Privacy Policy
Last updated: March 2026 · GDPR compliant · CCPA compliant · Common sense compliant
🍵 The honest summary (before the boring legal stuff)
We don't collect your personal data. We don't want it. We don't have a use for it. We don't have a shady data broker waiting eagerly in the shadows. We're an intelligence map, not an intelligence agency.
The map is public. You can watch geopolitical chaos unfold in real time without us knowing a single thing about you. Your IP address passes through our server to fetch data, then we promptly forget it existed. This is how the internet used to work before everyone got greedy.
1. Data We Collect
If you don't have an account (most people)
Absolutely nothing. Zero. The map works without an account. When your browser requests data from our API, our server processes the HTTP request, sends you the data, and immediately moves on with its life. No logs are kept beyond the standard 24-hour server access log (which is what nginx writes by default and we can't really stop it — it would know your IP existed for about a day, which is considerably less invasive than most apps you have installed on your phone).
We don't use Google Analytics. We don't use Facebook Pixel. We don't use any third-party tracking scripts. We use a map library (MapLibre) and some fonts (Google Fonts — yes, your browser connects to Google for those; sorry, we should probably self-host them one day). That's it.
If you create an account (optional)
We store the minimum required to make accounts work:
- Email address — to verify your account and send you password reset links. We don't send marketing emails. We barely have time to answer support emails.
- Hashed password — bcrypt, not reversible, not readable, not interesting to anyone including us.
- JWT sessions — stored in your browser, expire automatically. Stateless, signed, no session data on our servers beyond the JWT secret.
- Messages you send — never stored on our servers. The chat server is a pure relay: it receives your encrypted message envelope and immediately fans it out to connected recipients via SSE and MQTT. Nothing is written to a database. Message history lives exclusively on your device (local SQLite). If you log in on a new device, your history stays on the old one — you can optionally transfer or copy it yourself. We literally cannot read your messages even if we wanted to. We don't want to.
- Voice and video calls — relayed in real time through our LiveKit server (WebRTC). No recordings are made, no media is stored, no call logs are kept. The server is a router, not a recorder.
What we emphatically do NOT collect
- Location data (unless you explicitly send a route to someone)
- Browsing history or behaviour analytics
- Device fingerprints
- Advertising identifiers
- Biometrics (we're a map, not a dystopia)
- Social graph or relationship data
- Purchase history (we don't sell anything that requires a cart)
- Your opinions, preferences, or what you had for breakfast
2. Cookies
We use zero tracking cookies. We use zero advertising cookies. We use zero third-party cookies of any kind.
We use localStorage (which is technically not a cookie, but lawyers like to mention it) to store your login token if you choose "Remember me." This data never leaves your device. It is stored locally, read locally, and deleted locally when you log out.
If you've used other websites recently, you've probably accepted 47 cookie notices for things like "personalisation partners" and "legitimate interest." We are not that. We are aggressively boring when it comes to cookies.
3. GDPR (European Users)
Under the General Data Protection Regulation, you have rights over your personal data. Here is a concise explanation of those rights and how they apply to HyveHeim:
- Right to access — You can request all data we hold about you. If you don't have an account, the answer is "none." If you do, we'll send you your email address. We have no message history — it's on your device, not ours.
- Right to erasure — Delete your account from the profile settings and we will wipe everything. Promptly. Without drama.
- Right to portability — We can export your data in JSON format. Email us.
- Right to object — We're not running any automated profiling or direct marketing. There's nothing to object to, but you're welcome to object anyway if it makes you feel better.
- Right to complain — You can file a complaint with your national supervisory authority. We'd prefer you emailed us first, but we respect your right to go straight to the regulators if you feel strongly.
Our legal basis for processing account data: contract performance (we need your email to provide the account service you signed up for). That's it. No "legitimate interests" used as a catch-all excuse.
We do not have a Data Protection Officer because we are not a large organisation processing sensitive data at scale. We do have a person who reads privacy-related emails and takes them seriously. They are the same person. They are also writing this privacy policy. Hello.
4. CCPA (California Users)
California residents have rights under the California Consumer Privacy Act. Since we don't sell personal information (we have no personal information to sell), most of the CCPA is not directly applicable. Specifically:
- We do not sell your personal information to third parties.
- We do not share your personal information with third parties for cross-context behavioural advertising.
- You have the right to know what data we collect (see Section 1). For most users: nothing.
5. Third-Party Services
HyveHeim integrates with the following third-party services. Here's the honest rundown:
- Google Fonts — Material Symbols font is self-hosted. No requests are made to Google's servers.
