Privacy Policy

Last updated: 2026-04-29.

What we collect

• Account data: email address and password hash (Argon2id). That's it.
• Billing data: handled by Paddle (our merchant of record). We never see your card number.
• Encrypted profile blobs: opaque ciphertext only. The decryption key is derived from your master password, which we don't have.
• Telemetry (opt-in): hashed profile id, hashed user id, engine version, test target, pass/fail. No URLs, no cookies, no identifiers.

What we don't collect

• Browsing history, URLs, or page content.
• Cookies, localStorage, or session data (except as encrypted blobs we cannot read).
• IP-level fingerprints from the browser itself.
• Telemetry while it's disabled — and it's disabled by default for new users.

Sharing

We do not sell user data to anyone. We share only what's strictly necessary to operate the Service: with Paddle (billing), with Backblaze B2 (encrypted blob storage), and with our cloud infrastructure provider (Hetzner). We do not run third-party trackers or ads.

Retention

Encrypted blobs persist for the lifetime of your account. Telemetry events are aggregated weekly and individual events purged after 30 days. Account data is deleted within 30 days of account closure on request.

Your rights

EU/UK users: you have the rights granted by the GDPR — access, rectification, erasure, portability, objection. Email privacy@hak-browser.example to exercise them.

Contact

privacy@hak-browser.example