Privacy Policy

Last updated: February 27, 2026

1. Introduction

This Privacy Policy (“Policy”) describes how The Hub OS (“we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you visit thehubos.com (the “Site”) or purchase any of our digital products (collectively, the “Services”).

By accessing or using the Site, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, please discontinue use of the Site immediately.

This Policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), Brazil’s Lei Geral de Proteção de Dados (“LGPD”), and all other applicable data protection laws worldwide.

2. Data Controller

The data controller responsible for your personal data is:

The Hub OS

Email: support@thehubos.com

For GDPR-related inquiries, you may contact us at the email address above. We will respond within thirty (30) days of receipt.

3. Information We Collect

3.1 Information You Provide Directly

  • Purchase Information: When you purchase a product, we collect your email address, name (if provided), and payment details. Payment card information is processed exclusively by Stripe, Inc. and is never stored on our servers.
  • Communications: If you contact us via email at support@thehubos.com, we collect the content of your message and your email address.
  • Newsletter Subscription: If you opt in to our newsletter during checkout, we collect your email address for marketing communications.

3.2 Information Collected Automatically

  • Analytics Data: We use PostHog to collect usage data including page views, scroll behavior, click events, and session recordings. PostHog assigns a pseudonymous identifier to your browser session.
  • Privacy-Focused Analytics: We use Fathom Analytics, which collects aggregated, anonymized page view data without using cookies or collecting personal information. Fathom is fully GDPR, CCPA, and ePrivacy compliant.
  • Performance Metrics: We use Vercel Analytics to collect aggregated web performance metrics (Core Web Vitals). No personal data is collected.
  • Device and Browser Information: We may automatically collect your IP address, browser type, operating system, device type, screen resolution, and referring URL.
  • Local Storage: We use browser local storage to save your theme preference (light/dark mode) and analytics session identifiers. These are not cookies and are not transmitted to third parties.

3.3 Information We Do Not Collect

We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation. We do not knowingly collect data from children under the age of sixteen (16).

4. Legal Bases for Processing (GDPR / UK GDPR / LGPD)

We process your personal data under the following legal bases:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Processing your purchase, delivering the digital product, generating access links, and sending transactional emails.
  • Consent (Art. 6(1)(a) GDPR): Sending marketing/newsletter emails (only when you have opted in). Session recording via PostHog analytics.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Improving our Site and Services through aggregated analytics, fraud prevention, and enforcing our Terms of Service. Our legitimate interests do not override your fundamental rights and freedoms.
  • Legal Obligation (Art. 6(1)(c) GDPR): Retaining transaction records for tax, accounting, and regulatory compliance.

5. How We Use Your Information

  • To process and fulfill your purchase, including generating secure product access links and sending confirmation emails.
  • To provide customer support and respond to your inquiries.
  • To send transactional emails related to your purchase (order confirmation, product access, account recovery).
  • To send marketing communications if you have opted in (you may unsubscribe at any time).
  • To analyze Site usage and improve the user experience through aggregated analytics.
  • To detect, prevent, and address fraud, abuse, or technical issues.
  • To comply with applicable legal obligations, including tax and accounting requirements.

6. Third-Party Service Providers

We share your personal data only with the following categories of service providers, each acting as a data processor on our behalf:

Stripe, Inc. (San Francisco, CA, USA)

Purpose: Payment processing. Stripe receives your email, name, and payment card details to process transactions. Stripe is PCI-DSS Level 1 certified. Stripe Privacy Policy

Supabase, Inc. (San Francisco, CA, USA)

Purpose: Secure database hosting. Stores customer records, order history, and product access tokens. Supabase Privacy Policy

Resend, Inc. (USA)

Purpose: Transactional and marketing email delivery. Receives recipient email addresses and email content. Resend Privacy Policy

PostHog, Inc. (San Francisco, CA, USA)

Purpose: Product analytics and session recording. Collects pseudonymous usage data and, if you make a purchase, may associate your email address with your analytics profile. PostHog Privacy Policy

Conva Ventures Inc. d/b/a Fathom Analytics (Canada)

Purpose: Privacy-focused website analytics. Does not use cookies, does not collect personal data, and is GDPR/CCPA/PECR compliant by design. Fathom Privacy Policy

Vercel, Inc. (San Francisco, CA, USA)

Purpose: Website hosting and aggregated performance analytics (Core Web Vitals). Vercel Privacy Policy

We do not sell, rent, or trade your personal information to any third party. We do not share your data with third parties for their own marketing purposes.