- Anthropic (Claude) — Event synthesis requests include the event title and source headlines. No user data is sent. Anthropic's commercial API privacy policy applies.
- CartoDB / CARTO — Map tile images are fetched from CARTO's CDN. Your IP is visible to them when fetching tiles. See CARTO's privacy policy for details.
- Nominatim (OSM) — Country/region lookups use the public Nominatim API. Coordinates are sent to OpenStreetMap's servers. No account data is sent.
- iptv-org — The TV player loads an M3U playlist from GitHub. GitHub's privacy policy applies to that CDN request.
That is a comprehensive and complete list of third-party data flows. We are not hiding any others in footnotes.
6. Data Retention
- Intel events — Retained for 30 days by default, then archived. Not linked to any user.
- Account data — Email address, hashed password, group/room memberships. Retained for the lifetime of your account. Deleted immediately on account deletion.
- Chat messages — Not retained on servers. Ever. History lives on your device only.
- Server access logs — Retained for 24 hours in standard nginx access log format. Not analysed, not sold, not even really looked at unless something breaks.
- Community reports — Retained until the submitting account is deleted, or until the report expires (configurable per report).
7. Security
We take security seriously (we built an intel platform; irresponsibly ignoring security would be embarrassing):
- All traffic encrypted in transit via TLS 1.2+
- Passwords hashed with bcrypt (cost factor 12)
- JWTs signed with 256-bit secrets, short expiry
- Chat messages encrypted client-side (AES-256-GCM) before leaving your device — the server relays opaque ciphertext it cannot decrypt
- Panic data encrypted end-to-end with AES-256-GCM + X25519 ECDH
- Voice/video: WebRTC relay only — no recording, no media storage, no call logs
- Database not publicly accessible (private network only)
- Admin API protected by separate token with no public exposure
If you discover a security vulnerability, please email us before publishing it. We will take it seriously, fix it promptly, and credit you if you'd like.
8. Changes to This Policy
If we materially change this policy (i.e., start collecting more data), we will notify account holders by email. Changes that reduce data collection require no notification because they are good news.
We are not going to add 14 pages of "we may share your data with trusted partners" boilerplate in the future. If that ever happens, it means this project has been acquired by someone terrible and you should leave immediately.
9. Contact
Privacy questions, data requests, or if you just want to yell at us about GDPR:
Contact Us
Terms of Service
The legal stuff. We've tried to make it human-readable.
1. What This Service Is
HyveHeim provides a real-time global intelligence map aggregating publicly available open-source information. The service is provided for informational and situational awareness purposes only.
2. What This Service Is Not
HyveHeim is not:
- A replacement for official government travel advisories, emergency services, or professional security assessments.
- A source of verified, fact-checked news. Events are aggregated from open sources and may contain errors, misidentifications, or outdated information.
- A real-time emergency response platform. Do not rely on HyveHeim in a life-threatening situation.
- Legal, medical, or security advice.
In short: we're showing you what people on the internet are saying about events. Treat it like a very sophisticated news aggregator, not like ground truth. Always verify from primary sources before making decisions.
3. Acceptable Use
You may use HyveHeim for:
- Personal situational awareness, travel planning, research, and journalism.
- Academic and educational purposes.
- Commercial use via an API subscription (see Pricing).
You may not use HyveHeim to:
- Harass, threaten, or harm individuals or groups.
- Circumvent API rate limits or scrape data in violation of the API terms.
- Redistribute our data commercially without an appropriate API licence.
- Attempt to access other users' accounts or private data.
- Use the platform for propaganda, disinformation campaigns, or coordinated inauthentic behaviour.
4. Disclaimer of Warranties
THE SERVICE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT EVENT DATA WILL BE ACCURATE OR COMPLETE. THE SERVICE IS AGGREGATED FROM PUBLICLY AVAILABLE SOURCES WHICH WE DO NOT CONTROL.
(Yes, we have to shout this bit. Lawyers insist.)
5. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, HYVEHEIM SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM YOUR USE OF OR INABILITY TO USE THE SERVICE.
If you make a bad decision based on something you saw on our map, that is, respectfully, on you.
6. Account Termination
We reserve the right to terminate accounts that violate these terms. You can delete your account at any time from the profile settings.
7. Governing Law
These terms are governed by and construed in accordance with applicable law. We'll update this with a specific jurisdiction as the project matures.
8. Changes
We'll notify account holders by email of material changes to these terms. Your continued use of the service after changes constitutes acceptance.