1. Introduction
This Privacy Policy explains how Hypebox (“Hypebox”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards information in connection with Staks — our business management platform available at staksai.com and app.staksai.com (the “Service”).
Staks is operated by Hypebox through its affiliated entities, Hypebox Media SARL (Beirut, Lebanon) and Hypebox For Marketing and PR (Dubai, United Arab Emirates). By using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.
This Policy should be read together with our Terms of Use.
2. Who this Policy applies to, and our role
Staks is a business-to-business (“B2B”) tool. It is used by organizations (“Customers”) and the people they authorize (“Users”, such as owners, admins, and team members). Two categories of data are involved, and our role differs for each:
- Account and platform data (registration details, login credentials, usage and device data). For this data, Hypebox acts as a data controller — we decide how and why it is processed.
- Customer Content (the business records a Customer enters into Staks, such as invoices, quotes, expenses, payroll and employee records, clients, contacts, deals, products, and uploaded documents). For this data, Hypebox acts as a data processor (or service provider) — we process it on behalf of and under the instructions of the Customer, who is the controller. If you are an individual whose personal data appears in Customer Content (for example, an employee or a client of a Customer), please direct privacy requests to that organization; we will support them in responding.
3. Information we collect
a. Information you provide directly
- Account information: name, email address, and password. If you sign in with Google, we receive your name, email address, and profile identifier from Google.
- Organization and profile information: organization name, role, team membership, business entity details, logos, and settings you configure.
- Customer Content: the business data you and your team create or upload, which may include financial records (invoices, quotes, payments, expenses, taxes, assets, liabilities), payroll and employee information, customer/contact and company records, sales pipeline and deal data, products and inventory, and documents (e.g., contracts, PDFs). This may contain personal data about third parties whom the Customer has chosen to manage in Staks.
- Communications: messages, support requests, and feedback you send us.
b. Information collected automatically
- Usage data: actions taken in the Service, feature usage, timestamps, and audit/activity logs (including logs relating to integrations and API tokens).
- Device and technical data: IP address, browser type, device and operating system information, and similar identifiers.
- Cookies and similar technologies: used to keep you signed in, remember preferences, and operate the Service. See Section 11.
c. Information from third parties
- Authentication providers (e.g., Google) when you choose to sign in through them.
- Service providers (subprocessors) that help us operate the Service, as described in Section 6.
We do not intentionally collect special categories of sensitive personal data (such as government IDs, health, or biometric data) for our own purposes. Customers should avoid entering such data into free-text fields unless necessary and lawful for their own business.
4. How we use information, and our legal bases
We use information to:
| Purpose | Examples | Legal basis (where applicable) |
|---|---|---|
| Provide and operate the Service | Create accounts, authenticate logins, store and display your business data, run features | Performance of a contract |
| Send transactional communications | Sign-in codes, password resets, invitations, invoice/quote/payroll notifications | Performance of a contract; legitimate interests |
| AI-assisted features | Generate reports, extract and summarize data via the business copilot | Performance of a contract; legitimate interests |
| Secure the Service | Prevent fraud and abuse, maintain audit logs, enforce access controls and rate limits | Legitimate interests; legal obligation |
| Support and improve the Service | Respond to requests, diagnose issues, understand usage, develop features | Legitimate interests |
| Comply with law | Respond to lawful requests, meet accounting/tax and regulatory obligations | Legal obligation |
Where we rely on legitimate interests, we balance those interests against your rights. Where the law requires consent (for example, certain cookies or marketing), we obtain it and you may withdraw it at any time.
We do not sell your personal information, and we do not use Customer Content to advertise to you.
5. AI features (Business Copilot)
Staks includes AI-assisted features (the “business copilot” and related tools) that help you query, summarize, and extract insights from your data. To provide these features, the relevant data (such as your prompt and the specific business records needed to answer it) is processed by our AI subprocessor, Anthropic, using the Claude family of models.
- AI processing happens only when a User invokes an AI feature.
