Warren ← Back to report
Warren · Legal

Warren — Data & Compliance Statement

Last updated: 9 July 2026 Effective date: 6 July 2026

This statement sets out, in plain terms, exactly what data Warren collects, why we collect it, how long we keep it, who processes it, and how we protect it. It sits alongside our Privacy Policy and Terms of Service, and is intended to be the reference a partner, auditor, or enterprise buyer can read to understand our data practices.

Warren is a product of HopX Pty Ltd (ABN 50 683 525 813). We handle personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, with additional coverage for the GDPR/UK GDPR and the CCPA/CPRA where they apply.

Data protection contact: hugoc@warrenship.com

The short version

  • We collect the minimum needed to run deal rooms, seal records, build reputation, take payment, and keep the Service secure.
  • Every category below has a stated purpose and retention period.
  • We use a small set of named sub-processors (hosting, AI, email, analytics, payments). We don't sell data.
  • We encrypt data in transit, restrict access, and follow Australia's Notifiable Data Breaches scheme if something goes wrong.

1. Data inventory — what we collect, why, and how long we keep it

# Data category Examples Why we collect it (purpose) Legal basis (GDPR) Retention
1 Account & identity First name, email, workspace/brand name, hashed password or auth token Create and secure your account; identify you across sessions Contract Life of account + 12 months after closure, then deleted/de-identified
2 Partner & invitation Invited partner's name, optional email, invite link status Let you invite a partner and open a shared room Contract; legitimate interests Life of the room; invite metadata up to 12 months
3 Deal room content (unsealed) Deal title, deliverables, dates, notes, terms, draft confirmations Run the deal room and its shared scoreboard Contract While room is active; deletable by you (subject to shared-room nature)
4 Co-signatures & confirmations Who co-signed/confirmed what, and when Record the deliberate agreement and confirmation actions of both parties Contract Retained as part of the deal record; joint record if sealed
5 Sealed records Finalised who-did-what record, both-party confirmations, seal timestamp Provide the durable, mutual record that is Warren's core value Contract; legitimate interests Retained as a joint record while either party keeps an account; both parties may export
6 Reputation record Private track record; shareable profile (if enabled) Build your portable track record; enable optional public sharing Contract; consent for public sharing Life of account; public sharing stops when disabled
7 Onboarding / ICP preferences Partnership types selected (brand deals, co-marketing, referrals, etc.) Configure your room; understand product-market demand Legitimate interests Life of account; aggregated for analytics
8 Payment & billing Plan, billing status, last 4 card digits, billing name (full card data held by processor, not us) Take subscription payments; meet tax/record obligations Contract; legal obligation Tax records 5–7 years per Australian law
9 Usage & analytics Page views, feature usage, CTA and signup-funnel events (via GA4) Improve the product; measure demand and funnel drop-off Legitimate interests; consent for non-essential cookies Typically 14–26 months, then aggregated/deleted
10 Device & log data IP address, browser, device, OS, referrer, timestamps Security, fraud/abuse prevention, debugging Legitimate interests; legal obligation Generally up to 12 months
11 Cookies & identifiers Session cookies, analytics cookies/IDs Keep you logged in; remember preferences; analytics Necessary; consent for non-essential Per cookie; session to 26 months
12 AI processing content The specific room content sent to AI providers for a task Extract deliverables, generate nudges/summaries Contract; legitimate interests Transient processing; not retained by providers for training beyond our contract terms
13 Support & comms Support emails, booked-call records, product-update opt-ins Respond to you; send service and (opt-in) marketing messages Legitimate interests; consent for marketing Up to 24 months after resolution

Data we deliberately avoid: Warren is not designed to collect sensitive information / special category data (health, race, political views, biometrics, etc.). Please don't enter it. We also don't knowingly collect data from children (Service is 16+/18+).


2. Purposes of processing (summary)

We process personal data to: (a) provide the Service (rooms, co-signing, confirmations, sealing); (b) enable the multiplayer/shared-room experience; (c) build and, at your option, share reputation records; (d) run AI-assisted features; (e) take payments; (f) communicate with you; (g) secure, debug, and improve the Service; and (h) comply with law. We do not sell personal information, and we do not "share" it for cross-context behavioural advertising under the CPRA.


