1. Data Controller
HiveTech OÜ (registry code: 16591569, registered address: Sääse tn 10-50 Tamsalu linn, Tapa vald Lääne-Viru maakond 46105) is the data controller for personal data processed in connection with the NPCFactory service.
Contact: siim.teresk.hivetech@gmail.com
2. Personal Data We Collect
- Account data: Name, email address, password (hashed)
- Usage data: API usage, credit consumption, games and NPC configurations, prompt logs and metadata
- Payment data: Processed by Stripe (we do not store full card numbers). We receive payment confirmation and transaction IDs.
- Technical data: IP address, browser type, session information when you use our web interface
- Website analytics (optional): If you accept our cookie notice, we use Google Analytics 4 to collect aggregated usage data (e.g. pages viewed, approximate location, device/browser). See section 3 below.
3. Cookies and website analytics
Our website uses cookies and similar technologies.
- Essential cookies are required for the Service (e.g. login sessions, CSRF protection, payment flows). These are set based on our contract with you and our legitimate interests in operating the site securely.
- Google Analytics 4 (Google Ireland Limited, with data potentially processed by Google LLC in the United States) is enabled only if you click Accept analytics on our cookie banner. If you choose Essential only, we do not grant analytics storage. Until you accept, we use Google’s Consent Mode so analytics cookies are not used for measurement. Analytics helps us understand traffic and improve the website.
You can withdraw analytics consent anytime by clearing site data for our domain in your browser (which removes the stored choice) or using browser controls; you may then see the banner again. For more on how Google uses data, see Google’s Privacy Policy.
4. Legal Basis and Purposes
We process your data on the following legal bases (GDPR Article 6):
| Purpose |
Legal basis |
| Account creation, authentication, Service provision | Contract (Art. 6(1)(b)) |
| Email verification | Contract |
| Billing and payment processing | Contract |
| Sending transactional emails (e.g. verification) | Contract |
| Improving the Service, security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Website analytics (Google Analytics), where you have accepted cookies | Consent (Art. 6(1)(a)) |
5. Data Retention
- Account data: Retained while your account is active and for a reasonable period after closure for legal and compliance purposes
- Usage and prompt logs: Retained as needed for Service operation and billing; may be anonymised or deleted after a defined period
- Payment records: Retained as required by Estonian accounting and tax law (typically 7 years)
- Analytics: Google Analytics retains data according to Google’s settings and policies; we configure retention where the product allows.
6. Data Processors
We use the following processors (sub-processors) that may process your data:
- Stripe – Payment processing (EU/US). We do not store full card numbers.
- OpenAI – When you use reasoning levels that rely on OpenAI models (e.g. GPT-4o, GPT-4o-mini), your prompts, NPC configurations, and conversation context are sent to OpenAI for processing. OpenAI is US-based; we rely on standard contractual clauses and OpenAI's data processing addendum for transfers outside the EEA.
- HiveTech self-hosted LLM – When you use HiveTech reasoning levels, processing runs on our own infrastructure (EU region).
- Hosting provider – Server infrastructure (EU region).
- Email service – Transactional emails (verification, billing notifications).
- Google Analytics – When you accept analytics cookies, website usage is processed by Google (Ireland/US) under Google’s terms and our consent banner. We do not use Google Analytics for advertising personalization on this site.
We ensure processors provide adequate safeguards (e.g. standard contractual clauses, GDPR compliance).
7. Your Rights
Under GDPR, you have the right to:
- Access – Obtain a copy of your personal data
- Rectification – Correct inaccurate data
- Erasure – Request deletion ("right to be forgotten") where applicable
- Restriction – Limit processing in certain circumstances
- Portability – Receive your data in a structured, machine-readable format
- Object – Object to processing based on legitimate interests
- Withdraw consent – Where processing is based on consent
- Complain – Lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
To exercise these rights, contact us at siim.teresk.hivetech@gmail.com.
8. Security
We implement appropriate technical and organisational measures to protect your data (encryption, access controls, secure hosting).
9. International Transfers
Where we transfer data outside the EEA, we ensure appropriate safeguards (e.g. adequacy decisions, standard contractual clauses).
10. Changes
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice in the Service.