Warren — Privacy Policy
Last updated: 6 July 2026
Effective date: 6 July 2026
Warren is a product of HopX Pty Ltd (ABN 50 683 525 813) ("Warren", "we", "us", "our"). This Privacy Policy explains how we collect, use, disclose, store and protect personal information when you use the Warren website, deal rooms, and related services (the "Service").
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where the EU/UK General Data Protection Regulation (GDPR/UK GDPR) or the California Consumer Privacy Act as amended by the CPRA (together, "CCPA") applies to you, additional rights and disclosures are set out in Sections 12 and 13.
The short version (this box is a summary, not a substitute for the full policy)
- Warren is neutral ground for two partners to agree a deal, tick off deliverables, and keep a shared record. We collect the minimum we need to run that.
- We collect your account details, the content you put in deal rooms, your reputation record, and basic usage/analytics data.
- We don't sell your personal information. We use a small set of trusted providers (hosting, AI, email, payments, analytics) to run the Service.
- Because Warren is multiplayer, some information you enter is deliberately shared with your deal partner. Sealed records are, by design, a joint record both parties keep.
- You can access, correct, export or delete your information — see Section 11 (and Sections 12–13 for GDPR/CCPA rights). Contact us any time at hugoc@warrenship.com.
1. Who we are and how to contact us
The entity responsible for your personal information (the data controller for GDPR purposes) is:
HopX Pty Ltd (trading as "Warren")
ABN: 50 683 525 813
Privacy contact: hugoc@warrenship.com
Registered address: Level 22, Tower 1, 101 Grafton Street, Bondi Junction NSW 2022, Australia
If you have a question, a request about your information, or a complaint, email us at the address above and we'll respond (see Section 14 for our complaints process and timeframes).
2. What Warren does, in privacy terms
Warren is partnership infrastructure. Two people open a shared "room", agree who is doing what, both co-sign the terms, confirm each deliverable as it ships, and walk away with a sealed record they both own. Over time a person builds a portable reputation record from those sealed deals.
This shapes how we handle data in three important ways:
- Warren is multiplayer. When you open a room and invite a partner, information you put in that room (the deal terms, deliverables, confirmations) is shared with that partner by design. That is the point of the product.
- Sealed records are jointly held. When a deal is sealed, both parties hold a copy of that record. Because it is a mutual record of what two people agreed and confirmed, neither party can unilaterally erase the other's copy of the shared facts. This affects deletion — see Section 10.
- Reputation is portable. Your track record is private by default. You choose if and when to make a reputation profile shareable (a paid feature). We explain this in Section 6.
3. Information we collect
We collect the following categories of personal information.
3.1 Information you give us directly
- Account and identity data: your first name, email address, and workspace or brand name when you sign up.
- Partner and invitation data: the name and (optionally) email address of a partner you invite to a room. If you provide a partner's details, you confirm you are entitled to share them with us for this purpose.
- Deal room content: deal titles, descriptions, deliverables, dates, notes, terms, and the confirmations and co-signatures you and your partner make. Some of this may include personal information if you choose to enter it.
- Onboarding and preference data: the partnership types you select during signup (e.g. brand deals, co-marketing, referrals) and similar choices you make.
- Payment data: if you subscribe to a paid plan, our payment processor collects your billing details. We receive limited information such as your plan, billing status, and the last four digits of your card — we do not store full card numbers ourselves.
- Support and communications data: the content of messages you send us, and records of calls you book with us.
3.2 Information we collect automatically
- Usage and analytics data: pages viewed, features used, CTA and signup-funnel events, and similar interaction data, collected via analytics tools including Google Analytics 4. See Section 8 on cookies.
- Device and log data: IP address, browser type, device type, operating system, referring URLs, and timestamps.
- Cookies and similar technologies: see Section 8.
3.3 Information from third parties
- Payment and authentication providers may share account, billing, or login status with us.
- Your deal partner: because rooms are shared, information your partner enters or confirms in a shared room becomes visible to you, and vice versa.
3.4 Sensitive information
Warren is not designed to collect "sensitive information" (as defined in the Privacy Act) or special category data (under the GDPR) — such as health, racial or ethnic origin, political, or biometric data. Please do not enter such information into deal rooms. If you do, you consent to us handling it as described in this policy.
3.5 Children
The Service is not directed to children and is intended for users aged 16 and over (18 in jurisdictions where that is the age of digital consent). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
4. How we use your information, and our legal bases
We use personal information only for the purposes below. For users protected by the GDPR, the corresponding lawful basis is shown in brackets.