3. Sub-processors

We use the following categories of third-party providers to run the Service. Each acts on our documented instructions under a data-processing agreement with appropriate confidentiality and security obligations, and international-transfer safeguards where relevant (Section 6).

Category Purpose Provider(s) Data exposed
Database & backend Store data; run backend functions Supabase (hosted on AWS, ap-northeast-1 / ap-southeast-2) Categories 1–13 as needed
Authentication Passwordless (magic-link) log-in and sessions Supabase Auth Account & identity
Website & CDN hosting Serve the app; edge delivery Cloudflare (Pages / CDN) Device & log data
Email / notifications Transactional invite and record emails Resend Name, email, message content
Analytics Usage and funnel measurement Google Analytics 4 Usage, device, cookie data
AI / model providers Extract deals, generate summaries (planned — not active in the current release) Anthropic (when AI features are enabled) Category 12 (task-specific room content)
Payments Subscription billing (planned — not active until paid plans launch) Stripe (when billing is enabled) Billing data (full card data held by processor)

Note: the AI and payments rows activate only when those features launch; the live product today uses Supabase, Cloudflare, Resend, and GA4. Keep this list current and consider publishing it at a stable URL (e.g. warrenship.com/subprocessors), notifying customers of changes.

We require sub-processors to: process data only for the stated purpose; keep it confidential and secure; not use it to train their own models except as our agreements permit; and assist us with data-subject requests and breach handling.


4. Data sharing and disclosure

Beyond sub-processors, we disclose personal data only: (a) to your deal partner, by design, within shared rooms; (b) on a public reputation profile, only the parts you choose to share and only if you enable it; (c) in a business transfer (merger/acquisition/financing), subject to the Privacy Policy; and (d) for legal reasons, where reasonably required by law or to protect rights and safety. We do not sell data.


5. Security measures

We apply reasonable technical and organisational measures appropriate to our size and the sensitivity of the data, including:

Action for Warren: as you scale (especially toward the Business tier's SSO/audit-log promises), formalise a written information-security policy, access-review cadence, vendor-risk process, and consider SOC 2 / ISO 27001 readiness. This statement should be updated to reflect controls you actually have in place.

No method of transmission or storage is perfectly secure, and we can't guarantee absolute security.


6. International data transfers

Warren is operated from Australia; sub-processors may process data in Australia, the United States, the EU, and elsewhere.


7. Data subject / individual rights

Individuals can request to access, correct, delete, export, restrict, or object to processing of their personal data, opt out of marketing, and (GDPR) withdraw consent or lodge a complaint with a supervisory authority. California residents have the rights to know, delete, correct, and opt out of sale/sharing (we don't sell or share). Full detail, including how we verify requests and our response timeframes (generally 30 days), is in the Privacy Policy (Sections 11–13).

Shared-record limitation: for mutual records (e.g. sealed records), we act on requests about your own personal information and your copy, but cannot erase a partner's legitimate copy of the shared facts.

How to make a request: email hugoc@warrenship.com.


8. Data breach response (Notifiable Data Breaches)

If we become aware of a data breach:

  1. Contain & assess — we take immediate steps to contain it and assess whether it's likely to result in serious harm.
  2. Notify regulators & individuals — where an eligible data breach is likely to result in serious harm, we notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, consistent with the Notifiable Data Breaches scheme. Where the GDPR applies, we notify the relevant supervisory authority within 72 hours where feasible, and affected individuals where the breach is high-risk.
  3. Remediate & review — we fix the root cause and update controls to reduce recurrence.

We keep an internal record of breaches and our assessments.


9. Data retention & deletion (how it works in practice)


10. Governance & accountability


11. Regulatory framework we align to


This statement is provided for transparency and general information; it is not legal advice, and it describes intended and current practices that should be kept accurate as the Service grows. HopX Pty Ltd should keep the sub-processor list current and have this statement reviewed by a qualified Australian legal practitioner before publication.

HopX Pty Ltd — Level 22, Tower 1, 101 Grafton Street, Bondi Junction NSW 2022, Australia · ABN 50 683 525 813 · hugoc@warrenship.com