Privacy Policy

Overview

WeaveHub Technologies LLC ("WeaveHub", "WeaveHub Technologies", "we", "our") develops software products including PocketSync (formerly HealthSync), PocketNOC, PocketSOC, PocketIntel, PocketForge, and WeaveLedger. This Privacy Policy covers data practices across all WeaveHub products and the weavehub.app website. Each product also has its own product-specific privacy policy with additional details.

Product-Specific Privacy Policies

For detailed data handling practices specific to each product, please refer to:

• PocketNOC (SolarWinds infrastructure monitoring): pocket-noc.com/privacy
• PocketSOC (Security alert aggregation): pocketsoc.com/privacy
• PocketIntel (Cybersecurity intelligence aggregation): pocketintel.weavehub.app/privacy
• PocketForge (Multi-hypervisor management for VMware, Nutanix, Proxmox): /pocketforge/privacy
• PocketVM (Vulnerability management for Tenable, Qualys, Rapid7): /pocketvm/privacy
• PocketOps (Cloudflare & Fastly CDN/DNS/WAF management): /pocketops/privacy
• PocketSync (Apple Health streaming and Cloud Sync): /pocketsync/privacy
• PocketPorts (Ownership-verified personal network port scanner): /pocketports/privacy
• WeaveLedger (Self-hosted expense tracking, receipt scanning, financial analytics): /weaveledger/privacy

Where a product-specific policy conflicts with this umbrella policy, the product-specific policy prevails for that product.

Data WeaveHub Collects Across Products

Across the WeaveHub family, we collect a small, common set of identifiers and operational signals. The exact data depends on the product; the product-specific policies linked above describe each in detail.

• Account identifiers: Email addresses (where supplied), device identifiers (iOS Vendor ID, Android ID), UUID device IDs, and user IDs.
• Subscription & licensing data: Apple App Store, Google Play, and (for some products) Stripe transaction identifiers and subscription status. We do not store credit card numbers; payment is handled entirely by the store or by Stripe.
• Push notification tokens: Apple APNs and Google FCM tokens for alert and sync-completion delivery.
• Anonymous usage analytics: Firebase Analytics signals (app opens, screen views, feature usage) where enabled. User-configurable in product settings.
• Product-specific data: See each product-specific policy for the categories of data that product handles — for example, OAuth tokens and Cloud Sync file/contact/calendar data in PocketSync, infrastructure credentials in PocketForge / PocketVM / PocketOps, scan metadata in PocketPorts.

Where to Read Each Product's Data Practices

Each product's data flows are described in detail in its product-specific privacy policy linked above. A one-line summary:

• PocketSync — HealthKit metrics streamed on-device to your configured destinations; Cloud Sync stores encrypted OAuth tokens and routes files/contacts/calendars through WeaveHub infrastructure. See /pocketsync/privacy and the PocketSync DPA.
• PocketForge / PocketStack — Hypervisor data fetched directly from your servers; infrastructure data never reaches WeaveHub. See /pocketforge/privacy.
• PocketVM — Tenable / Qualys / Rapid7 API tokens stored only on your device; scan data fetched directly from your VM platform. See /pocketvm/privacy.
• PocketOps — Cloudflare / Fastly API tokens stored only on your device; CDN/DNS/WAF data fetched directly from the provider. See /pocketops/privacy.
• PocketPorts — Ownership-verified host and scan metadata; results stored on WeaveHub infrastructure. See /pocketports/privacy.
• WeaveLedger — Self-hosted: financial data lives on your Cloudflare account; WeaveHub never sees it. See /weaveledger/privacy.
• PocketIntel, PocketSOC, PocketNOC — Hosted on dedicated product domains. See the product-specific links above.

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data under the following legal bases:

• Performance of a contract (Article 6(1)(b)): Processing necessary to provide the PocketSync service you requested, including Cloud Sync operations, Health Data Streaming, and account management.
• Legitimate interests (Article 6(1)(f)): Anonymous analytics to improve our products and services, provided these interests are not overridden by your data protection rights.
• Consent (Article 6(1)(a)): Where you explicitly authorize access to HealthKit data or cloud storage accounts through OAuth.

For WeaveLedger, we process subscription and licensing data under performance of a contract (Article 6(1)(b)). WeaveHub does not process your financial data and is not a data controller or processor for data stored on your self-hosted instance.

Automated Processing

PocketSync Cloud Sync runs scheduled sync jobs automatically (approximately every 5 minutes when active). These automated processes access your connected cloud accounts, compare metadata to detect changes, and transfer new or modified files, contacts, or calendar events between providers as configured in your sync job. No human review of your data occurs during this process. You can pause or delete sync jobs at any time within the app. No automated decision-making or profiling as defined under GDPR Article 22 is performed.

