Privacy Policy
Effective: March 2026
1. Introduction
Hexys (“we,” “us,” “our”) is a pornography recovery application designed for men aged 18 and older. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use the Hexys mobile application and website (collectively, the “Service”). We are committed to protecting your privacy with zero-knowledge architecture wherever technically possible.
2. Information We Collect
We collect the following categories of data:
- Email address: required for account authentication via magic link
- Anonymous usage analytics: collected via PostHog (privacy-respecting, no cross-site tracking) to understand feature usage patterns
- Encrypted journal ciphertext: your journal entries are encrypted on your device using AES-256 encryption before transmission. We store only ciphertext. We cannot decrypt or read your journal entries.
- Streak and check-in data: daily check-in timestamps and streak counts
- Subscription status: whether you are on the Free or Core plan
- Push notification tokens: device tokens for sending streak reminders and recovery prompts
- Device type: iOS or Android, used for platform-specific features
3. Information We Do Not Collect
- Real name: your display name is optional and visible only to you and Arcos
- Location data: we do not request or store GPS, IP-based location, or any geolocation data
- Browsing history: the Safari Content Blocker runs locally on your device using Apple's Content Blocker API. It never reports your browsing activity to our servers.
- Contacts: we never access your phone contacts
- Journal content: journals are encrypted on-device before transmission. We store only ciphertext.
4. Third-Party Services
We use the following third-party services:
- Supabase: database hosting and authentication (EU/US servers). Stores account data, ciphertext journal entries, and community content.
- RevenueCat: subscription management and payment processing coordination. Does not have access to journal content or recovery data.
- PostHog: privacy-respecting product analytics. No cross-site tracking, no cookie-based identification. Used for aggregate feature usage data only.
- Resend: transactional email delivery only (account verification, waitlist confirmation, launch notifications). Your email is not shared with third parties for marketing.
- Anthropic/Claude: powers Arcos, the AI recovery coach. Conversation metadata is processed for response generation. We do not store AI conversation content server-side beyond the current session context.
- Apple App Store / Google Play: handles payment processing for subscriptions. We do not store credit card or payment information.
5. COPPA Compliance
Hexys is designed exclusively for users aged 18 and older. We implement age-gating at onboarding through date of birth verification. Users who do not meet the minimum age requirement are blocked from creating an account. We do not knowingly collect personal information from individuals under 18 years of age. If we learn that we have collected data from a user under 18, we will delete that data promptly.
6. GDPR and CCPA Rights
If you are a resident of the European Economic Area (EEA) or California, you have the following rights:
- Right to access: you can export all your data from the Settings screen within the app
- Right to deletion: you can delete your account from Settings. All associated data will be permanently removed within 30 days of your request.
- Right to rectification: you can update your account information at any time within the app
- Right to portability: data export is available in standard formats from Settings
- Right to opt out of sale: we do not sell your personal information to third parties
7. Data Retention
We retain your account data for as long as your account is active. If you request account deletion, all associated data (including ciphertext journal entries, streak data, community posts, and account information) will be permanently deleted within 30 days of the deletion request. Anonymous, aggregated analytics data that cannot be traced back to any individual may be retained indefinitely.
8. Security
We implement the following security measures:
- AES-256 client-side encryption for all journal entries before transmission
- TLS encryption for all data in transit
- Row Level Security (RLS) on all database tables to enforce access control at the database level
- Supabase auth with magic link authentication (no passwords stored)
- Biometric lock option for journal access within the app
- Screen capture prevention for sensitive screens
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and, where possible, via in-app notification. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
10. Governing Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the State of Texas, United States, without regard to conflict of law principles.
11. Contact Us
If you have questions about this Privacy Policy or your data, contact us at: privacy@hexys.app