Privacy Policy

Hawser is a Windows desktop application built and operated by Cook Impact Software LLC ("we," "us," "our") that helps you stay focused by quietly observing what you're doing on your computer and gently reminding you when you drift off-task. This policy explains what we collect, why we collect it, and how it's stored.

Plain-English summary: Almost everything Hawser knows about you stays on your own computer. We collect the minimum needed to run your account and your subscription. Screenshots never leave your machine unless you explicitly opt in. We do not sell your data and we do not run ad tracking.

1. What we collect

1a. Information you give us directly

• Account email and password. Required to create an account. Your password is stored as a one-way PBKDF2 hash with a per-user random salt - we cannot see or recover your original password.
• Daily missions, chat messages, profile facts. When you talk to the in-app AI companion or set a daily mission, that content is processed to generate responses and may be retained locally in your app's database to provide context across sessions.
• Partner program application data. If you apply for the Partner Program, the information you submit (name, email, optional URL, why-you-want-to-join text) is stored so we can review your application.
• Support and feedback. When you send feedback or contact support, we receive whatever you choose to include.

1b. Information collected automatically

• App usage telemetry. Active window titles, app names, and approximate focus/distraction durations - kept locally in a SQLite database on your machine to power your daily summary. This data is not transmitted off your computer in normal operation.
• Screenshots (optional, opt-in). By default Hawser analyzes your screen entirely on your local machine. If you enable cloud AI mode, screenshots may be sent to Anthropic for analysis as part of an API request. They are not retained beyond the duration of the request.
• Voice transcription (optional). If you use cloud voice input, the short audio clip you record is sent through our backend to OpenAI for speech-to-text. It is not stored by us, and per OpenAI's API terms is not used to train their models. You can switch to on-device transcription in Settings so audio never leaves your computer.
• Crash and error reports. If Hawser crashes, a minimal error report (stack trace, app version, OS version) may be sent to help us diagnose the bug. We do not include screenshots or window titles in error reports.
• Session metadata. When you sign in on the website or in the app, we store a session token plus the approximate sign-in time so that we can keep you signed in and recognize unusual activity.

1c. Information collected by Stripe (payments)

Payment card data is collected directly by Stripe on Stripe-hosted pages. We never see your full card number. We receive only the Stripe customer ID, subscription status, last-four digits of the card on file, and billing email, which we use to manage your subscription.

2. Where your data lives

• On your computer: activity logs, screenshots (unless you opt in to cloud mode), chat history, daily missions, profile facts. All in a SQLite database under your local Windows user profile.
• Cloudflare Workers KV (United States): account record (email + hashed password + metadata), active sessions, Stripe customer ID, license token, partner program applications.
• Stripe (United States): payment details, billing history, subscription status.
• Resend (United States): outbound transactional emails (sign-in confirmations, magic links, partner approval notices).
• Anthropic (United States): chat messages and (if you opt in) screenshots, processed at the time of each API call. We do not opt into Anthropic's training data use; per Anthropic's commercial terms your data is not used to train their models.
• OpenAI (United States): voice-dictation audio, processed at the time of each transcription request when you use cloud voice input. Not retained beyond the request; not used to train their models per OpenAI's API terms.

International transfers. Our infrastructure and the vendors above are based in the United States. If you use Hawser from the European Economic Area or the United Kingdom, your personal data is transferred to the US under the Standard Contractual Clauses or another lawful transfer mechanism. If you would rather no data leave your device at all, use Fully Local AI mode in Settings, where chat and screenshots are processed entirely on your own machine.

3. Why we collect what we collect

• To run your account and subscription (email, password hash, Stripe customer ID, license token, session tokens).
• To give Hawser the context it needs to actually help you (daily missions, chat history, profile facts - kept locally on your machine).
• To respond to your messages (chat content sent to Anthropic in cloud mode).
• To fix bugs (crash reports).
• To review partner program applications (application data).

We do not sell personal data. We do not use it for advertising. We do not run ad-network tracking pixels on this website.

3a. Legal basis for processing (GDPR)

If you are in the EEA or UK, our legal bases under Article 6 GDPR are:

• Contract: running your account and subscription and providing the focus features you signed up for.
• Legitimate interests: keeping the service secure, preventing abuse, fixing bugs, and the local activity monitoring that makes Hawser work - balanced against your privacy by keeping that data on your device by default.
• Consent: optional features you switch on yourself, such as cloud screenshot analysis, cloud voice transcription, and anonymous usage statistics. You can withdraw consent at any time in Settings.
• Legal obligation: keeping limited payment and tax records as required by law.

4. Third-party services

We rely on a small number of vendors to operate Hawser. Each has its own privacy practices:

• Stripe - payment processing
• Cloudflare - account storage (Workers KV), website hosting (Pages)
• Resend - transactional email delivery
• Anthropic - AI inference (cloud mode only)
• OpenAI - cloud voice transcription (when you use cloud voice input)
• Sentry - crash and error diagnostics (when crash reporting is enabled)

These vendors act as our data processors: each processes personal data only on our instructions, and may engage its own subprocessors as described in its policy. We do not sell personal data to any of them. A current list of subprocessors is available on request from [email protected].

5. How long we keep your data

• Account records: retained for as long as your account exists, plus a short retention window after deletion for legal and accounting purposes.
• Sessions: automatically expire (typically 30 days) and are deleted from our storage.
• Magic-link tokens: 15-minute expiry, deleted on use.
• Local SQLite data: stays on your computer until you delete it (in-app "Wipe all data" or by uninstalling Hawser).
• Partner program applications: kept indefinitely for record-keeping unless you request deletion.

6. Your rights

You can, at any time:

• See what's on your computer: open Hawser → Settings → Data & Privacy.
• Wipe local data: Settings → Data & Privacy → "Wipe all data."
• Cancel your subscription: Account → Manage Subscription.
• Delete your account: in Hawser, open Settings → Account → "Delete my account." This immediately deletes your account from our servers and cancels your subscription, then offers to erase your on-device data too. You can also email [email protected] and we will delete your account record, sessions, and partner application within 30 days. Limited records we are legally required to keep (for example, tax records for completed payments) may be retained as required.
• Get a copy of your data: for the data on our servers, open Settings → Account → "Export my data" (downloads a JSON file), or email support. For the data on your computer, use Settings → Data & Privacy → "Export My Data."

If you are in the European Economic Area, the United Kingdom, or California, you have additional rights under GDPR and CCPA, including the right to object to processing, the right to data portability, and the right to lodge a complaint with your local data protection authority. Email support to exercise any of these.

7. Security

Passwords are hashed with PBKDF2 (salted, many iterations) before storage - we cannot read your password. All connections between Hawser and our backend use HTTPS. Session tokens are stored in Windows Credential Manager on your device. For extra protection you can turn on at-rest encryption of your local Hawser data in Settings → Privacy (note: if you lose access to your Windows account, encrypted local data cannot be recovered). Despite this, no system is perfectly secure. If we ever become aware of a breach affecting your account, we will notify you by email without undue delay.

8. Children

Hawser is not directed at and is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected data from a child, contact us and we will delete it.

9. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. If the changes are material, we will additionally notify you by email. Continuing to use Hawser after changes take effect means you accept the updated policy.

10. Contact & data controller

Hawser is operated by Cook Impact Software LLC (Idaho, USA), the data controller for the personal data described in this policy.

Questions about this policy, or to exercise any of your rights (access, deletion, portability, objection), email [email protected] with the subject "Data Rights Request." We respond within 30 days. If you are in the EEA or UK and are not satisfied with our response, you may lodge a complaint with your local data protection authority.