- To provide the Service — create and run your account, open and operate deal rooms, record co-signatures and confirmations, and generate sealed records. (Performance of a contract.)
- To enable the multiplayer experience — share room content and confirmations between you and your invited partner. (Performance of a contract; legitimate interests.)
- To generate and, at your choice, share your reputation record — build your private track record and, if you enable it, a shareable reputation profile. (Performance of a contract; consent for public sharing.)
- To operate AI-assisted features — extract deal terms into who-does-what-by-when, generate nudges and status updates, and summarise sealed records (see Section 7). (Performance of a contract; legitimate interests.)
- To process payments — manage subscriptions and billing for paid plans. (Performance of a contract; legal obligation for tax records.)
- To communicate with you — send service, transactional and security messages, respond to support requests, and (where permitted) send product updates you can opt out of. (Legitimate interests; consent where required for marketing.)
- To improve and secure the Service — analytics, debugging, fraud prevention, fair-use enforcement, and product development. (Legitimate interests.)
- To comply with law — meet legal, tax, and regulatory obligations and respond to lawful requests. (Legal obligation.)
We will not use your personal information for a materially different purpose without telling you and, where required, obtaining your consent.
4.1 A note on marketing
Under APP 7, we will only use your information for direct marketing where you'd reasonably expect it or you've consented, and every marketing message includes an unsubscribe option. You can opt out any time by emailing hugoc@warrenship.com.
5. How we share and disclose information
We do not sell your personal information. We disclose it only as follows.
- With your deal partner — by design, within shared rooms, as described above.
- With service providers (sub-processors) who help us run the Service — hosting, database, AI/model, email, analytics, and payment providers. These providers act on our instructions and are bound by confidentiality and data-protection obligations. A current list is maintained in our Data & Compliance statement.
- On a public reputation profile — only the parts of your record you choose to make shareable, and only if you enable that feature.
- In a business transfer — if HopX Pty Ltd is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this policy.
- For legal reasons — where we reasonably believe disclosure is required by law, regulation, legal process, or to protect the rights, safety, or property of users, the public, or us.
Where a disclosure would otherwise be a cross-border disclosure of personal information, see Section 9.
6. Reputation records and shared records
Two features deserve specific attention:
- Private track record. Every sealed deal contributes to your private track record. This is visible only to you unless you choose otherwise.
- Shareable reputation profile (paid feature). If you enable it, you can share a profile summarising your verified track record. You control whether it is on, and you can turn it off; turning it off stops future sharing, though people who previously viewed or received an exported copy may retain what they already saw.
- Sealed records are joint. A sealed record documents what two parties agreed and confirmed. Both parties retain their own copy. We treat this as a shared record: we will act on your requests about your copy and your personal information, but we cannot delete the other party's legitimate copy of the mutual facts. See Sections 10 and 11.
7. AI features and automated processing
Warren uses AI models (via a model-agnostic layer that may route to different third-party providers) to:
- extract deal details into structured deliverables at setup;
- generate reminders, nudges, confirmations, and status updates; and
- summarise sealed records.
What you should know:
- We send only the content needed for the relevant task to our AI providers, who process it on our behalf under contractual data-protection terms and do not use it to train their own models except as permitted by our agreements with them.
- These features assist you; they do not make legally significant decisions about you without human involvement. The co-sign and each confirmation are always deliberate human actions taken by you and your partner — Warren does not co-sign or confirm on your behalf.
- We do not carry out automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. If that ever changes, we will update this policy and give you the safeguards the law requires.
8. Cookies and analytics
We use cookies and similar technologies to keep you logged in, remember preferences, secure the Service, and understand how it is used (including Google Analytics 4 and event tracking such as CTA and signup-funnel events).
- Strictly necessary cookies are required for the Service to work.
- Analytics/performance cookies help us improve the product.
Where required by law (e.g. in the EU/UK), we request your consent for non-essential cookies via a cookie banner, and you can change your choices at any time. You can also control cookies through your browser settings. Blocking some cookies may affect how the Service works.
9. International data transfers
Warren is operated from Australia, and our service providers may process data in Australia, the United States, the European Union, and other countries. This means your personal information may be transferred to, and stored in, a country different from where you live.
- APP 8 (Australia): before disclosing personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs.
- GDPR/UK GDPR: where we transfer personal data outside the EEA/UK, we rely on an adequacy decision where one exists, or otherwise use appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum/IDTA). You can request a copy of the relevant safeguard by emailing us.
