hexwatch

Privacy Policy

Last updated: April 4, 2026

What we collect

hexwatch collects the minimum data necessary to provide the service:

  • Email address - Used for account authentication. Collected when you sign up with email or a social provider (GitHub, Google).
  • Service connection metadata - Which services you have connected (e.g., "Vercel", "GitHub"), connection status, and last sync time. We do not store the content of your service data beyond temporary polling snapshots.
  • API tokens (Cloud Sync only) - If you choose Cloud Sync, your API tokens are encrypted with AES-256-GCM and stored on our server to enable background polling. You can choose On Device storage instead, where tokens never leave your phone.
  • Device push token - Used to send push notifications for alerts and incidents.

What we do not collect

  • We do not collect analytics or usage data.
  • We do not use tracking technologies or advertising identifiers.
  • We do not sell or share your data with third parties.
  • We do not access the content of your third-party service accounts beyond what is displayed in the app.

On Device storage

When you choose On Device storage for a service, the API token is stored exclusively in the iOS Keychain on your device. It is protected by the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly accessibility attribute, meaning it is hardware-backed, encrypted, and never synced to iCloud or any server. We have zero knowledge of these tokens.

Cloud Sync storage

When you choose Cloud Sync, your API token is encrypted with AES-256-GCM before storage. The encryption key is held by our server infrastructure and is not stored in the app binary. Tokens are only decrypted in memory when making API calls to your services. They are never logged.

Data retention

Polling snapshots (deployment status, error counts, etc.) are retained for the duration of your account. Activity events are retained for 90 days. When you delete your account, all data, including encrypted tokens, snapshots, events, and profile information, is permanently and immediately deleted.

Third-party services

hexwatch uses the following infrastructure:

  • Supabase - Authentication and database (hosted in US-East)
  • Railway - Backend API server
  • Apple Push Notification service (APNs) - Push notifications

Your rights

You can delete your account and all associated data at any time from Settings > Danger Zone > Delete Account within the app. You can disconnect individual services at any time, which immediately removes the stored token.

Children

hexwatch is not intended for children under 13. We do not knowingly collect data from children.

Changes

We may update this policy. Material changes will be communicated through the app.

Contact

Questions about this policy? Email privacy@hexwatch.app.