Privacy Policy
This Privacy Policy explains how HatchCheck may collect, use, share, retain, and protect information when providing pre-submit app checkups.
Version: 0.1-draft
Effective date: 2026-05-04
Last updated: 2026-05-04
Draft for legal review. Controller/business identity, legal bases, state notices, retention periods, and international transfer terms need attorney and business review.
Controller or Business Identity
X&R Ventures LLC, [REGISTERED_ADDRESS], is the controller/business for account, billing, security, support, and site operations unless final legal review says otherwise.
Scope
This policy covers HatchCheck websites, intake flows, checkup projects, uploads, reports, review-note drafts, Agent Fix Packs, support, privacy requests, and related service operations.
Categories Collected
| Category | Details |
|---|---|
| Account info | Name, email, auth/session metadata, role, workspace/account settings. |
| Billing metadata | Plan, order, receipt, payment status, Stripe IDs, entitlement records, webhook metadata. HatchCheck should not store raw card numbers. |
| Project/app info | App name, company, platforms, stack, SDKs, URLs, launch timeline, roles, billing model, AI features, review history, and intake answers. |
| Uploaded artifacts | Screenshots, store drafts, privacy policy text, SDK lists, selected config examples, form screenshots, rejection messages, and artifact metadata. |
| Optional demo credential notes | Local-only placeholders or instructions. HatchCheck does not need to store demo passwords for most findings. |
| Communications/support | Messages, support tickets, privacy requests, security reports, and operator notes. |
| Usage/log/device data | Request metadata, IP-derived safety signals, user agent, timestamps, route events, errors, rate-limit metadata, and audit metadata. |
| Cookies/analytics | Essential cookies or local storage, consent preferences, internal attribution, and analytics/marketing tools only after required consent where applicable. |
| AI processing metadata/output | Prompts or redacted inputs where configured, schema validation results, generated drafts, findings, report text, and task exports. |
Sources and Purposes
Sources include you, your authorized team members, checkout/payment providers, auth/session providers, service logs, uploads, and configured service providers.
Purposes include account access, payment fulfillment, intake, URL/evidence checks, report generation, review-note drafts, support, privacy/security operations, abuse prevention, product reliability, and legal/business recordkeeping.
AI Provider Processing
If HatchCheck uses an AI provider, HatchCheck may send selected or redacted customer content and metadata to that provider to draft or normalize checkup outputs.
- HatchCheck does not train HatchCheck models on customer content without explicit consent.
- AI providers and their data terms must be listed in the Subprocessor Inventory before production use.
- Do not include production secrets, signing credentials, real demo passwords, or unnecessary customer data in AI inputs.
Legal Bases for EU/UK Users
Attorney review required. Potential bases may include contract, legitimate interests, consent, and legal obligations depending on the data and context.
Sharing and Service Providers
HatchCheck may share information with subprocessors that help provide hosting, auth, database, storage, billing, support, email, AI processing, analytics, security, or observability where configured.
- See /subprocessors for detected active and planned providers.
- Sale/share or targeted advertising notice placeholder: [SALE_SHARE_TARGETED_ADVERTISING_POSITION].
- Cookie details are available at /cookies.
Retention
| Record type | Retention |
|---|---|
| Account records | [RETENTION_PERIOD_ACCOUNT] after account closure unless longer retention is needed. |
| Billing/order records | [RETENTION_PERIOD_BILLING] for tax, dispute, fraud, and accounting needs. |
| Projects/reports/findings | [RETENTION_PERIOD_PROJECTS_REPORTS] or until deletion/export workflow applies. |
| Uploaded artifacts | [RETENTION_PERIOD_UPLOADS]. Upload-light mode can avoid raw file storage. |
| Security/audit logs | [RETENTION_PERIOD_AUDIT_LOGS], minimized and redacted where practical. |
| Consent and legal acceptances | [RETENTION_PERIOD_LEGAL_RECORDS] to show preference and agreement history. |
| Privacy requests | [RETENTION_PERIOD_PRIVACY_REQUESTS] for request tracking and audit. |
Security, Choices, and Rights
HatchCheck uses access controls, private storage where configured, upload safety checks, audit metadata, and redaction practices appropriate to the current V1 workflow.
- You can update cookie preferences at /cookies.
- You can submit privacy requests at /privacy-rights.
- Rights may include access, deletion, correction, export, consent withdrawal, sale/share opt-out, and sensitive-information limitation depending on region and applicability.
California, EU/UK, Children, and Transfers
Attorney review required. California notice/table, EU/UK notice, children/minors section, SCC/international transfer language, and applicable thresholds must be finalized before production launch.
- Children/minors: HatchCheck is not intended for children and should not be used to upload children's personal data unless explicitly approved for a later workflow.
- International transfers/SCC placeholder: [SCC_AND_TRANSFER_LANGUAGE].
- California notice placeholder: [CCPA_CPRA_NOTICE_TABLE_AND_APPLICABILITY].
Changes and Contact
Questions or requests: [LEGAL_EMAIL]. Support: support@hatchcheck.com.
