Privacy policy

hamir runs personalization on your device. Your ranking weights, topic affinities, and skip history live encrypted on your iPhone and sync across your Apple devices through iCloud Keychain — never copied to our servers.

What does reach our servers is the minimum to make the app work: your account, the sources you follow, and a small amount of anonymous usage telemetry. Saved posts are also on-device by default (opt in to server sync from Settings → Storage → Sync). Detail below.

hamir is run by one person, not a company. We don't sell data, we don't run ads, and we don't track you across other apps.

hamir builds a personalization profile from your taps and swipes — which topics, tags, domains, and feeds you engage with, and which posts you've dismissed. The profile is encrypted with AES-GCM-256; the key lives in iOS Keychain, and the encrypted payload syncs across your Apple devices via iCloud Keychain + iCloud Key-Value Storage. Apple's end-to-end encryption means neither Apple nor we can read it.

Your skip history is part of this on-device profile — it never reaches our servers. The API rejects skip-typed writes at the boundary, so even a modified client can't route them through. When the app fetches new posts, it sends a transient list of recent post IDs to exclude; not persisted server-side.

Delete the app or sign out of iCloud and the on-device profile is wiped. You can also clear it from Interests → Reset on-device profile.

Account identity: a server-generated UUID, your chosen nickname, and an avatar URL if your sign-in provider sends one.

Sign-in identities: a record per provider you've used (Apple, Google, GitHub) storing the provider's stable identifier, the email it returns, and the avatar URL. The identifier is what links you back on next sign-in. The email is refreshed each sign-in and used to flag duplicate-account abuse (same provider account creating a second hamir account to evade moderation).

Nicknames are generated locally from a curated wordlist on first sign-in — we don't ask the provider for your username or display name, and we don't email you marketing material.

Subscriptions: the feeds and sources you've added.

Saved posts: by default, on-device only. Turn on cross-platform sync (Settings → Storage → Sync) and the list also reaches the server, which is what non-Apple hamir clients (Android, Web) will read when they exist.

Notification token: if you turn on push, the APNs token needed to deliver them. Cleared on logout or when you turn notifications off.

Anonymous usage events: impressions, screen views, time-on-card. Stored without a user_id column, so a row can't be re-linked to you after insert. Auto-deleted after 180 days.

Moderation log: attempts to add blocked or prohibited sources, linked to the account that made the attempt — used only for abuse prevention. Retained up to 2 years; on account deletion the user attribution is removed and only the anonymized row stays.

Crash and error reports: stack traces sent to our self-hosted error tracker, with user identifiers, request headers, and cookies scrubbed server-side before the report leaves our infrastructure. No third-party vendor receives this data.

Account identity, sign-in identities, subscriptions, and saved posts: Article 6(1)(b) — necessary to provide the service.

Notification token: Article 6(1)(a) — consent. Opt in via the system push dialog, revoke any time.

Anonymous usage telemetry, moderation log, crash reports: Article 6(1)(f) — legitimate interest in measuring product performance, preventing abuse, and maintaining stability, balanced by data minimisation (no user_id on telemetry, anonymized retention on moderation, server-side scrubbing on crashes).

Sign-in providers — Apple, Google, GitHub. When you choose one, they handle authentication; we receive only the identifier and email they choose to share, plus any name or avatar.

Apple Push Notification service — used only if you turn on push.

Apple iCloud Keychain + iCloud Key-Value Storage — used for the encrypted on-device profile sync (described above). hamir doesn't see the payload; Apple is the data controller for the sync channel.

Hosting and infrastructure — a cloud hosting provider in the EU West region runs the servers, databases, and operational logging.

hamir does not use third-party analytics SDKs, advertising networks, or data brokers.

hamir's servers run in the European Union (EU West region). If you're in the EU or UK, your data doesn't normally leave the EU.

Sign-in providers process authentication on their own infrastructure under their own policies; the same is true for Apple's push notification and iCloud services.

