Privacy policy

Personalization runs on your device. What hamir learns about your reading — the topics you engage with, the feeds you keep, what you skip — stays encrypted on your iPhone and syncs between your Apple devices through iCloud Keychain. Nothing about that profile reaches hamir's servers by default.

What does reach the server is the minimum to make the app work: your account, the sources you follow, and a small amount of anonymous usage telemetry. Saved posts and interaction history sync to the server only if you opt in (Settings → Storage → Sync), so the same profile can follow you to a device on another platform.

hamir is built by one person. hamir doesn't and never will track you for marketing or display ads.

Your reading profile — the topics, tags, domains, and feeds you engage with, and what you skip — is built from your taps and swipes. It's encrypted with AES-GCM-256, the key lives in iOS Keychain, and the encrypted payload syncs between your Apple devices via iCloud Keychain. Apple's end-to-end encryption means neither Apple nor hamir can read it.

Skips stay on-device. The API rejects skip writes at the boundary, so a modified client can't route them through either. When the app fetches new posts it sends a transient list of recent post IDs to exclude — those aren't persisted.

If you turn on cross-platform sync (Settings → Storage → Sync), your interaction history is written to hamir's server in plaintext so clients on other platforms in your account can read the same profile. It's tied to your account and wiped on account deletion. Turning sync off later wipes the server copy too. Deleting the app or signing out of iCloud wipes the on-device copy.

hamir doesn't train models on your reading behaviour or skip history. The topic classifier is trained on labelled articles, not on user activity.

Each entry below lives only as long as your account does, unless noted otherwise.

Account identity — a server-generated UUID, your nickname, and an avatar URL if your sign-in provider sends one.

Sign-in identities — one record per provider you've used (Apple, Google, GitHub): the provider's stable ID, the email it returns, and the avatar URL. That ID is how hamir recognises you when you sign back in. The email is refreshed each sign-in and used to flag duplicate-account abuse.

Subscriptions — the feeds and sources you've added.

Saved posts (opt-in sync) — on-device by default; if you turn on sync, the list also lives on the server.

Push token (opt-in) — the APNs token, only if you've enabled push notifications. Cleared on logout or when you turn notifications off.

Anonymous usage events — impressions, screen views, time-on-card. Stored without a user_id column, so rows can't be re-linked to you after insert. Auto-deleted after 180 days.

Moderation log — attempts to add blocked sources, linked to the account that made the attempt; used only for abuse prevention. Retained up to 2 years; on account deletion the user attribution is removed and only the anonymized row stays.

Crash and error reports — stack traces sent to a self-hosted error tracker, with user identifiers, request headers, and cookies scrubbed server-side before the report leaves the infrastructure. No third-party vendor receives this data. Retained at the discretion of the tracker (a few hundred days by default).

Operational logs (HTTP requests, background-job traces) — a few days at most, then expire automatically.

Account identity, sign-in identities, subscriptions, saved posts: Article 6(1)(b) — necessary to provide the service.

Push token: Article 6(1)(a) — consent. Opt in via the system push dialog, revoke any time.

Anonymous usage events, moderation log, crash reports: Article 6(1)(f) — legitimate interest in measuring product performance, preventing abuse, and maintaining stability, balanced by data minimisation (no user_id on telemetry, anonymized retention on moderation, server-side scrubbing on crashes).

Sign-in providers — Apple, Google, GitHub. When you choose one, they handle authentication; hamir receives only the identifier and email they share, plus any name or avatar.

Apple Push Notification service — used only if you've enabled push.

Apple iCloud Keychain + iCloud Key-Value Storage — used for the encrypted on-device profile sync. hamir doesn't see the payload; Apple is the data controller for the sync channel.

Hosting and infrastructure — a cloud hosting provider in the EU West region runs the servers, databases, and operational logging.

hamir doesn't use third-party analytics SDKs, advertising networks, or data brokers, and doesn't show iOS App Tracking Transparency prompts because there's nothing to track you across other apps with.

hamir's servers run in the European Union (EU West region). If you're in the EU or UK, your data doesn't normally leave the EU. Sign-in providers process authentication on their own infrastructure under their own policies; the same is true for Apple's push and iCloud services. If you email hello@hamir.app, your message will be processed wherever the mail provider routes it. Where hamir's Apple-side processing (sign-in, push, iCloud Keychain) routes through Apple's US infrastructure, those transfers are covered by Apple's Standard Contractual Clauses with its EU subsidiaries.

The hamir.app website provides sign-in callback handling, the public instance directory, and these legal pages — there's no web reader UI.

When you visit the site, the server logs the request (IP address, user-agent, path, timestamp) for a few days for operational and abuse-prevention purposes, then those logs expire automatically. There are no third-party analytics, ad trackers, or session-replay tools. There's no third-party CDN — your browser talks to the hosting infrastructure directly.

Wherever you live, you can export your data (built-in account export), correct your nickname directly in the app, delete your account via the in-app flow, and withdraw consent for push notifications (toggle them off in iOS Settings or in the app).

When you delete your account, hamir purges account records, identities, subscriptions, saved posts, push registrations, private sources you added with their stored credentials, and analytics data, and invalidates your tokens.

hamir is not for users under 16. If a minor's account is reported, hamir deletes it.

If hamir suffers a data incident that puts your data at risk, hamir notifies affected users within 72 hours of becoming aware, as required under GDPR Article 33, with what happened, what data is involved, and what to do.

GDPR (EU / EEA / UK). If you're in the EU, EEA, or UK, you additionally have access (Article 15), rectification (16), erasure (17), and portability (20) — covered by the export, nickname-edit, and account-delete flows above; restriction or objection to processing (Articles 18 and 21) — email hello@hamir.app; withdrawal of any consent given (Article 7(3)); and the right to lodge a complaint with your local data-protection authority directly.

California (CCPA / CPRA). Under California's privacy laws you additionally have the right to know what personal information hamir has (the sections above are the standing answer — email for a specific record), the right to delete (use in-app deletion), the right to correct (your nickname is editable), the right to opt out of sale or sharing for cross-context behavioural advertising (hamir doesn't sell or share for that purpose, but the right exists), the right to limit use of sensitive personal information (hamir doesn't collect any as defined by California law), and the right to non-discrimination for exercising any of these.

Have additional questions? Email hello@hamir.app. Material changes to this policy land in the app or release notes before they take effect.