Privacy Policy
Last updated: 2026-05-07
HexWave collects the minimum data needed to give you a reading. This page describes what we collect, why, and how to ask us to delete it.
1. What We Collect
When you use HexWave we collect:
- Email address and a hashed password (account)
- Birth date and optional birth time and birth location -- encrypted at rest (calculation)
- Optional avatar image (display)
- Subscription status and a payment-provider customer identifier (billing webhook)
- People you add and their birth data -- encrypted at rest (Mutual Hex Maps)
Birth date, time, and coordinates are encrypted at rest with AES-256-GCM. Passwords are hashed with bcrypt; we never store the plaintext.
Reading interpretations (Birth Hexagram profiles, daily readings, mutual maps between two people) are stored in a shared content cache keyed by hexagram pair and language, not tied to any user. The same reading text is reused across every user with the same triad pair, and persists after account deletion as a shared library.
2. What We Don't Track
The marketing site at https://hexwave.app uses OpenPanel cookieless analytics. There are no tracking cookies, no session fingerprinting, and no advertising pixels. The signed-in app uses a single httpOnly authentication cookie. Beyond that, only minimal client-side state for UI preferences (e.g., language) is kept: no tracking cookies, no session fingerprinting, no ad pixels.
3. The Live Demo
When you enter a birth date in the homepage live demo, the engine processes the date and we do not retain it beyond the response.
4. Third-Party Processors
HexWave uses a small set of processors, each for a single purpose:
- Payment provider -- a third-party Merchant of Record for subscriptions; processes payment and tax
- Anthropic -- Claude API for generating reading interpretations
- Resend -- transactional email and contact form delivery
- Backblaze B2 -- avatar image storage
- OpenPanel -- cookieless marketing-site analytics
- Hetzner -- infrastructure hosting (servers and PostgreSQL database)
Each processor receives only the data it needs to perform its function.
5. Retention
Account data is retained while your account is active. If you delete your account, we delete or irreversibly anonymise your records within 30 days. Backups expire on a rolling 90-day window. Generated reading interpretations are cached permanently; they are keyed by hexagram and language, not by user, so they remain after account deletion as a shared library.
6. Your Rights
You can request access to, correction of, or deletion of your personal data at any time. EU residents have the rights described under GDPR (access, rectification, erasure, portability, objection, restriction). California residents have the rights described under CCPA (know, delete, opt out of sale; HexWave does not sell personal data). To exercise any right, contact us through Contact.
7. Children
HexWave is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided data, please contact us and we will delete it.
8. Governing Law
This privacy policy is governed by the laws of the State of Israel. The data controller is HexWave, contactable through Contact.
9. Changes
We may update this policy. Material changes will be announced in the app and on this page. The "last updated" date above reflects the most recent change.
10. Contact
Privacy questions or rights requests: see Contact.