Trust & Security
HatchCheck is designed around upload-light app launch evidence, private-by-default artifacts, local-only options for credentials, and conservative trust boundaries.
Version: 0.1-draft
Effective date: 2026-05-04
Last updated: 2026-05-04
Draft for legal review. HatchCheck should not claim SOC 2, HIPAA, ISO, or similar certification unless actually completed.
Beta Trust Boundaries
- HatchCheck does not guarantee Apple App Store or Google Play approval and is not legal advice.
- Users are responsible for final submission decisions, official declarations, app behavior, and legal review.
- Beta limitations apply; findings are based on the evidence provided and unverified areas remain marked not verified.
- Limit sensitive evidence uploads to what is needed. Do not upload private keys, signing certificates, production env files, production secrets, customer data, or real demo passwords.
- Support, security reports, deletion, and export each have their own contact path (support, security, data requests, and privacy requests).
Useful Materials
- Screenshots.
- Store listing drafts.
- Privacy policy text.
- SDK lists.
- Selected config files.
- App Store/Google Play form screenshots.
Do Not Upload
- Private keys, certificates, signing credentials, production .env files, customer data, production secrets, and real demo passwords.
- App builds or binaries unless a later workflow explicitly supports them.
- Provider tokens, service account keys, raw production logs, or unnecessary full repositories.
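As an added illustration of the list above (not HatchCheck's own tooling), the following local pre-upload screen refuses files that match the artifact classes named here. The filename and content patterns are illustrative assumptions, not a complete secret-detection ruleset, and the sample files in the usage block are constructed for the example.

```python
import json
import re
from pathlib import PurePosixPath

# Filename patterns for artifacts that should never leave the developer's machine.
# Assumption: these extensions cover the common iOS/Android signing material.
BLOCKED_NAME_PATTERNS = [
    (re.compile(r"(^|/)\.env(\..+)?$"), "env file"),
    (re.compile(r"\.(p12|pfx|jks|keystore|mobileprovision)$", re.I), "signing credential"),
    (re.compile(r"\.(pem|key|p8)$", re.I), "private key file"),
    (re.compile(r"\.(apk|aab|ipa)$", re.I), "app build/binary"),
]

# Content signatures for secrets that can hide inside otherwise acceptable files
# (a config snippet, a pasted log line). Illustrative, not exhaustive.
BLOCKED_CONTENT_PATTERNS = [
    (re.compile(r"-----BEGIN (RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"), "private key"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AWS access key id"),
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), "GitHub token"),
    (re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"), "Slack token"),
]


def screen_upload(path: str, content: bytes) -> list:
    """Return the reasons this file must not be uploaded; an empty list means it passed."""
    reasons = []
    posix = PurePosixPath(path).as_posix()
    for pattern, label in BLOCKED_NAME_PATTERNS:
        if pattern.search(posix):
            reasons.append(f"{label} by filename: {posix}")
    text = content.decode("utf-8", errors="replace")
    for pattern, label in BLOCKED_CONTENT_PATTERNS:
        if pattern.search(text):
            reasons.append(f"{label} found in content")
    # Google service account key files have a recognisable JSON shape:
    # "type": "service_account" plus an embedded "private_key".
    if posix.endswith(".json"):
        try:
            doc = json.loads(text)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
            reasons.append("service account key file")
    return reasons


if __name__ == "__main__":
    # Constructed sample files for the example.
    samples = {
        "sdk-list.txt": b"firebase\nsentry\n",
        "config/.env.production": b"API_URL=https://api.example.test\n",
        "notes.txt": b"staging key: AKIAABCDEFGHIJKLMNOP\n",
    }
    for name, body in samples.items():
        verdict = screen_upload(name, body)
        print(name, "->", "OK to upload" if not verdict else "; ".join(verdict))
```

Run this over the evidence folder before uploading; anything it flags stays local, and the regexes are only a floor, so a pasted demo password or customer record still needs a human look.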
Credential Handling
Demo credentials (the reviewer login for a test account) can stay on your machine; you paste them into the store's review notes yourself when you submit. HatchCheck does not need to store demo credentials to generate most findings.
Storage, Access, Retention, and Audit
- Uploads should be private by default and accessed through authorized routes or signed URLs where implemented.
- Retention periods and deletion controls are documented; while deletion automation matures, support handles deletion requests manually.
- Admin access should be restricted to authorized operational needs.
- Sensitive file access should be audited where implemented.
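As an added example of the signed-URL access path mentioned above (this is not HatchCheck's implementation), the following code issues a time-limited link bound to one object path and verifies it on the way back in. The signing secret, base URL and parameter names are assumptions; the secret would live server-side only.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: held by the file service only, never shipped to a client.
SIGNING_SECRET = b"rotate-me-server-side-only"


def _mac(path: str, expires: int, secret: bytes) -> str:
    """HMAC over the object path and expiry so neither can be altered independently."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(base: str, path: str, ttl_seconds: int,
             now: Optional[int] = None, secret: bytes = SIGNING_SECRET) -> str:
    """Build a URL for `path` that stops working after `ttl_seconds`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(path, expires, secret)})
    return f"{base}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None,
               secret: bytes = SIGNING_SECRET) -> Tuple[bool, str]:
    """Check expiry first, then the signature, using a constant-time compare."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed signature parameters"
    if now >= expires:
        return False, "link expired"
    expected = _mac(parts.path, expires, secret)
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed example: a 5-minute link for one user's screenshot.
    link = sign_url("https://files.example.test", "/uploads/u1/screenshot.png", 300, now=1000)
    print(link)
    print(verify_url(link, now=1100))                      # within TTL
    print(verify_url(link, now=1300))                      # expired
    print(verify_url(link.replace("/u1/", "/u2/"), now=1100))  # path swapped, MAC fails
```

The path is part of the signed message, so a link for one upload cannot be rewritten to reach another user's file, and the expiry is signed as well, so it cannot be extended client-side.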
Training, Incidents, and Links
- HatchCheck does not train its models on customer content without explicit consent.
- Security contact: [SECURITY_EMAIL].
- Related pages: /privacy, /dpa, /subprocessors, /terms, /acceptable-use.
