partners, or for internal commercial insights.
6. International Data Transfers
Some third-party processors may store or process your data outside the UK or European Economic Area (EEA). In these cases, we ensure your data is protected by including the use of UK-approved Standard Contractual Clauses (SCCs), Google’s and OpenAI’s international transfer frameworks, and other mechanisms approved by the ICO and UK government to ensure your data remains protected and compliant.
7. Data Security
We take data protection seriously and use the following safeguards:
Encryption at rest (AES-256) and in transit (TLS 1.2+)
Secure, firewalled infrastructure and HTTPS-only access
Role-based access control (RBAC) for internal data access
Regular backups and monitoring for unusual activity
Only authorised personnel can access user data.
8. Beta Testing Notice
During closed beta, HyperResponder is in active development. Features may be experimental or unstable. Data you submit may be manually reviewed to improve functionality. All data is still treated with the same safeguards in this Privacy Policy.
9. Data Retention
Your workout and account data is retained until you delete your account or request deletion.
Backups are kept for up to 90 days for disaster recovery purposes.
Anonymous usage analytics may be retained for long-term product improvement.
10. Your Rights
You have the right to:
Access the data we hold about you
Correct or update your personal data
Request deletion of your data at any time
Withdraw consent where processing is based on it
Object to certain types of processing
File a complaint with the Information Commissioner’s Office (ico.org.uk)
Request a copy of your data in a portable format (where technically feasible).
To exercise your rights, email: hello@vyko.io
11. Children’s Data
You must be 16 or older to use HyperResponder. We do not knowingly collect data from users under 16.
12. Cookies and Tracking Technologies (Including Meta Pixel)
When you access our website, we use cookies and similar tracking technologies to enhance your experience, analyse traffic, and support our marketing efforts. This includes tools such as Google Analytics and advertising technologies like Meta (Facebook) Pixel.
Types of Cookies We Use
Strictly Necessary Cookies – Required for the basic operation of our website (e.g., page navigation, secure login). These do not require consent under UK GDPR/PECR.
Analytics Cookies – Help us understand how users interact with our website (e.g., Google Analytics, Firebase). These are only placed after consent is given.
Marketing/Advertising Cookies – Allow us to deliver personalised advertising and measure performance (e.g., Meta Pixel). These are also consent-based only.
Functionality Cookies – We do not currently use functionality cookies (such as remembering user preferences).
Meta Pixel and Automatic Advanced Matching
We use Meta Pixel to monitor interactions with our website and improve our advertising campaigns on Meta platforms (e.g., Facebook, Instagram). We have enabled Automatic Advanced Matching, which allows hashed, browser-detected user data (such as email addresses submitted via forms) to be securely shared with Meta to improve ad attribution and targeting.
All data shared is hashed and processed under Meta’s own privacy terms and does not include raw, identifiable information. Meta Pixel is only activated after you provide explicit consent via our cookie banner.
Legal Basis for Processing
We rely on the following lawful bases under the UK GDPR:
Consent – For the use of non-essential cookies (analytics and advertising). No such cookies are placed unless and until you provide consent.
Legitimate Interests – For strictly necessary cookies required for the secure, proper functioning of our website.
Cookie Banner and Consent Management
Our cookie banner allows you to selectively accept or reject cookie categories such as Analytics and Marketing.
No non-essential cookies will be placed on your device until you provide explicit consent.
Your consent preferences are stored securely for 180 days, after which the banner will reappear for renewed consent.
You can update or withdraw your consent at any time via our cookie settings panel on the website or by adjusting your browser preferences.
We strive to respect your privacy choices fully and comply with all applicable data protection laws.
Your Cookie Choices and Rights
When you first visit our site, you will be presented with a cookie banner allowing you to:
Accept or decline non-essential cookies
Manage or withdraw your consent at any time
You may also adjust your cookie preferences:
Through our cookie settings panel, or
By changing your browser settings, or
Visiting Your Online Choices to opt out of interest-based advertising on a broader level
Please note: Withdrawing consent does not affect the lawfulness of any processing based on that consent before its withdrawal.
Contact
For any questions about how we use cookies or your data rights, email us at hello@vyko.io.
13. Data Breach Notification
If a data breach occurs that risks your personal rights or freedoms, we will notify you and the Information Commissioner’s Office (ICO) within 72 hours, in accordance with GDPR obligations.
14. Changes to This Policy
We may update this Privacy Policy occasionally. If the changes are significant, we will notify you via the app or email. You should review this policy regularly to stay informed.