10. How long we keep your information
We keep personal information only as long as necessary for the purposes in this policy, then delete or de-identify it. In general:
| Category |
Retention |
| Account and profile data |
While your account is active, and up to 12 months after closure (to allow reactivation and handle disputes), then deleted or de-identified. |
| Deal room content (unsealed) |
While the room is active; deletable by you at any time, subject to the shared-room nature of the content. |
| Sealed records |
Retained as a joint record for both parties while either party maintains an account, because the record's value is that it is durable and mutual. Either party may export their copy. |
| Reputation record |
While your account is active; the shareable profile stops sharing when you disable it. |
| Payment and tax records |
As required by Australian tax and financial-record law — generally 5–7 years. |
| Support communications |
Up to 24 months after the matter is resolved. |
| Analytics and log data |
Typically 14–26 months, consistent with our analytics settings, then aggregated or deleted. |
Specific periods may vary where a longer period is required by law, or to establish, exercise, or defend legal claims. Full detail is in our Data & Compliance statement.
11. Your choices and rights (all users)
Under the Privacy Act and APPs, you may:
- Access the personal information we hold about you;
- Correct information that is inaccurate, out of date, incomplete, or misleading;
- Complain if you think we've mishandled your information (Section 14);
- Opt out of direct marketing at any time.
To exercise any of these, email hugoc@warrenship.com. We will verify your identity before acting, respond within a reasonable time (generally 30 days), and won't charge you to make a request (we may charge a reasonable cost for giving access in some cases, and will tell you first).
On shared and sealed records: we will always act on requests about your own personal information. Where information is part of a mutual record with a deal partner (for example a sealed record), we can remove or restrict your personal information and your copy, but we cannot erase the other party's legitimate record of the shared facts. We'll explain what we can and can't do when you ask.
12. Additional rights for EEA/UK users (GDPR)
If you are in the European Economic Area or the United Kingdom, you also have the right to:
- erasure ("right to be forgotten"), subject to the shared-record limits above and our legal obligations;
- restriction of processing and objection to processing based on legitimate interests or direct marketing;
- data portability — receive your data in a structured, commonly used, machine-readable format;
- withdraw consent at any time where we rely on consent, without affecting prior processing; and
- lodge a complaint with your local supervisory authority (for the UK, the Information Commissioner's Office; in the EU, your national data protection authority).
Our lawful bases are set out in Section 4. Where we rely on legitimate interests, we've balanced those against your rights; you can ask us for more detail on that assessment.
13. Additional rights for California users (CCPA/CPRA)
If you are a California resident, you have the right to:
- know the categories and specific pieces of personal information we've collected, the sources, purposes, and categories of recipients;
- delete personal information we've collected, subject to exceptions (including the shared-record limits above);
- correct inaccurate personal information; and
- opt out of "sale" or "sharing" of personal information, and to limit use of sensitive personal information.
We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising as those terms are defined under the CPRA. We will not discriminate against you for exercising your rights. To make a request, email hugoc@warrenship.com; you may use an authorised agent, and we will verify your request before acting.
14. Complaints
If you're concerned about how we've handled your personal information, please contact us first at hugoc@warrenship.com so we can try to resolve it. We'll acknowledge your complaint promptly and aim to resolve it within 30 days.
If you're not satisfied with our response, you can contact:
- Australia: the Office of the Australian Information Commissioner (OAIC) — oaic.gov.au.
- UK: the Information Commissioner's Office (ICO) — ico.org.uk.
- EU: your national data protection authority.
- California: the California Privacy Protection Agency.
You should also be aware that Australian law now includes a statutory tort for serious invasion of privacy (in effect from 10 June 2025). Nothing in this policy limits your rights under law.
15. Security
We take reasonable technical and organisational measures to protect personal information, including encryption in transit, access controls, and use of reputable infrastructure providers. Full detail is in our Data & Compliance statement. No system is perfectly secure; if we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the OAIC (and other regulators where required) in line with the Notifiable Data Breaches scheme and applicable law.
16. Changes to this policy
We may update this policy from time to time. If we make material changes, we'll update the "Last updated" date and, where appropriate, notify you by email or in-product. Continuing to use the Service after changes take effect means you accept the updated policy.
This document is provided for general information and to describe our practices. It is not legal advice. HopX Pty Ltd should have this policy reviewed by a qualified Australian legal practitioner before publication, and details in square brackets completed.