Privacy Policy
Last updated: 21 March 2026
This Privacy Policy explains how Hydi collects, uses, discloses, and protects Personal Information when you visit our website, create an account, use our software, receive communications from us, or interact with a client portal powered by Hydi.
In this document:
- Hydi, we, us, and our mean Fitweb Pty Ltd
- Business User means a business, sole trader, staff member, or other organisation user who uses Hydi to manage client-facing tasks
- Client User means a person who accesses a Hydi-powered client portal, magic link, upload flow, form, or signature flow
- Personal Information means information that identifies, relates to, describes, or can reasonably be linked to a person, including equivalent concepts such as "personal data" under GDPR and KVKK
1. Summary
Hydi is a client-facing task and document collection platform for small service businesses. We collect only the information we need to operate the service, secure accounts, process subscriptions, support client portals, and comply with law.
Hydi currently uses a limited cookie footprint based on confirmed application behavior. As of the effective date of this policy, we have confirmed only strictly necessary authentication and redirect-related cookies in the application code. We have not confirmed analytics, advertising, or cross-site tracking cookies in the current codebase. If that changes, we will update this policy and, where required, obtain consent before using them.
2. Who We Are
Controller / Business Contact Fitweb Pty Ltd Level 1, Office 407/39 Kingsway, Glen Waverley VIC 3150 support@hydiapp.com
Hydi is based in Australia. We may process Personal Information in Australia and in other countries where our service providers operate.
3. Scope
This policy applies to:
- visitors to our website and landing pages
- Business Users who sign up for or use Hydi
- Client Users who access a Hydi-powered portal, upload files, comment, or sign acknowledgements
- people who contact us, request demos, or receive administrative communications from us
This policy does not apply to third-party sites, services, or payment pages that we do not control, even if they are linked from Hydi.
4. Personal Information We Collect
We collect the following categories of Personal Information.
| Category | Examples | Typical Source |
|---|---|---|
| Account and identity data | name, business name, email address, password login data, role/access level | you, your employer, or your account administrator |
| Contact data | phone number, website, branding contact details, support correspondence | you or your organisation |
| Client portal data | client name, email, phone number, magic-link activity, task submissions, comments | Business Users and Client Users |
| Uploaded content | files, attachments, forms, signatures, acknowledgement text, file metadata | Business Users and Client Users |
| Transaction and billing data | subscription plan, billing cycle, Stripe customer/subscription identifiers, invoice status | you and our payment processor |
| Technical and device data | IP address, browser type, device information, approximate location, log data | your device and our infrastructure |
| Security and audit data | authentication events, access logs, signature audit details, user agent, event history | our systems |
| Communication and preference data | email preferences, unsubscribe status, SMS preferences, support requests | you or your organisation |
We do not intentionally collect sensitive information unless it is uploaded or submitted through the service by a Business User or Client User in connection with a task workflow. If sensitive information is processed through Hydi, the Business User is responsible for ensuring that it has a valid legal basis and appropriate notices or consents.
5. How We Use Personal Information
We use Personal Information for the following purposes.
| Purpose | Examples | Main Legal Basis |
|---|---|---|
| Provide the service | create accounts, host client portals, manage tasks, send reminders, store files, support signatures | contract |
| Authenticate and secure access | sign-in, session management, fraud prevention, access control, abuse detection | legitimate interests; contract |
| Process subscriptions and payments | create subscriptions, manage billing, prevent payment fraud, maintain records | contract; legal obligation |
| Communicate with you | service messages, security notices, support replies, billing notices | contract; legitimate interests |
| Improve and maintain the platform | troubleshoot issues, monitor reliability, fix bugs, maintain logs | legitimate interests |
| Meet legal requirements | tax, accounting, lawful requests, security investigations, dispute handling | legal obligation |
| Protect rights and safety | enforce our terms, investigate misuse, prevent unlawful activity | legitimate interests |
Where consent is required by law, we rely on consent. Where we rely on legitimate interests, we balance those interests against your rights and expectations.
6. Cookies and Similar Technologies
Hydi uses a narrow set of first-party cookies that are necessary to operate secure sign-in and redirect flows.