If you contact us at hello@hamir.app, your message will be processed wherever the mail provider routes it.

hamir is primarily an iOS app. The hamir.app website provides sign-in callback handling, the public instance directory, and these legal pages — there is no web reader UI.

When you visit the site, our server logs the request (IP address, user-agent, path, timestamp) for a few days for operational and abuse-prevention purposes, then those logs expire automatically.

We don't run third-party analytics, ad trackers, or session-replay tools on the site. We don't sit behind a third-party CDN — your browser talks to our hosting infrastructure directly.

Wherever you live, you can:

Get a copy of your data — hamir has a built-in account export.

Correct your nickname directly in the app.

Delete your account and the data tied to it — use the in-app delete-account flow. We purge account records, identities, subscriptions, saved posts, push registrations, private sources you added (with their stored credentials), and analytics data, and invalidate your tokens.

Withdraw consent for push notifications — toggle them off in iOS Settings or in the app.

Contact us about any of these at hello@hamir.app.

If you're in the EU, EEA, or UK, you additionally have:

Access (Article 15), rectification (16), erasure (17), and portability (20) — covered by the export, nickname-edit, and account-delete flows above.

Restriction or objection to processing (Articles 18 and 21) — contact us at hello@hamir.app.

Withdrawal of any consent given (Article 7(3)).

Lodging a complaint with your local data-protection authority — you don't have to contact us first.

Under California's privacy laws you additionally have:

Right to know what personal information we have — the sections above are the standing answer; email hello@hamir.app for a specific record.

Right to delete your personal information — use the in-app account deletion.

Right to correct — your nickname is editable in the app.

Right to opt out of sale or sharing for cross-context behavioural advertising — we don't sell or share for that purpose, but the right exists.

Right to limit use of sensitive personal information — we don't collect sensitive personal information as defined by California law.

Right to non-discrimination for exercising any of these.

Account-tied data (identity, subscriptions, saved posts, push tokens, sign-in identities): for as long as your account is active. Wiped on account deletion.

Anonymous usage events: 180 days, then auto-deleted.

Moderation log: up to 2 years, then anonymized.

Crash and error reports: retained at the discretion of our self-hosted error tracker; configurable, and limited to a few hundred days by default.

Operational logs (HTTP requests, background-job traces): a few days at most, then expire automatically through infrastructure retention windows.

We don't sell personal data.

We don't show ads, and we don't run third-party advertising or tracking SDKs. We don't display the App Tracking Transparency prompt because we don't track you across other apps or sites.

We don't link your in-app activity to any external identity, advertising ID, or device fingerprint.

We don't turn your private account data into a public profile without explicit action on your part.

We don't train models on your reading behavior, skip history, or other user-tied signals — the topic classifier is trained on labeled posts, not on user activity.

hamir is not directed to users under 16 (the App Store age rating for hamir), and we don't knowingly collect data from them. If you believe a child has registered, contact us and we'll delete the account.

hamir uses open-source readability tooling and internal extraction heuristics to improve readability on supported sources.

hamir is designed for lawful access and does not provide features to circumvent paywalls or other access controls. Reader mode availability for a source doesn't grant any right to reuse or redistribute content beyond what the publisher allows.

Where a source is restricted or subject to publisher limitations, hamir may limit native reader mode to publisher-provided metadata, summaries, and artwork, and direct full reading to the original webpage. If reader mode is inadvertently available for restricted content, we may limit or remove that functionality once identified.

We'll update this page when our practices change. The date at the top reflects the most recent revision. If a change is material (e.g., a new processor that handles personal data), we'll surface it in the app or in a release note so you have a fair chance to read it before it takes effect.

Privacy questions, GDPR requests, or anything else: hello@hamir.app.

hamir is run by one person. There's no separate Data Protection Officer — the email above reaches the person who actually runs the product and handles your data.