Privacy Policy

This policy explains what Hataw collects, why, and what we do with it. Plain language, no dark patterns.

What we collect

• Email address — only if you sign in. Used for magic-link authentication and rare service notices.
• Published content — the files you (or your agent) upload. These are served from <slug>.hataw.dev and are public by default.
• Site metadata — slug, sizes, content types, the time of publish, and which API key (if any) created the site.
• Request logs — IP address, user agent, and path for requests to the API and to served sites. Used for abuse prevention and debugging. Rotated regularly.

What we don't collect

• No third-party analytics or trackers.
• No advertising cookies.
• No payment information (the service is free).

How we use it

To run the service: authenticate you, serve your sites, enforce the Terms, and prevent abuse. We don't sell your data and we don't share it with third parties for marketing.

Subprocessors

We use a small number of vendors to operate Hataw. They process data on our behalf and are bound by their own privacy terms:

• Railway — application hosting.
• Resend — sending magic-link sign-in emails.
• Postgres / object storage providers on Railway — for site metadata and uploaded bytes.

Retention

Sites are deleted 30 days after publish. Sites claimed by an account are retained until you delete them or the account. Request logs are kept for a short rolling window.

Your rights

You can delete your account and all associated sites and keys from the dashboard. For anything else (data export, deletion of specific records), email privacy@hataw.dev.

Children

Hataw is not directed at children under 13. Don't use it if you're under 13.

Changes

If this policy changes materially, we'll update the date at the top of this page.