Privacy Policy

This Privacy Policy explains what information we collect when you use Hivemate, why we collect it, who we share it with, and how to exercise your rights. Hivemate is operated by an individual sole proprietor based in Qatar.

Short version: Hivemate is a local-first desktop app. Your prompts, your code, the output from AI tools, and your AI provider API keys never touch our servers. The only data we hold is your account email and your subscription status.

1. What we collect

1a. Account data

When you sign in via Google OAuth, we receive and store:

• Your email address.
• A Supabase-generated user identifier (UUID).
• Your sign-in timestamp.

We do not receive your Google password.

1b. Subscription data

When you subscribe, our payment processor (Paddle) collects and stores your billing details (name, billing address, last 4 digits of your card, country, VAT number if applicable). We receive only:

• Your subscription status (active / cancelled / expired).
• Your current plan tier (Standard / Pro / VVIP).
• The end date of your current billing period.
• A Paddle customer identifier so we can sync changes.

We do not see or store your card details.

1c. Anti-fraud and operational logs

Our infrastructure providers (Supabase, Vercel, Cloudflare) keep standard server logs that include your IP address, user-agent, and timestamps for the requests you make to our services. These logs are used for security, abuse prevention, and debugging. They are typically retained for 30 days.

1d. What we do NOT collect

Hivemate runs locally on your Windows device. We do not see, log, transmit, or store:

• Your AI prompts or AI-generated output.
• Your code or any files on your machine.
• Your API keys for third-party AI providers (Anthropic, OpenAI, Google, etc.) — these live in your operating system's keychain only.
• The contents of your terminal sessions.

2. Why we collect it

• Provide the Service: we need your account email and subscription status to authenticate you and gate paid features.
• Process payments: Paddle needs your billing information to charge your subscription and handle refunds.
• Operate securely: server logs help us detect fraud, prevent abuse, and debug outages.
• Communicate: we use your email to send transactional messages (password resets, payment receipts, security notifications). We will not send marketing emails without your explicit consent.

3. Who we share it with

We share data only with the third-party processors required to run the Service. None of these processors sell your data.

• Supabase, Inc. — authentication and account database. Privacy policy.
• Google LLC — OAuth sign-in provider. Receives the OAuth handshake when you sign in. Privacy policy.
• Paddle.com Market Limited — payment processor and merchant of record. Handles all card data. Privacy policy.
• Vercel, Inc. — marketing site hosting. Privacy policy.
• Cloudflare, Inc. — DNS, edge protection, and domain registrar. Privacy policy.

We may also disclose your data if required by law (court order, subpoena, or other valid legal process), or to protect our rights, property, or safety.

4. International data transfers

Our processors are located in the United States and the European Union. By using the Service, you consent to your data being processed in those regions. Where required, our processors rely on standard contractual clauses (SCCs) for cross-border transfers.

5. Data retention

We retain your account data while your account is active. When you delete your account, we delete your account record from Supabase within 30 days. Paddle retains billing records for as long as required by tax and accounting law (typically 7 years in the EU and UK). Server logs are retained for 30 days.

6. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your data (right to erasure).
• Export your data in a portable format.
• Object to or restrict certain processing.
• Withdraw consent at any time (where processing is based on consent).
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@hivemate.dev. We respond within 30 days.

7. Cookies and tracking

The marketing site uses no analytics, no advertising trackers, and no third-party cookies. The desktop application uses no telemetry by default.

The only cookies set are functional ones required for sign-in (Supabase auth session) and payment checkout (Paddle session). These are first-party where possible.

8. Children

The Service is not directed to children under 16. We do not knowingly collect data from children under 16. If you believe a child has signed up, contact us and we will delete the account.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above. Material changes will be announced by email to active accounts at least 30 days before they take effect.