I. How We Collect and Use Your Personal Information
Heavstal Tech™ (hereinafter referred to as "Heavstal", "we", "us", or "our") firmly believes that privacy is a fundamental right. We only collect information that is necessary for specified, explicit, and legitimate purposes.
1. Identity & Account Data
When you sign in using our **Heavstal Identity Provider (OAuth2)** or **Google Sign-In**, we collect:
- Profile Information: Name, Email Address, and Profile Picture (Avatar).
- Authentication Tokens: Secure tokens to maintain your session across our ecosystem.
- Public Name: An optional display name you may set for public interactions (e.g., feedback reviews).
2. Technical & Usage Data
To maintain the security and stability of our **API Console** and **Bot Services**, we automatically collect:
- Device Information: IP Address, User Agent, and Browser Type.
- API Logs: Timestamp, Endpoint Accessed, Response Status, and Latency.
- Rate Limiting Data: Request counts stored temporarily in **Redis** to prevent abuse.
3. Password Manager Vault Data
For users of the **Heavstal Password Manager (HTPM)**:
- Zero-Knowledge Encryption: We store your password blobs, but they are **encrypted on your device** before reaching our servers (Supabase).
- No Access: We **cannot** see, decrypt, or recover your stored passwords. Only you hold the decryption key (your Master Password).
II. How We Store and Protect Your Information
We use industry-standard security measures to protect your data.
- Database Security: All user data is stored in **Supabase** (PostgreSQL) with Row Level Security (RLS) enabled.
- Encryption: Sensitive fields (like API Secrets and OAuth Tokens) are hashed using **Bcrypt** or encrypted using **AES-256** at rest.
- Data Retention: We retain account data only as long as your account is active. API logs are automatically purged from Redis after 7 days.
III. How We Share Your Information
We **do not sell** your personal information. We only share data with trusted infrastructure partners necessary to operate the service:
| Partner | Purpose | Data Shared |
|---|---|---|
| Google Cloud | Authentication & Hosting | Email, ID Token |
| Supabase | Database Storage | User Profile, Vault Blobs |
| Redis (Vercel KV) | Caching & Rate Limiting | IP Address, Session ID |
| Paystack | Payment Processing | Email, Transaction Reference (No Card Data) |
| Brevo | Transactional Emails | Email Address, Name |
IV. Cookies and Tracking Technologies
We use strictly necessary cookies to maintain your login session (`heavstal_session`) and preferences (`ht_theme`). We do not use third-party tracking pixels for advertising.
V. Your Rights
You have the right to:
- Access: View the data associated with your account via the Dashboard.
- Correction: Update your profile information at any time.
- Deletion: Request permanent deletion of your account and all associated data by contacting support.
- Export: Download your Vault data or API usage logs (Premium feature).
VI. Children's Privacy
Our services are not intended for children under the age of 13. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information.
VII. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer:
Email: heavstaltech@gmail.com