
PRIVACY POLICY.

Effective 21 May 2026.

1. Who we are

This Privacy Policy explains how Hopeful Monsters Pty Ltd (ABN 52 116 184 331), a company registered in New South Wales, Australia ("Hopeful Monsters", "we", "us") collects, uses, holds, and discloses personal information through the Evolve platform (the "Service").

We comply with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) and, where applicable, the EU General Data Protection Regulation (GDPR) for users accessing the Service from the European Economic Area or the United Kingdom.

2. Information we collect

We collect the following categories of personal information:

  • Account information — full name, email address, organisation, and role. Collected when you accept an invitation to the Service.
  • Authentication metadata — encrypted session tokens, IP address of recent sign-ins. Collected to keep your account secure.
  • Usage data — pages viewed, features used, performance metrics, browser and device type. Only collected when you accept the analytics cookie banner.
  • Communications — content of messages you send through the contact, support, or demo-request forms.
  • Client brand and topic data — brand names, topics of interest, and digest content uploaded by Hopeful Monsters team members on behalf of a client organisation; this data is owned by the client.
  • Bot-protection signals — when you submit forms (contact, support, demo, waitlist, or sign-in), Cloudflare Turnstile processes client-side signals including IP address, TLS fingerprint, User-Agent header, and the Turnstile sitekey and associated origin. These signals are used solely to distinguish human users from bots and block malicious traffic. Cloudflare cannot directly identify any individual from these signals.

3. How we use information

We use personal information for the purposes listed below. For users in the EEA or UK, the lawful basis under Article 6 of the GDPR is cited next to each purpose. For users outside the EEA or UK, the corresponding basis under the Australian Privacy Principles is implicit in the purpose limitation in APP 6.

  • provide, maintain, and improve the Service, including the fortnightly URL discovery and digest delivery pipeline — Article 6(1)(b) (contract);
  • authenticate users and protect against fraud or abuse (including Cloudflare Turnstile, honeypot fields, rate-limiting, multi-factor authentication, and the administrative audit log) — Article 6(1)(f) (legitimate interests);
  • respond to support requests and demo enquiries — Article 6(1)(b) (contract);
  • with your consent, measure how the Service is used in aggregate to inform product decisions — Article 6(1)(a) (consent);
  • discover candidate URLs (via Brave Search) and extract, summarise, and rank their content (via the Gemini API) to assemble digest sections for the client organisation — Article 6(1)(f) (legitimate interests);
  • record digest engagement events (which items a reader clicked or viewed) so the client organisation can evaluate the Service — Article 6(1)(f) (legitimate interests);
  • comply with legal obligations — Article 6(1)(c) (legal obligation).

4. Cookies and similar technologies

Strictly-necessary cookies (authentication, security, theme preference, the cookie-consent record itself, and the Cloudflare Turnstile bot-protection cookies set when you interact with a form) are always set so the Service functions. Analytics cookies (PostHog, served via our reverse proxy atb.hopefulmonsters.com.au) are only set after you click "Accept all" on the cookie banner. You can withdraw consent by clearing your browser's site data for this domain.

4b. Session replay and error logs

When the Service encounters an error we capture a redacted recording of the screen state immediately before the error and send it to our error-monitoring sub-processor (Sentry). All text content and form inputs are masked client-side before transmission, and all images and video are blocked. The remaining recording shows the structure of the page (which elements were present and how you interacted with them) and the names of network requests, without their bodies. Authorisation and cookie request headers, and any query-string parameters in the captured URL, are stripped before the event is sent. We rely on this capture under the legal basis of legitimate interests (security, fraud prevention, and continuity of service) under Article 6(1)(f) of the GDPR and treat it as strictly necessary; it runs independently of the cookie banner.

5. Sub-processors and disclosure

We share personal information with the following sub-processors strictly to operate the Service:

  • Supabase — database, authentication, file storage (United States).
  • Vercel — application hosting, edge delivery, and scheduled jobs that run the fortnightly digest pipeline (United States).
  • Upstash — Redis-backed rate limiting (United States).
  • Resend — transactional and digest email delivery (United States).
  • Sentry — error monitoring (United States).
  • PostHog — product analytics, served via our reverse proxy (United States; analytics-only).
  • Linear — support and contact ticketing (United States).
  • Brave Search — public URL discovery for digest source candidates; no personal information is sent (Czech Republic / United States).
  • Google Cloud (Gemini API) — used to extract, summarise, and rank URL content for digest sections; page content of the candidate URLs is sent at the moment of digest generation (United States).
  • Cloudflare (Turnstile) — bot detection and abuse protection on public forms. Cloudflare acts as our data processor when protecting our forms and as an independent data controller when it uses the same signals to improve Turnstile's bot-detection capabilities, relying on its legitimate interests in doing so. See the Cloudflare Turnstile Privacy Addendum for details (United States).

Several sub-processors are located outside Australia. By using the Service you consent to your information being transferred to and processed in these jurisdictions. We take reasonable steps to ensure that overseas recipients handle personal information consistently with the APPs.

We do not sell personal information and we do not share it with advertisers.

6. Retention

We retain account information for the lifetime of your account and for 90 days after deletion to satisfy backup and audit obligations. Authentication logs and audit-trail entries are retained for up to 12 months. Generated digest content and click events are retained for the lifetime of the client subscription. Cookie consent records are retained on your device only.

7. Your rights

You have the right to access, correct, or request the deletion of your personal information, and to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. If you are in the EEA or UK you additionally have rights of portability and to object to or restrict processing under GDPR.

To exercise any of these rights or to ask a question about this policy, please use our contact form.

7a. California consumer rights (CCPA)

If you are a California resident, the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA) grants you specific rights regarding your personal information:

  • Right to know. You may request the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purpose for collecting it, and the categories of recipients we have shared it with.
  • Right to delete. You may request that we delete personal information we have collected about you, subject to legal exceptions (for example, where we need the information to comply with a legal obligation or to detect security incidents).
  • Right to correct. You may request that we correct inaccurate personal information we hold about you.
  • Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising purposes.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond those permitted under CPRA without affirmative consent.
  • Right of non-discrimination. We will not discriminate against you for exercising any of these rights.

To exercise any of these rights, use our contact form. We will respond within the timeframes set by California law. We do not require an account to exercise these rights, but we may ask you to verify the request.

8. Security

The Service uses TLS for data in transit, row-level security on every client-facing database table, and an immutable audit log of administrative actions. No system is perfectly secure; if we become aware of a notifiable data breach we will notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches scheme.

9. Children

The Service is intended for business users and is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and update the effective date above. Continued use of the Service after a change constitutes acceptance.