1. Data We Collect

If you don't have an account (most people)

Absolutely nothing. Zero. The map works without an account. When your browser requests data from our API, our server processes the HTTP request, sends you the data, and immediately moves on with its life. No logs are kept. Period. No access logs, no error logs, no IP addresses. Your request is processed and forgotten immediately.

We don't use Google Analytics. We don't use Facebook Pixel. We don't use any third-party tracking scripts. We use a map library (MapLibre) and some fonts (Google Fonts — yes, your browser connects to Google for those; sorry, they are self-hosted — no requests are made to Google's servers). That's it.

If you create a free account

An account is required to use the vertical dashboards (Cyber, Aviation, Maritime, Physical Security, Energy) and chat features; the public OSINT map works without one. When you sign up we store:

• Username — your chosen handle. Required.
• Hashed password — modern salted hashing, not reversible, not readable, not interesting to anyone including us.
• Email address — optional but recommended. Used for: account recovery prompts, email verification, transactional system notices (trial expiry warnings, payment receipts, password reset). Stored in our database (Switzerland) and surfaced through the UI in masked form only (a*****@example.com). Never shared, sold, or used for marketing without your explicit opt-in.
• Phone number — optional. Stored in E.164 format. Surfaced in the UI as last-4 only (•••• 1234). Used solely as a recovery fallback. We do not SMS you for marketing.
• Company name — optional. Helps us route enterprise inquiries correctly. Treated as ordinary identifying data.
• Recovery hash — a one-way hash of your BIP-39 recovery phrase. The phrase itself is generated in your browser and never sent to us. If you lose it, we cannot recover your account.
• Session tokens — signed, stateless, short-lived. Stored in your browser, not on our servers.
• Messages you send (chat) — End-to-end encrypted and held for a maximum of 48 hours for offline delivery, then permanently and irreversibly deleted. The server cannot read them — it sees only encrypted blobs. Message history lives exclusively on your device in an encrypted local database.
• Voice and video calls — relayed in real time (WebRTC). No recordings, no media stored, no call logs.
• Space membership — stored using a cryptographic blind. The server cannot link your account to the spaces you've joined. (If you wanted us to keep records of who's in what, sorry, the cryptography happened.)

If you start a free trial or subscribe to a paid plan

Every account starts with an automatic 30-day free trial. In addition to the data above, we also store:

• Trial state — when your trial started, when it ends, and which verticals were unlocked. Stored as plain timestamps + a text array. No personal data; used solely to know whether to grant Pro-tier access on each request.
• Discount records (if you qualify) — percentage, reason (e.g. professional:auto:ISC2, professional:asisonline-cert-12345, journalist:approved), verified date, expiry. Renewed annually.
• Professional-verification submissions (if you apply for the 25% certified-pro discount) — the association name, certification number, the evidence URL you supplied, your notes, and the operator's approve/reject decision. Stored in a dedicated professional_verifications table. Retained while the discount is active plus 12 months after for audit; deleted on account deletion.
• Email-verification tokens — when you click "verify my email," we generate a single-use token, hold it for 24 hours in a transient cache, and burn it on first use. Never persisted to the main database.
• Payment data — processed entirely by Stripe. We never see, store, or handle your card number. Stripe gives us only a customer ID, subscription status, and invoice references. Stripe is PCI-DSS Level 1 compliant.
• Stripe customer ID — a single opaque string Stripe issues when you first pay. We store it on your account so we can map renewals + cancellations back to you. It does not, by itself, contain card data.

We retain payment records for 6 years as required by UK tax law (HMRC). This is a legal obligation we cannot override. After 6 years, records are permanently deleted.

Outbound email — who sends and where replies go

All system mail (verification, receipts, trial-expiry notices, password reset) is sent From: [email protected] with Reply-To: [email protected]. The footer of every message states the same. [email protected] is a monitored mailbox; noreply@ discards replies. Outbound transit goes via a UK-/EU-resident commodity mail provider over TLS.

What we emphatically do NOT collect

• Location data (unless you explicitly send a route to someone)
• Browsing history or behaviour analytics
• Device fingerprints
• Advertising identifiers
• Biometrics (we're a map, not a dystopia)
• Social graph or relationship data
• Purchase history (we don't sell anything that requires a cart)
• Your opinions, preferences, or what you had for breakfast

2. Cookies & browser storage

Zero tracking cookies. Zero advertising cookies. Zero third-party cookies. Everything below is first-party and strictly necessary for the site to work — no consent banner, because there's nothing to consent to that you weren't already consenting to by clicking "Log in".