Data Storage & Protection

• PocketSync Health Data Streaming: No Google Sheets user data or HealthKit data is stored on our servers. Google Sheets access is via OAuth over HTTPS.
• PocketSync Cloud Sync: OAuth tokens and CardDAV/CalDAV credentials for connected providers are encrypted with AES-256-GCM and stored in a Cloudflare D1 database. API keys are hashed with SHA-256 before storage. Files in transit are temporarily held in a Cloudflare R2 buffer bucket and automatically deleted within 1 hour. Contact and calendar data is held in memory or temporary storage during transfer. File metadata, contact/calendar sync state, and sync history are stored in Cloudflare D1. All API communication uses HTTPS via a Cloudflare Worker.
• PocketNOC: SolarWinds credentials are stored exclusively on your device in platform-native secure storage (iOS Keychain / Android EncryptedSharedPreferences). License data is stored on Cloudflare infrastructure with encryption at rest.
• PocketSOC: Vendor API credentials are encrypted with AES-256-GCM at rest. All communications use TLS encryption.
• All products: Sensitive data is protected using industry-standard encryption in transit (TLS) and at rest.

Data Retention & Deletion

• PocketSync Health Data Streaming: WeaveHub retains no HealthKit or Google Sheets data on its servers. Revoke Google Sheets access at any time in your Google account settings.
• PocketSync Cloud Sync: When you disconnect a cloud account, we delete the corresponding encrypted OAuth tokens or CardDAV/CalDAV credentials from our database. Deleting a sync job deletes all associated file metadata, contact/calendar sync state, sync history, and any data on WeaveHub servers associated with that job. Files in the R2 transfer buffer are automatically deleted within 1 hour regardless of account status. Database backups that may contain Cloud Sync data are retained for 30 days and then permanently deleted. You may also revoke PocketSync's access directly through your cloud provider's app permissions settings (e.g., Google Account, Microsoft Account, Dropbox Settings, Box Account). Device identifiers can be removed by uninstalling the app.
• PocketNOC: Licensing data is retained while your license is active. Deleted upon verified request or license expiration.
• PocketSOC: Account data is retained while active. Alert metadata is transient and not persistently stored beyond operational necessity.
• All products: You may request deletion of your data at any time by contacting us. We will respond to deletion requests within 30 days.

Third-Party Service Providers

Depending on which product(s) you use, data may be processed by:

• Cloudflare, Inc. — Hosting, Workers runtime, D1 database, R2 object storage
• Apple Inc. — Push notifications (APNs), App Store distribution
• Google LLC — Firebase Analytics, Cloud Messaging (FCM), Play Store distribution, Google Drive API, Google Contacts API, Google Calendar API (PocketSync Cloud Sync), Google Sheets API (PocketSync Health Data Streaming)
• Microsoft Corporation — OneDrive, Outlook Contacts, Outlook Calendar / Microsoft Graph API (PocketSync Cloud Sync)
• Dropbox, Inc. — Dropbox API (PocketSync Cloud Sync)
• Box, Inc. — Box API (PocketSync Cloud Sync)
• CardDAV/CalDAV providers — Any user-configured CardDAV or CalDAV server for contact and calendar sync (PocketSync Cloud Sync). The specific provider depends on your configuration.
• Stripe, Inc. — Payment processing
• OpenAI, LLC — AI content summarization via Cloudflare AI Gateway (PocketIntel). Only publicly available article content is sent; no user personal data is transmitted.

These providers process data only as necessary to perform services on our behalf.

International Data Transfers

WeaveHub is based in the United States. Where personal data originating from the EEA, UK, or Switzerland is processed, we rely on the EU Commission's Standard Contractual Clauses (SCCs) for appropriate safeguards. See product-specific DPAs for details: PocketNOC DPA | PocketSOC DPA | PocketSync DPA.

For PocketSync Cloud Sync, WeaveHub acts as a data processor when handling files, contacts, calendars, and metadata on your behalf. Our sub-processors include:

• Cloudflare, Inc. (United States) — Workers compute, D1 database, R2 object storage
• Google LLC (United States) — Firebase Cloud Messaging

Website Analytics

Our website (weavehub.app) uses analytics to understand visitor traffic and improve the site experience. Analytics may collect:

• Usage data: Pages visited, session duration, and referral source
• Device information: Browser type, operating system, and screen resolution
• Identifiers: Anonymous, randomly generated identifiers not linked to your name, email, or any personal account

Website analytics does not collect personally identifiable information and is not linked to any app data.

Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your personal data.

• EU/EEA/UK residents (GDPR): You have the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data. For PocketSync Cloud Sync, you may request export of your sync job configurations and sync history in machine-readable format (JSON). See our DPAs linked above. To exercise these rights, contact us.
• California residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion of your personal information, and opt out of any sale of personal information. WeaveHub does not sell personal information. For PocketSync Cloud Sync, the categories of personal information collected include: identifiers (device ID, provider email), internet or network activity (sync history, file metadata), commercial information (subscription status), and personal records (contact names, emails, phone numbers, addresses, and calendar event details processed during sync). For PocketNOC and PocketSOC CCPA notices, see: PocketNOC | PocketSOC. For PocketForge, categories of personal information collected include: identifiers (Apple User ID) and commercial information (subscription status). For WeaveLedger, categories of personal information collected include: commercial information (App Store transaction identifiers and subscription status). WeaveHub does not collect financial information through WeaveLedger beyond what Apple provides for subscription validation. To exercise these rights, contact us.

We will respond to all verified data subject requests within 30 days.

Contact

Questions about this policy or your data? Contact us.