Hieper

Privacy statement

Last updated: June 23, 2026

Who is Hieper?

Hieper is an online service provided by TOMMO Design, a sole proprietorship registered at Perzikstraat 10, 6543 ZB Nijmegen, the Netherlands, listed with the Dutch Chamber of Commerce under number 90258339.

Hieper helps you collect and remember the birthdays of friends, family and colleagues, organise parties with RSVPs, save gift ideas and create personal birthday messages.

TOMMO Design is the data controller within the meaning of the EU General Data Protection Regulation (GDPR) for personal data processed via Hieper.

What data do we store?

Account and profile data

  • Your email address
  • Your first and last name (optional)
  • Your time zone and language preference
  • Optional contact details, such as an email address or phone number, only if you enter them yourself
  • Your subscription status (free or Hieper Plus)

Contacts and birthdays

  • First and last name of your contacts
  • Birthday (day and month, year optional)
  • Relationship label (such as "Family", "Friend", "Colleague")
  • Optional notes, gift hints and photos
  • Optional email addresses and phone numbers of contacts (only if you add them)

Parties, RSVPs and gifts

  • Details of parties you organise (title, date, location, announcements)
  • RSVPs from guests (name, optional email/phone, status)
  • Wishlist items and gift reservations
  • Group-gift contributions and payment status
  • Photos that you or your guests upload to a party (Hieper Plus). These are stored in our secure storage bucket at Lovable Cloud (Supabase Storage) and are only visible to participants of that party. You can delete them at any time.

Payment data (only for Hieper Plus)

We keep a reference to your Stripe customer and subscription ID and the status of your subscription. We never receive or store your credit card or bank details. These are handled entirely by Stripe.

Technical data

  • IP address and user-agent in server logs (kept briefly for security and debugging)
  • Logs of sent reminders and emails (to prevent duplicate delivery)

Calendar photos and image recognition

Hieper offers a feature that lets you upload a photo of a paper birthday calendar. The photo is sent to our AI provider (Google Gemini, via the Lovable AI Gateway), which reads names and dates from it. The photo and the extracted text are not stored long-term and are not used for model training. Only when you confirm and import the detected birthdays are they saved as contacts in your account.

On the public landing page you can also try this feature once without an account. To prevent abuse we protect this form with Cloudflare Turnstile (a privacy-friendly alternative to reCAPTCHA that does not place cookies and does not build profiles) and apply a short rate limit per IP address. The result of that single scan is only kept in your browser (localStorage) and is automatically imported once you create an account.

Cookies and local storage

Hieper uses functional cookies and local storage to operate. In addition, with your consent, we use Google Analytics 4 (GA4) for anonymous usage statistics. Specifically:

  • Auth session: keeps you signed in between visits (local storage, managed by our backend provider).
  • Theme preference: remembers whether you chose a light or dark theme (hieper-theme in localStorage).
  • Cookie consent: remembers your choice for anonymous statistics (hieper-analytics-consent in localStorage).
  • Cloudflare Turnstile: only on public forms used without sign-in. Does not place tracking cookies and does not build profiles.
  • Google Analytics 4 (GA4): when consented to, places anonymous analytical cookies to measure page visits and anonymous interactions. IP addresses are anonymised and we do not share data with Google for advertising purposes.

Functional cookies do not require consent under article 11.7a of the Dutch Telecommunications Act. For Google Analytics we ask consent in advance via the cookie banner at the bottom of the page.

Processors (third parties)

To run Hieper we use a number of processors. We have a data processing agreement with each of them, and all data stays within the EU or is transferred under appropriate safeguards (Standard Contractual Clauses).

  • Lovable Cloud (Supabase): database, authentication, hosting and storage buckets for files such as party photos and profile pictures. Servers in the EU.
  • Cloudflare: CDN, edge runtime and Turnstile protection for public forms.
  • Stripe: payment processing for Hieper Plus.
  • Resend / email provider: delivery of transactional email (reminders, announcements, account email).
  • Google (including Google Analytics 4): for signing in with Google, importing contacts and (if allowed via the cookie banner) anonymously analysing site visits via Google Analytics 4.
  • Bol.com / Bol Affiliates: for gift suggestions and wishlists we fetch product information from bol.com. If you click through to bol.com via an affiliate link, bol processes your click according to its own privacy policy.
  • OpenAI / Google AI via the Lovable AI Gateway: for generating birthday messages, gift suggestions and reading calendar photos. The submitted data is not used for model training.

Key principles

  • The birth year is always optional.
  • You can edit or delete contacts at any time from your dashboard.
  • Anyone adding a birthday via a shared circle explicitly consents through a checkbox.
  • Party guests can unsubscribe from notifications per party.
  • Hieper never sells personal data to third parties.
  • Hieper never sends birthday messages on your behalf automatically. You decide whether and when to congratulate someone.

What do we use the data for?

Solely to show your personal birthday overview, send reminders, organise parties, suggest gifts and generate personal birthday messages for you. Not for advertising, profiling or third-party marketing.

Legal bases (GDPR art. 6)

  • Performance of a contract: for account, contacts, parties and subscription.
  • Consent: for Google contact import, adding someone's data via a shared circle and the use of Google Analytics.
  • Legal obligation: for payment administration.
  • Legitimate interest: for security, fraud prevention and debugging.

Retention and deletion

We keep your data for as long as you have a Hieper account. When you delete your account (Settings, then Delete account), we erase your profile, contacts, parties and generated messages as far as technically possible and cancel any active subscription. We keep the financial administration of Plus payments for 7 years to comply with Dutch tax retention rules.

Free Plus trial abuse: to prevent the same person from claiming the free trial again and again by deleting and recreating an account, we temporarily keep, after deletion, a minimal pseudonymised identifier (an irreversible hash of your email address and/or OAuth ID, combined with a server-side secret). Your name, photo, contacts and other personal data are not kept. This hash is automatically deleted after 12 months and is used for nothing other than this abuse check.

Security

Your data is stored in a secure database. Only you have access to your own contacts and parties thanks to Row-Level Security: other users technically cannot read your data. Traffic to Hieper is encrypted with HTTPS.

Your rights

Under the GDPR you have the right to:

  • Access your data (which you can largely do yourself inside the app)
  • Have inaccurate data corrected
  • Have your data deleted ("right to be forgotten")
  • Restrict or object to processing
  • Have your data transferred (data portability)
  • Withdraw consent you previously gave

Email us at support@hieper.app; we reply within 30 days. You can also file a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).

Changes

We may update this statement when the service changes. The date at the top of this page indicates when we last updated it. For significant changes we will inform you by email.