Cookies we set

Both cookies are cleared by your browser when you press "Log out" — our logout endpoint expires them server-side.

localStorage / sessionStorage

Technically not cookies, but the lawyers want them listed:

• hl_lang (localStorage) — your UI language preference. Persists across visits.
• hl_theme (localStorage) — light or dark mode. Persists across visits.
• auth_return_to (sessionStorage) — the page you were on when you clicked "Sign in", so we can send you back there after login. Cleared once consumed.
• pending_promo (sessionStorage) — a promo code from a /r/{code} link, redeemed after you sign in. Cleared once consumed.

None of these leave your device. None are read by third parties.

If you've used other websites recently, you've probably accepted 47 cookie notices for things like "personalisation partners" and "legitimate interest." We are not that. We are aggressively boring when it comes to cookies.

3. UK GDPR & EU GDPR

HyveHeim is operated from the United Kingdom and complies with both the UK General Data Protection Regulation (UK GDPR, as retained under the Data Protection Act 2018) and the EU GDPR for European users. Under both regulations, you have the following rights:

• Right to access — You can request all data we hold about you. If you don't have an account, the answer is "none." If you do, we'll provide your username and account data. We have no message history — it's on your device, not ours.
• Right to erasure — Delete your account from the profile settings and we will wipe everything. Promptly. Without drama.
• Right to portability — We can export your data in JSON format. Contact us.
• Right to object — We're not running any automated profiling or direct marketing. There's nothing to object to, but you're welcome to object anyway if it makes you feel better.
• Right to complain — You can file a complaint with your national supervisory authority. We'd prefer you contacted us first, but we respect your right to go straight to the regulators if you feel strongly.

Lawful Basis for Processing

International Data Transfers

Your data is processed on infrastructure within Switzerland and the EU/EEA, plus two relay-only points that hold no personal data. Switzerland has an EU adequacy decision; the remainder are in the EU/EEA. No additional cross-border safeguards (such as Standard Contractual Clauses) are required for these transfers.

Payment data is processed by Stripe, Inc. (US) under their own privacy policy and EU-US Data Privacy Framework certification.

AI processing of event data (classification, geocoding, summarisation) runs primarily on self-hosted models on our own hardware in the EU — the data does not leave our infrastructure for these tasks. A small fraction of generative work falls back to an EU-based commercial LLM API when local capacity is exceeded. Only event titles and source headlines are sent to either path — never user data, never DM content.

Data controller: HyveHeim, United Kingdom. ICO registration number: C1896848. For data protection enquiries, use the contact form.

Supervisory authority: If you are unsatisfied with our response, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk (UK), or your local EU/EEA data protection authority.

We do not have a Data Protection Officer because we are not a large organisation processing sensitive data at scale. We do have a person who reads privacy-related messages and takes them seriously. They are the same person. They are also writing this privacy policy. Hello.

4. CCPA (California Users)

California residents have rights under the California Consumer Privacy Act. Since we don't sell personal information (we have no personal information to sell), most of the CCPA is not directly applicable. Specifically:

• We do not sell your personal information to third parties.
• We do not share your personal information with third parties for cross-context behavioural advertising.
• You have the right to know what data we collect (see Section 1). For most users: nothing.

5. Third-Party Services

HyveHeim integrates with the following third-party services. Here's the honest rundown:

• Stripe — Payment processing for premium subscriptions. Stripe handles all card data under PCI-DSS Level 1 compliance. We never see your card number. Stripe Privacy Policy.
• Outbound mail provider — A standard commodity mail service handles delivery of system mail (verification, receipts, trial-expiry warnings, password reset). The provider sees the recipient address, subject and body; no other account data is shared. The current provider has its own privacy policy you can request from us via the contact form.
• Inbound mail routing — A commodity routing layer forwards inbound mail to support@, noreply@, etc. into our mailbox provider. The router relays the message; it does not retain content.
• Self-hosted LLM (on our own EU hardware) — Primary AI processing of event data (classification, geocoding, dedup, summarisation). No third party sees the data. Only event titles and source headlines are processed — never user data.
• Mistral AI (France) — Fallback for prompts that exceed our local model's context window. Only event titles and source headlines are sent — no user data. Mistral Privacy Policy.
• Cloudflare — DNS and CDN. Your browser connects through Cloudflare's network. Cloudflare Privacy Policy.
• Google Fonts — Material Symbols font is self-hosted. No requests are made to Google's servers.
• Nominatim (OSM) — Geocoding lookups. Coordinates are sent to OpenStreetMap's servers. No account data is sent.
• Planespotters.net — Aircraft photos fetched on demand. Your browser connects to their CDN.
• MarineTraffic — Vessel photos fetched on demand. Your browser connects to their CDN.