Cookie Controls
You can control cookies through your browser settings. Common browser help pages are available here:
- Chrome: https://support.google.com/chrome/answer/95647
- Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
- Firefox: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
- Edge: https://support.microsoft.com/en-au/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
If you disable strictly necessary cookies, some parts of Hydi, including sign-in and protected pages, may not work correctly.
7. How We Share Personal Information
We may share Personal Information with:
- service providers that help us host, secure, deliver, and support Hydi
- payment processors that handle subscriptions and invoices
- messaging providers that send email and SMS notifications
- professional advisers, insurers, auditors, and law enforcement where required
- a buyer, investor, or successor entity in connection with a merger, acquisition, financing, or sale of assets
We do not sell Personal Information in the ordinary meaning of that phrase. We also do not currently share Personal Information for cross-context behavioural advertising based on the codebase reviewed as of the effective date.
8. International Transfers
Hydi is based in Australia, and some of our providers may process Personal Information in other countries.
Where GDPR, UK GDPR, or KVKK applies and Personal Information is transferred internationally, we will use an appropriate transfer mechanism, such as:
- an adequacy decision
- standard contractual clauses
- contractual and technical safeguards appropriate to the transfer
9. Data Retention
We keep Personal Information only for as long as reasonably necessary for the purposes described in this policy, including to provide the service, maintain security, resolve disputes, and meet legal or accounting obligations.
Typical retention periods are:
- account and subscription records: for the life of the account and a reasonable period after closure
- billing and tax records: up to 7 years where required by law or accounting practice
- support and audit records: for as long as needed to investigate issues, enforce terms, or meet legal obligations
- uploaded files and portal content: as directed by the relevant Business User, subject to backup, legal hold, and security retention requirements
10. Security
We use reasonable technical and organisational measures designed to protect Personal Information, including access controls, authentication protections, role-based permissions, logging, and hosted infrastructure safeguards.
No system is completely secure. You are responsible for keeping your credentials secure and notifying us promptly if you believe your account or a magic link has been compromised.
11. Data Breach Response
If we become aware of a security incident affecting Personal Information, we will investigate it promptly and take appropriate action.
Where required by applicable law, we will notify affected individuals, regulators, or both. Timing and content of notices will depend on the applicable law, the nature of the incident, and the information involved.
12. Your Privacy Rights
Depending on where you live, you may have rights to:
- access the Personal Information we hold about you
- request correction of inaccurate information
- request deletion of certain information
- object to or restrict certain processing
- withdraw consent where processing depends on consent
- request portability of information you provided to us
- complain to a regulator
EEA / UK / GDPR Rights
If GDPR or UK GDPR applies, you may have rights under Articles 15 to 22, including access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making.
California Rights
If you are a California resident, you may have rights to know, access, delete, correct, and limit certain uses of sensitive personal information, as well as the right to opt out of any "sale" or "sharing" if those terms apply under California law.
As of the effective date of this policy, Hydi does not sell or share Personal Information for cross-context behavioural advertising based on the current codebase.
If California law requires a specific opt-out mechanism in the future, we will provide a "Do Not Sell or Share My Personal Information" link or equivalent tool.
Türkiye / KVKK Rights
If KVKK applies, you may have rights to learn whether your data is processed, request information about processing, learn the purpose of processing and whether it is used accordingly, know third parties to whom data is transferred, request correction or deletion where conditions are met, and seek compensation where legally available.
13. How to Exercise Your Rights
To make a privacy request, contact us at:
We may need to verify your identity before completing your request. If you are a Client User and your information was submitted to Hydi by a Business User, we may direct you to that Business User first where it acts as the primary controller for that information.
14. Children
Hydi is intended for adults and business use. It is not directed to children.
If you believe a child has provided Personal Information to us without proper authorisation, contact us and we will review the request.
15. Third-Party Services
Hydi may link to third-party services, including payment pages and external websites. Their privacy practices are governed by their own policies, not this one.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we make a material change, we will update the "Last updated" date and take any additional steps required by law.
17. Contact Us
For privacy questions or complaints, contact:
Fitweb Pty Ltd Level 1, Office 407/39 Kingsway, Glen Waverley VIC 3150 support@hydiapp.com