- Our AI subprocessor processes this data to return a result to you and, under our agreement, does not use it to train its foundation models.
- AI outputs can be imperfect. You are responsible for reviewing AI-generated results before relying on them, especially for financial, tax, payroll, or legal decisions.
6. How we share information
We share information only as described here:
Service providers (subprocessors). We use trusted vendors to run the Service. They may process data only to provide services to us and are bound by confidentiality and data-protection obligations:
| Subprocessor | Purpose | Primary location |
|---|---|---|
| Supabase | Database, authentication, and file storage | European Union (Frankfurt) |
| Vercel | Application hosting and content delivery | Global edge network |
| Resend | Transactional email delivery | European Union (Ireland) |
| Anthropic | AI-assisted features (Claude) | United States |
| Optional Google sign-in | Global |
- Within your organization. Customer Content and certain account details are visible to other authorized Users of the same organization, according to the roles and permissions configured by the Customer’s administrators.
- Legal and safety. We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Hypebox, our Users, or others.
- Business transfers. If Hypebox is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.
We will maintain an up-to-date list of subprocessors and provide reasonable notice of material changes upon request.
7. International data transfers
Hypebox operates from Lebanon and the UAE, and our subprocessors are located in the European Union, the United States, and other regions. This means your information may be transferred to, stored in, and processed in countries other than your own, which may have different data-protection laws. Where required, we put in place appropriate safeguards (such as contractual protections) for these transfers.
8. Data retention
We retain personal data for as long as needed to provide the Service and for legitimate business, legal, accounting, or reporting purposes.
- Account data is retained while your account is active.
- Customer Content is retained according to the Customer’s instructions and settings. When a Customer deletes content or closes their account, we delete or de-identify the associated Customer Content within a commercially reasonable period, except where retention is required by law or for legitimate purposes (such as audit logs and financial records).
- Backups may persist for a limited additional period before being overwritten.
9. Security
We take security seriously and implement technical and organizational measures designed to protect information, including:
- Encryption of data in transit;
- Row-level security and role-based access controls that isolate each organization’s data;
- Hashed and salted storage of credentials and access tokens;
- Audit logging of sensitive actions; and
- Restricted, need-to-know internal access.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential and for managing the access you grant to Users within your organization.
10. Your rights and choices
Depending on your location and applicable law (including the Lebanese Law No. 81/2018 on Electronic Transactions and Personal Data, the EU/UK GDPR where relevant, and applicable UAE data-protection law), you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Delete your data;
- Restrict or object to certain processing;
- Port your data to another provider; and
- Withdraw consent where processing is based on consent.
To exercise these rights, contact us at info@hypebox.agency. If your personal data is held within a Customer’s account as Customer Content, please contact that organization (the controller); we will assist them as their processor. We may need to verify your identity before responding, and we will respond within the timeframes required by applicable law.
11. Cookies and similar technologies
We use cookies and local storage that are strictly necessary to operate the Service — for example, to keep you signed in and remember your session and preferences. Because Staks is an authenticated business application, these are essential to its function. Where we use any non-essential cookies or analytics, we will do so in accordance with applicable law and, where required, with your consent. You can control cookies through your browser settings, but disabling essential cookies may prevent the Service from working.
12. Children’s privacy
Staks is a business tool intended for use by organizations and adults. It is not directed to children, and we do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us personal data, please contact us so we can remove it.
13. Third-party links and services
The Service may link to or integrate with third-party websites and services (such as Google sign-in or AI assistants that connect via our API). Their privacy practices are governed by their own policies, and we are not responsible for them. We encourage you to review those policies.
14. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date and, where appropriate, provide additional notice (for example, by email or in-app notice). Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
15. Contact us
If you have questions, concerns, or requests regarding this Policy or your personal data, contact us at:
- Email: info@hypebox.agency
- Hypebox Media SARL — George Castro Street, Khanamerian Bldg., Badaro, Beirut, Lebanon
- Hypebox For Marketing and PR — Damac Hills, Dubai, United Arab Emirates