Privacy
УкраїнськаPrivacy policy
What hamir collects, why, and how long it keeps it.
Last updated: June 19, 2026
The short version
Personalization runs on your device. What hamir learns about your reading — the topics you engage with, the feeds you keep, what you skip — stays encrypted on your iPhone and syncs between your Apple devices through iCloud Keychain. Nothing about that profile reaches hamir's servers by default.
What does reach the server is the minimum to make the app work: your account, the sources you follow, and a small amount of anonymous usage telemetry. Saved posts and interaction history sync to the server only if you opt in (Settings → Storage → Sync), so the same profile can follow you to a device on another platform.
hamir is built by one person. hamir doesn't and never will track you for marketing or display ads.
What stays on your device
Your reading profile — the topics, tags, domains, and feeds you engage with, and what you skip — is built from your taps and swipes. It's encrypted with AES-GCM-256, the key lives in iOS Keychain, and the encrypted payload syncs between your Apple devices via iCloud Keychain. Apple's end-to-end encryption means neither Apple nor hamir can read it.
Private sources you add — and the bookmarks you save from them — sync between your Apple devices through your iCloud private database (CloudKit), separate from iCloud Keychain. hamir's servers never see this data; with Advanced Data Protection enabled, the records are end-to-end encrypted and even Apple can't read them.
Your interactions stay on your device and are never sent to hamir's servers — they only shape recommendations on your phone.
If you turn on cross-platform sync (Settings → Storage → Sync), interaction history is written to hamir's servers so other devices in your account can read the same profile. Wiped when sync is turned off or the account is deleted.
hamir doesn't train models on your reading behaviour or skip history. The topic classifier is trained on labelled articles, not on user activity.
What hamir keeps on its servers
Each entry below lives only as long as your account does, unless noted otherwise.
Account identity — a server-generated UUID, your nickname, and an avatar URL if your sign-in provider sends one.
Sign-in identities — one record per provider you've used (Apple, Google, GitHub): the provider's stable ID and the avatar URL. We don't store the email the provider returns; the app keeps it on your device only, so you can see which account a connection is.
Source subscriptions — the feeds and sources you've added.
Saved posts (opt-in sync) — on-device by default; if you turn on sync, the list also lives on the server.
Push token (opt-in) — the APNs token, only if you've enabled push notifications. Cleared on logout or when you turn notifications off.
Anonymous usage events — impressions, screen views, time-on-card. Stored without a user_id column, so rows can't be re-linked to you after insert. Auto-deleted after 180 days.
Moderation log — attempts to add blocked sources, linked to the account that made the attempt; used only for abuse prevention. Retained up to 2 years; on account deletion the user attribution is removed and only the anonymized row stays.
Crash and error reports — stack traces sent to a self-hosted error tracker. User identifiers, request headers, and cookies are scrubbed server-side before the report leaves. No third-party vendor receives this data.
Operational logs (HTTP requests, background-job traces) — a few days at most, then expire automatically.
Subscriptions and tips
Apple processes in-app purchases through StoreKit; card numbers and billing details never reach hamir. hamir checks your supporter status on-device through StoreKit to unlock benefits — no purchase data is sent to or stored on hamir's servers.
Why each data type is kept (GDPR Article 6)
Account identity, sign-in identities, subscriptions, saved posts: Article 6(1)(b) — necessary to provide the service.
Push token: Article 6(1)(a) — consent. Opt in via the system push dialog, revoke any time.
Anonymous usage events, moderation log, crash reports: Article 6(1)(f) — legitimate interest in measuring product performance, preventing abuse, and maintaining stability, balanced by data minimisation (no user_id on telemetry, anonymized retention on moderation, server-side scrubbing on crashes).
Third parties involved in delivering hamir
Sign-in providers — Apple, Google, GitHub. When you choose one, they handle authentication; hamir keeps the identifier and avatar they share. Any email or name they send is used only to complete sign-in and isn't stored on our servers.
Apple Push Notification service — used only if you've enabled push.
Apple iCloud Keychain + iCloud Key-Value Storage — used for the encrypted on-device profile sync. hamir doesn't see the payload; Apple is the data controller for the sync channel.
Apple StoreKit — handles in-app purchases.
Hosting and infrastructure — a cloud hosting provider in the EU West region runs the servers, databases, and operational logging.
hamir doesn't use third-party analytics SDKs, advertising networks, or data brokers, and shows no App Tracking Transparency prompt — nothing here tracks you across other apps.
Where your data is stored
hamir's servers run in the European Union. Sign-in providers and Apple services process data on their own infrastructure under their own policies; any Apple-side transfers to US infrastructure are covered by Apple's Standard Contractual Clauses with its EU subsidiaries.
If you visit the website
The hamir.app website provides sign-in callback handling, the public instance directory, and these legal pages — there's no web reader UI.
When you visit the site, the server logs the request (IP address, user-agent, path, timestamp) for a few days for operational and abuse-prevention purposes, then those logs expire automatically. There are no third-party analytics, ad trackers, or session-replay tools. There's no third-party CDN — your browser talks to the hosting infrastructure directly.
Your rights
Wherever you live, you can export your data (built-in account export), correct your nickname directly in the app, delete your account via the in-app flow, and withdraw consent for push notifications (toggle them off in iOS Settings or in the app).
When you delete your account, hamir purges all account records (identities, source subscriptions, saved posts, supporter records, push registrations, private sources with credentials, analytics) and invalidates your tokens.
hamir is not for users under 16. If a minor's account is reported, hamir deletes it.
If hamir suffers a data incident that puts your data at risk, hamir notifies affected users within 72 hours of becoming aware, as required under GDPR Article 33, with what happened, what data is involved, and what to do.
GDPR (EU / EEA / UK). If you're in the EU, EEA, or UK, you additionally have access (Article 15), rectification (16), erasure (17), and portability (20) — covered by the export, nickname-edit, and account-delete flows above; restriction or objection to processing (Articles 18 and 21) — email hello@hamir.app; withdrawal of any consent given (Article 7(3)); and the right to lodge a complaint with your local data-protection authority directly.
California (CCPA / CPRA). You also have the rights to know, delete, correct, opt out of sale or sharing (hamir doesn't sell or share for cross-context advertising), limit use of sensitive information (hamir doesn't collect any as California defines it), and non-discrimination for exercising any of these.
Have additional questions? Email hello@hamir.app. Material changes to this policy land in the app or release notes before they take effect.