7. International Data Transfers

Our service providers are primarily located in the United States and Canada. If you are located in the European Economic Area (“EEA”), the United Kingdom, Switzerland, or Brazil, your personal data may be transferred to countries that do not provide the same level of data protection as your home jurisdiction.

Where such transfers occur, we rely on: (a) the European Commission’s adequacy decisions; (b) Standard Contractual Clauses (SCCs) as approved by the European Commission; or (c) the service provider’s certification under recognized frameworks (such as the EU-U.S. Data Privacy Framework), as applicable.

8. Data Retention

  • Purchase Records: Retained for a minimum of seven (7) years from the date of transaction to comply with tax and accounting obligations.
  • Product Access Links: Expire thirty (30) days after creation, with a maximum of five (5) downloads.
  • Email Logs: Retained for twelve (12) months for troubleshooting and then deleted.
  • Analytics Data: PostHog data is retained in accordance with PostHog’s data retention policies. Fathom Analytics data is aggregated and anonymized.
  • Newsletter Subscribers: Retained until you unsubscribe, at which point your email is removed from our mailing list within thirty (30) days.
  • Support Communications: Retained for twenty-four (24) months from the date of last communication.

Upon expiration of the applicable retention period, personal data is securely deleted or anonymized.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

9.1 Rights Under GDPR / UK GDPR

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority.

9.2 Rights Under CCPA / CPRA (California Residents)

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected.
  • Right to Delete: Request deletion of personal information, subject to exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined under the CCPA/CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

9.3 Rights Under LGPD (Brazil)

Brazilian data subjects have rights substantially similar to those under the GDPR, including the right to access, correction, anonymization, portability, deletion, and information about third-party sharing. To exercise these rights, contact us at support@thehubos.com.

To exercise any of these rights, email us at support@thehubos.com. We will verify your identity and respond within thirty (30) days (or the timeframe required by applicable law). We may request additional information to verify your identity before fulfilling your request.

10. Cookies and Tracking Technologies

Our Site uses minimal cookie and tracking technologies:

  • Essential Local Storage: We store your theme preference (light/dark mode) in browser local storage. This is necessary for the Site to function as expected and is not a cookie.
  • Analytics Identifiers: PostHog stores a pseudonymous session identifier in local storage to associate page views within a single session. This identifier does not contain personal information unless you make a purchase, at which point your email may be linked.
  • No Third-Party Advertising Cookies: We do not use any advertising cookies, retargeting pixels, or third-party tracking cookies.

Fathom Analytics does not use cookies of any kind. Vercel Analytics does not use cookies or collect personal data.

11. Security

We implement commercially reasonable technical and organizational measures to protect your personal data, including:

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Payment information is processed by Stripe (PCI-DSS Level 1 certified) and is never stored on our infrastructure.
  • Database access is restricted via role-based access controls and service-level authentication.
  • Product access tokens are cryptographically generated and expire after thirty (30) days.

No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Children’s Privacy

Our Services are not directed to individuals under the age of sixteen (16). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly. If you believe we have inadvertently collected data from a child, please contact us at support@thehubos.com.

13. Changes to This Policy

We reserve the right to update this Policy at any time. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by law, notify you via email or a prominent notice on the Site. Your continued use of the Site after any changes constitutes acceptance of the revised Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

The Hub OS

Email: support@thehubos.com

We will acknowledge your request within five (5) business days and provide a substantive response within thirty (30) days.