Privacy Policy
Effective Date: April 30, 2026
1. Overview
HugsyAlert is built with a privacy-first architecture. We collect only the data necessary to operate the check-in monitoring and emergency escalation system. This policy describes what data we collect, how we use it, what we share with third parties, and your rights regarding your data.
Your Contact Data, in Plain Language
Because HugsyAlert helps coordinate help during an emergency, people sometimes worry about how it handles contact information. Here is the short, plain-language version; the detailed breakdown follows in the numbered sections below.
What we collect:
- Your email address when you sign up.
- If you choose to add helpers, the email address and/or Telegram username you type in for them.
- A numeric Telegram chat ID for you or a helper, but only after that person taps an official connect link from inside HugsyAlert. This is an internal identifier used to deliver notifications — not a phone number. Where set, your Telegram username and first name may also be recorded in audit logs during the connect flow.
What we do not collect:
- We do not collect your personal phone number. There is no user phone-number field in the app. Vet/emergency contact phone numbers you optionally add to your pet's profile are stored but used only for the pet care dossier sent to helpers during emergencies.
- We do not read your Telegram contacts or any messages sent outside the HugsyAlert bot. Messages you send to the HugsyAlert bot are processed by the safety system (see §2.6).
How it is used and protected:
- Contact data is used only to operate check-ins and to reach the right people during an escalation. We do not sell your data, and we do not use it for advertising.
- The email we send invitations and alerts to is handed only to our email provider (Resend) to deliver the message you asked us to send. Resend is the only outside party that receives email addresses as part of normal operation.
- A helper's Telegram username is visible to the owner who added that helper, so the owner can identify who they've linked. It is not shared with other users or third parties.
- If no display name is set, your email may appear as a fallback label inside Telegram safety messages and in email alerts sent to your helpers, so be precise about what you set as your display name.
- When you delete your account, your Telegram chat ID is removed right away and your main account record is soft-deleted immediately. Helper and pet contact data in subcollection records is permanently purged within the retention window described in §8.
We do not sell or share your contact information for marketing or advertising. Outside parties that receive data as part of normal operation (such as Resend for email delivery) are listed in §6. We can't control everything that happens outside HugsyAlert, though — unsolicited messages often come from unrelated sources such as prior data breaches, data brokers, scraped records, contact-syncing, or your own messaging-app privacy settings. If you ever get a message claiming to be us from an unexpected place, see the official channels & reporting note in Help.
2. Data We Collect
2.1. Account Information
- Email address and display name (required for account creation).
- Profile photo (if using Google sign-in).
- Telegram chat ID — a numeric identifier used to send you notifications. Where available, Telegram username and first name may also be recorded in audit logs during the account-linking flow. We do not access your Telegram messages sent outside the HugsyAlert bot, your contacts, or your groups.
2.2. Pet Information
- Name, species, breed, age, weight.
- Medical conditions, medications, and special care instructions.
- Veterinarian contact information.
2.3. Helper & Emergency Contact Information
- Helper name, email, and Telegram username.
- Relationship to the pet owner.
- Helper acknowledgment status and response history.
2.4. Check-In & Activity Data
- Timestamps of check-ins, missed check-ins, and safety mode changes.
- Check-in interval preferences and schedule configuration.
- Emergency event records (trigger type, escalation stage, helper responses).
- Drill and test event logs.
2.5. Device & Browser Telemetry
When the dashboard is open, we collect passive device signals to enhance safety assessment accuracy. This data is collected via browser APIs and includes:
- Battery level and charging status.
- Network connection type (Wi-Fi, cellular, offline).
- Tab visibility (whether the browser tab is active or backgrounded).
- Device motion (whether device movement is detected—used as a liveness signal, not for tracking location).
- Last user interaction timestamp (keyboard/mouse/touch activity).
- Online/offline status.
This telemetry is used solely for safety assessment during escalation decisions (e.g., determining if a missed check-in may be due to a dead battery vs. an actual emergency). We do not collect GPS location, browsing history, or app usage outside of HugsyAlert.
2.6. Conversational Data (Talk to Watchdog)
Messages you send through the "Talk to Watchdog" AI chat interface are:
- Stored in our database as part of your safety context.
- Sent to Google Gemini AI for intent classification and safety assessment.
- Used to build behavioral patterns that inform escalation decisions.
Emergency keywords ("help", "emergency", "SOS", "911") in your messages are treated as strong safety signals. They may contribute to emergency escalation decisions, and may be used as a fallback trigger if AI classification is unavailable.
2.7. Behavioral Patterns
We derive behavioral patterns from your check-in history and activity, including:
- Typical check-in times and day-of-week patterns.
- Average check-in intervals.
- Recurring activity schedules (if you choose to share them).
These patterns help reduce false alarms and improve the accuracy of safety assessments.
3. Data We Do NOT Collect or Store
Sensitive location and access information is never stored in our systems:
- Home addresses or GPS coordinates.
- House keys, access codes, lockbox combinations, or security system details.
- Financial information or payment data.
- Health records or medical data about the pet owner.
- Browsing history or activity outside of HugsyAlert.
Physical access information is shared directly between pet owners and their helpers through private channels (Telegram, in-person, etc.), ensuring that even a complete database breach would not expose this sensitive data.
4. How We Use Your Data
- Core service operation: Operating the check-in timer, escalation pipeline, and emergency alert system.
- Notifications: Sending check-in reminders, escalation alerts, and emergency dispatches via Telegram and email.
- Safety assessment: Combining device telemetry, behavioral patterns, and AI analysis to make escalation decisions.
