Privacy Policy
Last updated April 14, 2026
This Privacy Policy describes how Woobox LLC ("Hatchable", "we", "us", "our") collects, uses, and protects your information when you use the Hatchable platform ("Service"). Woobox LLC is the data controller for personal information you provide directly to us in connection with your Hatchable account.
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address — required for claimed accounts; not collected for anonymous auto-signup accounts until you claim them
- Handle (username) — a unique identifier for your account, auto-generated or chosen by you
- Display name — optional
Anonymous Accounts
When you copy a setup command from the homepage or an AI agent first connects via MCP, an anonymous account is created automatically. At this stage we collect only:
- A generated handle and API key
- Your IP address (for rate limiting and abuse prevention)
No email or personal information is required. When you later claim the account by verifying an email address, the anonymous account is converted into a full account.
Passkey (WebAuthn) Data
If you register a passkey for authentication, we store:
- Credential ID (a unique identifier for the passkey)
- Public key (used to verify your identity — your private key never leaves your device)
- Credential metadata (sign count, attestation type, creation date)
We do not have access to your biometric data. Biometric verification happens entirely on your device.
Project Data
When you use Hatchable to build applications, we store:
- Project files (code, HTML, CSS, JavaScript) deployed via MCP tools or the console
- Database contents created by your applications
- Environment variables and configuration
- Function execution logs (request method, path, status code, duration, errors)
- Deployment history
Usage Data
We automatically collect:
- API request metadata (timestamps, endpoints called, response codes)
- Resource usage (function calls, database size, storage usage)
- IP addresses of API requests
End User Data
Applications you build on Hatchable may collect data from their own end users. You are the data controller for any end user data stored in your project databases. We act as a data processor for this information.
2. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Provide the Service | Account info, project data, environment variables |
| Authentication | Email address, passkey credentials, API key hashes, session tokens |
| Billing and plan enforcement | Account info, resource usage |
| Debugging and support | Function logs, error data |
| Service improvement | Aggregated usage data (anonymized) |
| Security and abuse prevention | IP addresses, request patterns |
| Account claim and merge | Email address, API keys (to transfer ownership when an anonymous account is claimed by an existing user) |
3. Cookies and Session Tokens
Hatchable uses the following cookies:
| Cookie | Purpose | Domain | Duration |
|---|---|---|---|
hatchable_session | Authenticates your browser session on the main site and project subdomains | hatchable.com and *.hatchable.site | 7 days |
XSRF-TOKEN | CSRF protection for form submissions | hatchable.com | Session |
When you log in on hatchable.com and visit a private project at slug.hatchable.site, a session bridge sets the hatchable_session cookie on the project subdomain so you can access your app without logging in again. This cookie is HTTP-only and secure.
We do not use tracking cookies, third-party analytics, or advertising pixels on the platform.
4. Data Isolation and Security
- Database isolation: Every project gets its own dedicated, isolated database. There is no shared access between projects or accounts.
- Encryption at rest: Environment variables marked as secrets are encrypted using AES-256 before storage.
- No credentials in subprocess: Function execution environments do not have direct database or storage credentials. All data access routes through our authenticated gateway.
- API key security: API keys are stored as SHA-256 hashes. We cannot retrieve your original key after creation.
- Passkey security: Only your public key is stored on our servers. Private keys and biometric data remain on your device.
- Session tokens: Signed with HMAC-SHA256 and include an expiration timestamp. Tokens cannot be forged or extended.
5. Data Retention
- Active accounts: Data is retained as long as your account is active.
- Anonymous accounts: Unclaimed anonymous accounts and their data may be deleted after 90 days of inactivity.
- Function logs: Retained for 90 days, then automatically deleted.
- Deleted projects: Project data (database, files, logs) is permanently deleted within 30 days of project deletion.
- Closed accounts: All data is permanently deleted within 30 days of account closure.
6. Data Sharing
We do not sell your personal information. We may share data with:
- Infrastructure providers: AWS (hosting, database, storage) — as necessary to operate the Service
- Legal requirements: When required by law, subpoena, or court order
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
We do not use your project code or data to train AI models.
7. Collaborators and Shared Projects
When you are invited as a collaborator on a project, the project owner can see your handle and email address. Your role (viewer, user, editor, admin) determines what project data you can access. Project owners can remove collaborators at any time.
When you request access to a private project, the project owner can see your handle and any message you include with the request.
8. Your Rights
- Access: View all data associated with your account via the console or API
- Export: Download your project files and database contents at any time
- Delete: Delete individual projects or your entire account
- Correct: Update your account information at any time
- Revoke passkeys: Remove any registered passkeys through the console
If you are in the EU/EEA, you also have rights under the GDPR including the right to data portability and the right to lodge a complaint with a supervisory authority.
9. International Data Transfers
Our infrastructure is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses for EU data transfers where applicable.
10. Children's Privacy
Hatchable is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or requests, contact Woobox LLC at privacy@hatchable.com.