Legal
Last updated: 31 May 2026
HyPair is a mobile app that helps athletes find doubles partners for hybrid races — HYROX, Spartan, Tryka, and Athex. This policy explains exactly what personal data we collect, why we collect it, who we share it with, and what rights you have over it. Questions? Email us at hello@hypair.app.
HyPair is operated by HyPair Ltd, a private limited company incorporated in Ireland. When this policy refers to "HyPair", "we", "us" or "our", it means HyPair Ltd.
For the purposes of the EU General Data Protection Regulation (GDPR), HyPair Ltd is the data controller for all personal data collected through the HyPair app and website (hypair.app).
Contact: hello@hypair.app · HyPair Ltd · Ireland
Waitlist data — if you join the waitlist at hypair.app before the app launches, we collect your email address and which race format you are training for (HYROX or Tryka). This is stored in our database and used only to notify you when the app launches.
Account data — when you register, we collect your email address and a password. Passwords are stored as a secure one-way hash (bcrypt) and are never stored or transmitted in plain text.
Profile data — to help you find race partners, you provide: first name, profile photo, city/country, training pace (5K), personal best times, race formats you compete in, training frequency, and a short bio. All profile fields beyond name and email are optional.
Event data — races you have registered for, your preferred format (doubles/mixed doubles), and your target wave time.
Matching and messaging data — partner requests you send or receive, the outcome (accepted/declined), and messages exchanged with matched athletes inside the app.
Usage and analytics data — which screens you visit, errors and crashes, and basic device information (OS version, device type). We use this to fix bugs and improve the app. We do not sell this data.
Push notification token — if you grant permission, we store a device token to send you match alerts and chat notifications. You can revoke this at any time in your device settings.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the matching and messaging service you signed up for | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (verification, reset, match alerts) | Contract performance (Art. 6(1)(b)) |
| Improving the app, fixing bugs, preventing abuse | Legitimate interests (Art. 6(1)(f)) |
| Sending the waitlist launch notification | Consent (Art. 6(1)(a)) — you can unsubscribe at any time |
We do not sell your personal data. We do not share it with advertisers. We share data only with the following data processors, all of whom are bound by data processing agreements:
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage (profile photos) | US (data hosted in EU region) | Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional email — verification, password reset, match notifications | US | Standard Contractual Clauses (SCCs) |
| Vercel Inc. | Hosting of the hypair.app website | US (CDN globally distributed) | Standard Contractual Clauses (SCCs) |
| Cloudflare Inc. | Email routing (hello@hypair.app), DNS, security | US (infrastructure globally distributed) | Standard Contractual Clauses (SCCs) |
| Expo / EAS (Expo Inc.) | Mobile app distribution and push notification delivery | US | Standard Contractual Clauses (SCCs) |
| Other app users | Your public profile (name, photo, bio, pace, race formats) is visible to other authenticated athletes browsing for partners. Your email address is never shared with other users. | N/A | N/A |
Several of our processors are based in the United States. The US does not have an EU adequacy decision for all transfers. Where we transfer personal data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, which provide equivalent protection to data held within the EU.
Supabase hosts your data in its EU region (AWS eu-west-1, Ireland) where possible.
You can request a copy of the relevant SCCs by emailing hello@hypair.app.
Your profile is visible to other authenticated HyPair users when they search for partners at events you have registered for. Only signed-in users can view profiles — unauthenticated visitors cannot access any profile data.
You control what appears on your profile by editing it in the app. You can set your profile to private at any time, which hides it from search results while keeping your account active. Deleting your account removes your profile from partner search immediately.
If you are in the EEA or UK, you have the following rights. To exercise any of them, email hello@hypair.app. We will respond within 30 days.
HyPair is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. During registration, users must confirm they are 18 or older.
If we become aware that a user is under 18, we will delete their account and all associated data immediately. If you believe a child has created an account, please email hello@hypair.app and we will act within 48 hours.
The HyPair website (hypair.app) uses only strictly necessary cookies — specifically those set by Cloudflare for security and bot protection. We do not use tracking, advertising, or analytics cookies on the website.
The HyPair mobile app does not use cookies. It uses a secure session token stored in the device's secure storage (not accessible to other apps).
We may update this policy as the app evolves and as we add new processors or features. We will notify active users of any material changes via email or an in-app notice at least 14 days before the change takes effect. The "last updated" date at the top of this page always reflects the current version.
Continued use of HyPair after a notified change constitutes acceptance of the updated policy.
For any questions about this policy, your data, or to exercise your rights:
Email: hello@hypair.app
Company: HyPair Ltd · Ireland
Response time: within 30 days for all GDPR requests