- Rescuer's Dossier: Providing pet care details to helpers during active emergencies.
- Pattern learning: Building check-in and activity patterns to reduce false positives.
- R&D (beta period): Analyzing anonymized usage data to improve system accuracy and reliability.
- Security: Audit logging, rate limiting, and abuse prevention.
5. Cookies & Local Storage
HugsyAlert uses the following cookies and browser storage:
- Session cookie — An HMAC-SHA256 signed cookie containing your authentication session. Essential for login. Expires after 7 days or when you log out. No tracking cookies are used.
- CSRF token cookie — A double-submit cookie used to protect against cross-site request forgery attacks. Essential for security.
- Firebase Auth tokens — Stored in browser local storage by Firebase SDK for authentication state persistence.
- Vercel protection bypass — A cookie set during preview deployments for authorized testing access.
We do not use advertising cookies, analytics trackers (Google Analytics, etc.), or any third-party tracking pixels.
6. Third-Party Services
We use the following third-party services to operate HugsyAlert. Each service receives only the minimum data necessary for its function:
| Service | Purpose | Data Shared |
|---|---|---|
| Firebase (Google Cloud) | Authentication and database | Email, display name, all app data stored in Firestore. US data centers. |
| Google Gemini AI | AI intent classification and safety assessment | "Talk to Watchdog" chat messages, safety context summaries. Processed per Google's AI data policies. |
| Telegram Bot API | Notifications and check-in bot | Chat ID, notification content. We only send messages; we do not read your conversations. |
| Resend | Email notifications | Recipient email address, email content (alerts, helper invitations). |
| Vercel | Application hosting and serverless functions | HTTP request metadata (IP, user agent) processed during normal web hosting. |
7. AI Usage Disclosure
HugsyAlert uses Google Gemini to power the "Talk to Watchdog" conversational interface. When you send a message to the Watchdog:
- Your message is sent to Google's Gemini API along with recent conversation context and safety state.
- Gemini classifies the intent of your message (e.g., casual chat, travel notice, distress signal).
- The AI response and safety assessment are stored in your account for pattern learning.
- This data is used to calibrate escalation sensitivity and reduce false alarms.
We do not use your conversations to train third-party AI models. Google Gemini API data handling is governed by Google's Gemini API Terms of Service.
8. Data Retention & Deletion
- Active account data: Retained as long as your account is active.
- Device sensor data: The most recent sensor snapshot is retained per device (one entry per browser/device, overwritten on each heartbeat). No historical sensor traces are stored.
- Aggregate patterns: Retained indefinitely in anonymized form for service improvement.
- Audit logs: Retained for 90 days with automatic TTL-based expiry.
- Soft-deleted data: When you delete your account, all data is immediately soft-deleted (hidden from all queries and inaccessible) and permanently purged within 30 days.
- Immediate deletion: You can request immediate, permanent deletion of all your data by contacting us at the email below.
9. Data Security
- All data is encrypted in transit (HTTPS/TLS) and at rest (Firebase default encryption).
- Session cookies are cryptographically signed with HMAC-SHA256 to prevent forgery.
- Firestore security rules enforce per-user data isolation.
- CSRF protection on all server actions (double-submit cookie pattern).
- Rate limiting on authentication, check-in, and sensitive API operations.
- Security headers: HSTS, X-Frame-Options, Content-Security-Policy, X-Content-Type-Options.
- Automated secret scanning (gitleaks) on all code commits.
- Server-only Data Access Layer prevents client-side database access.
10. Your Rights
You have the right to:
- Access your data through your account dashboard.
- Correct inaccurate data through your settings.
- Delete your account and all associated data from the Safety & Settings page.
- Export your data upon request.
- Withdraw consent for beta R&D data collection by deleting your account.
- Object to specific data processing by contacting us.
10a. Virginia Consumer Rights (VCDPA)
HugsyAlert is operated from the Commonwealth of Virginia. If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA, Va. Code §59.1-575 et seq.) provides you with additional rights, including the right to confirm whether we process your personal data, to access and obtain a copy of that data, to correct inaccuracies, to request deletion, and to opt out of processing for purposes of targeted advertising, the sale of personal data, or significant profiling. We do not sell personal data and do not use it for targeted advertising.
To exercise any of these rights, email support@hugsyalert.com with the subject line VCDPA Request. We will respond within forty-five (45) days. If we decline your request, you may appeal that decision by emailing the same address with the subject line VCDPA Appeal; we will respond to appeals in writing within sixty (60) days. If your appeal is denied, you may submit a complaint to the Virginia Attorney General at www.oag.state.va.us/consumercomplaintform.
Sensitive data. Under VCDPA, certain categories of data require opt-in consent before processing. HugsyAlert does not collect precise geolocation data, biometric data, racial or ethnic origin, religious beliefs, citizenship or immigration status, mental or physical health diagnoses, sexual orientation, or data from a known child. Behavioral signals such as missed-check-in timing are processed as part of the core service function and are limited to safeguard purposes.
11. Children's Privacy (COPPA)
HugsyAlert is not intended for use by children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately and we will take steps to delete such information.
12. International Data Transfers
HugsyAlert is hosted on infrastructure located in the United States (Vercel and Google Cloud / Firebase). If you access the service from outside the United States, your data will be transferred to and processed in the United States. By using HugsyAlert, you consent to this transfer.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. The "Effective Date" at the top of this page indicates when this policy was last revised. Continued use of the service after changes constitutes acceptance of the updated policy.
14. Contact
For privacy-related questions, data requests, or to exercise any of your rights, contact us at support@hugsyalert.com.