That is a comprehensive and complete list of third-party data flows. We are not hiding any others in footnotes.

6. Data Retention

• Intel events — Retained for 30 days by default, then archived. Not linked to any user.
• Account data — Username, hashed password, optional email/phone/company, trial & discount state. Memberships are blinded (server can't link you to groups). Deleted within 7 days of account deletion request.
• Professional-verification submissions — Retained while a discount you applied for is still active, plus 12 months for audit purposes, then deleted.
• Chat messages — Encrypted messages held for a maximum of 48 hours for offline delivery, then permanently deleted. Server cannot read them.
• Server logs — Almost-none. Application logging is disabled (no access logs, no IP addresses, no user-data in service logs). The single exception is attacker-only nginx logging: HTTP responses with status 4xx and 5xx (probes for /admin, /.env, /wp-login, etc.) are logged for security purposes only, kept for 14 days, then rotated out. Successful 2xx/3xx requests are never logged. This was the deliberate result of a security audit — defending the platform against botnet floods requires knowing what they're trying.
• Community reports — Retained until the submitting account is deleted, or until the report expires (configurable per report).
• Mímir posts + comments — Retained for the life of the post unless deleted by the author or removed by operators. Soft-deleted posts (you hit delete) are kept for 7 days then hard-deleted; revisions go with them.
• Mímir drafts (autosave) — Stored under your account, capped at 50 per user (oldest evicted), auto-pruned after 90 days of no edit.
• Mímir notifications — Hard-deleted after 30 days. Email-sent notifications carry no body, just a link back to the post.
• Mímir karma + reputation — Derived nightly from your reactions / posts / flags; the underlying records persist as long as the posts they reference do.
• Classification alerts — When a post is blocked for containing a protective marking, we record the matched marking labels + a one-way hash of the attempted body (NOT the body itself) so we can spot repeat-offender patterns without persisting your restricted text. Kept for 12 months for compliance review then deleted.
• Moderation log — Operator actions (hide / mute / ban / feature / verify) are logged with operator id + timestamp + reason. Kept for the life of the platform (audit obligation under Online Safety Act 2023 + DSA).

7. Security

We take security seriously (we built an intel platform; ignoring our own security would be a bad look).

• All traffic encrypted in transit (TLS).
• Passwords hashed with a slow, salted, memory-hard algorithm. Never stored as text. Not even SELECT * FROM users WHERE password = 'hunter2' would help us, and we have a sense of humour about that.
• Session tokens are signed, short-lived, and stored in your browser — not on our server.
• Chat is end-to-end encrypted on your device before it touches the wire. The server sees opaque bytes; it cannot read your messages even if it wanted to. It doesn't want to.
• Panic data is end-to-end encrypted with modern public-key cryptography. The server is a postbox.
• Voice / video: WebRTC relay only — no recording, no media storage, no call logs.
• The database is not publicly reachable. The admin surface is gated by a separate credential and never exposed to the public internet.
• Email and phone, where provided, are masked in the UI (a*****@example.com, •••• 1234); the full values never come back from any client-facing API.
• Every operator action is logged with operator id + timestamp + reason (audit-trail aligned to SOC 2 CC6.1 / ISO 27001 A.12.4.1, in case your compliance officer asks).

If you're a security researcher who just read all that and got the urge to test it: please do. Coordinated disclosure via the contact form, we'll fix it, we'll credit you, and we won't be weird about it. Black-hatting us is rude.

If you discover a security vulnerability, please email us before publishing it. We will take it seriously, fix it promptly, and credit you if you'd like.

8. Changes to This Policy

If we materially change this policy (i.e., start collecting more data), we will notify account holders via in-app notification or website announcement. Changes that reduce data collection require no notification because they are good news.

We are not going to add 14 pages of "we may share your data with trusted partners" boilerplate in the future. If that ever happens, it means this project has been acquired by someone terrible and you should leave immediately.

9. Contact

Privacy questions, data requests, or if you just want to yell at us about GDPR: