Privacy Policy

Effective: May 7, 2026

1. Introduction

Hexys ("we," "us," "our") is a pornography recovery application designed for adults aged 18 and older. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use the Hexys mobile application and website (collectively, the "Service"). We are committed to protecting your privacy with zero-knowledge architecture wherever technically possible, and to being honest about where that architecture does and does not apply.

2. Information We Collect

We collect the following categories of data:

  • Email address: required for account authentication via magic link
  • Display name: optional. Visible only to you and Arcos. Never shown in the community or pods.
  • Anonymous usage analytics: collected via PostHog (privacy-respecting, no cross-site tracking) to understand feature usage patterns
  • Encrypted journal ciphertext: your journal entries are encrypted on your device using AES-256 encryption before transmission. We store only ciphertext. We cannot decrypt or read your journal entries.
  • Encrypted urge and relapse notes: any free-text notes you add when logging an urge or a relapse are encrypted on your device using the same AES-256-GCM system before transmission. We store only ciphertext.
  • Recovery event data: when you log a check-in, urge, or relapse, we store the event timestamp, streak count, mood (a single word such as "good" or "okay"), urge intensity level (a number from 1 to 5), and any trigger categories you select (such as "Stress" or "Late night"). These categorical fields are stored in plaintext. Free-text notes are encrypted as described above.
  • Subscription status: whether you are on the Free or Core plan
  • Push notification tokens: device tokens for sending streak reminders and recovery prompts
  • Device type: iOS or Android, used for platform-specific features
  • Arcos conversation history: messages you send to Arcos and the responses Arcos generates are stored server-side in plaintext to enable conversation context across sessions. Unlike journal entries, Arcos conversations are not zero-knowledge encrypted because Arcos requires access to prior messages to generate relevant responses. Arcos conversation history is deleted when you delete your account.
  • Crisis indicators: if Arcos detects crisis-related language in a message, we log the matched keywords and create a flag record for internal review. You are immediately provided with crisis resources including the 988 Suicide and Crisis Lifeline and Crisis Text Line.
  • XP and achievement data: experience points earned and achievements unlocked, stored to power the progression system.

3. Information We Do Not Collect

  • Real name: your display name is optional and visible only to you and Arcos
  • Location data: we do not request or store GPS, IP-based location, or any geolocation data
  • Browsing history: on iOS, the Safari Content Blocker runs locally on your device using Apple's Content Blocker API. On Android, content blocking uses a local VPN-based DNS filter that runs entirely on your device. Neither platform reports your browsing activity to our servers
  • Contacts: we never access your phone contacts
  • Journal content: journals are encrypted on-device before transmission. We store only ciphertext

4. Companies that process data on our behalf

We use the following third-party sub-processors:

  • Supabase: database hosting and authentication (EU/US servers). Stores account data, ciphertext journal entries, and community content.
  • RevenueCat: subscription management and payment processing coordination. Does not have access to journal content or recovery data.
  • PostHog: privacy-respecting product analytics. Sets a first-party analytics cookie on the Hexys website that does not track you across other sites. Event-level usage data (such as which features are used) is collected but is not linked to identifying content from your journal or your conversations with Arcos.
  • Resend: Resend processes transactional email delivery on our behalf. This includes account verification, password reset emails, accountability partner digests, and other product communications you have opted into. Resend processes only the email address and message content needed to deliver the email, and does not retain or use this data for any other purpose.
  • Anthropic: Anthropic processes prompts and responses for the Arcos companion feature. Anthropic's commercial API operates on a zero-retention basis for our prompts and Arcos's responses, meaning your conversations are not retained by Anthropic, are not used to train Claude or any other model, and are deleted within 30 days of processing. Anthropic does not have access to your account, your journal, or any data you have not explicitly shared with Arcos in conversation.
  • Sentry: Sentry processes anonymized error and crash telemetry on our behalf for the Hexys mobile applications. When the app encounters an error, Sentry receives a stack trace, the device model, the operating system version, and the version of the Hexys app. Sentry does not receive your journal contents, your conversations with Arcos, your check-in details, or any other personally identifying content. We use this data solely to identify and fix bugs.
  • Apple App Store and Google Play: handles payment processing for subscriptions. We do not store credit card or payment information.

5. Zero-Knowledge Architecture

Zero-knowledge encryption means that data is encrypted on your device before it reaches our servers. We store only ciphertext. We hold no decryption key and cannot read the content, even if compelled to do so.

The encryption key for your journal entries and free-text notes is derived on your device from a 12-word recovery phrase using BIP39, an open industry standard. Key derivation uses PBKDF2-HMAC-SHA256 with 210,000 iterations. The phrase is generated on your device when you first write encrypted content, shown to you once, and is never transmitted to our servers or stored anywhere outside your device. Because we never see the phrase, we cannot help you recover your encrypted content if you lose it. This is by design: a phrase we could recover would be a phrase we could be compelled to surrender. If you lose your phrase, you can generate a new one and start fresh, but any prior encrypted entries will become permanently unreadable.

The following data is protected by zero-knowledge encryption in Hexys:

  • All journal entries
  • Free-text notes attached to urge and relapse logs

The following data is stored server-side and is not zero-knowledge encrypted:

  • Arcos conversation messages (required for conversation history and context)
  • Recovery event metadata: mood, urge intensity, trigger category selections, and timestamps
  • Streak counts and check-in history
  • Community posts and pod messages

We believe in being specific rather than making broad privacy claims that do not reflect the technical reality of every feature.

6. Minors and COPPA Compliance

Hexys is intended for users 18 years of age and older. Users under 18 are prohibited from creating an account. We implement age-gating at onboarding through date of birth verification, and accounts that do not meet the minimum age requirement are blocked from being created.

If we discover that an account was created by a person under 18, including via false date-of-birth information, we will terminate that account and delete all associated data within 30 days of discovery. Parents or guardians who believe their child has created an account may contact us at privacy@hexys.app for immediate account removal.

7. Your Privacy Rights

Your rights depend on where you live. Across all regions, you can export your data and delete your account at any time from the Settings screen within the app. The subsections below describe the specific protections that apply to residents of certain jurisdictions.

EEA residents (GDPR)

If you are a resident of the European Economic Area, the General Data Protection Regulation gives you the following rights regarding your personal data:

  • Right to access: you can export all your data from the Settings screen within the app
  • Right to deletion: you can delete your account from Settings. All associated data (including ciphertext journal entries, Arcos conversation history, streak data, community posts, and account information) will be permanently deleted within 30 days of your request.
  • Right to rectification: you can update your account information at any time within the app
  • Right to portability: data export is available in standard formats from Settings
  • Right to object or restrict: you may object to or request restriction of processing by emailing privacy@hexys.app

California residents (CCPA and CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you the right to know what personal information we collect about you, the right to request access to and deletion of that information, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise any of these rights, email privacy@hexys.app.

Texas residents

If you are a resident of Texas, the Texas Data Privacy and Security Act (TDPSA) gives you specific rights regarding your personal data. You have the right to access the personal data we hold about you, correct inaccuracies in that data, request deletion of your data, request a portable copy of your data, and opt out of any sale of your data or use of your data for targeted advertising. We do not sell personal data and we do not use personal data for targeted advertising. To exercise any of these rights, email privacy@hexys.app.

Other US state privacy rights

If you are a resident of a US state with a comprehensive privacy law (including but not limited to Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Iowa, Tennessee, Indiana, and Delaware), you may have rights similar to those described above for Texas residents. These rights typically include access, correction, deletion, portability, and opt-out of sale or targeted advertising. We do not sell personal data. To exercise these rights, email privacy@hexys.app and identify your state of residence.

EU representative (GDPR Article 27)

Under GDPR Article 27, non-EU companies that process personal data of EU residents may be required to designate an EU representative. If we determine that the volume or nature of EU resident data we process triggers this requirement, we will publish our designated representative's contact information on this page. EEA residents may always reach us directly at privacy@hexys.app for any privacy-related request.

8. Cookies and Similar Technologies

The Hexys mobile applications do not use web cookies. The Hexys website (hexys.app) uses only essential cookies necessary for site functionality, such as preserving your authentication state if you sign in to access your subscription, plus a first-party PostHog analytics cookie that does not track you across other websites. We do not use advertising cookies, third-party tracking pixels, or any cross-site tracking technology on our website.

9. Account Deletion and Data Retention

We retain your account data for as long as your account is active. If you request account deletion, all associated data (including ciphertext journal entries, Arcos conversation history, streak data, community posts, and account information) will be permanently deleted within 30 days of the deletion request. Anonymous, aggregated analytics data that cannot be traced back to any individual may be retained indefinitely.

10. Security

We implement the following security measures:

  • AES-256-GCM client-side encryption for all journal entries and free-text urge and relapse notes before transmission, with keys derived from a user-held BIP39 phrase via PBKDF2-HMAC-SHA256 (210,000 iterations)
  • TLS encryption for all data in transit
  • Row Level Security (RLS) on all database tables to enforce access control at the database level
  • Supabase auth with magic link authentication (no passwords stored)
  • Biometric lock option for journal access within the app
  • Screen capture prevention for sensitive screens

11. Data Breach Notification

If we become aware of a security breach affecting your personal data, we will notify you within 72 hours of confirming the breach. Notification will include the nature of the breach, the data affected, the steps we have taken to contain it, and the steps you can take to protect yourself. We will also notify the appropriate regulatory authorities as required by law, including the Texas Attorney General if more than 250 Texas residents are affected.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and, where possible, via in-app notification. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Governing Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the State of Texas, United States, without regard to conflict of law principles.

14. Contact Us

If you have questions about this Privacy Policy or your data, contact us at: privacy@hexys.app