Privacy Policy
Effective date: April 10, 2026
What We Collect
TraceWaves collects only what is necessary to provide the service:
- Account identity — Name, email, and avatar from your OAuth provider (Google, Microsoft, or GitHub). We do not store passwords.
- Scan data — Wi-Fi AP observations, Bluetooth device data, connection test results, and GPS coordinates. All scan data is user-initiated.
- Journal entries — Notes, photos, and tags you create.
- Sync metadata — Timestamps and record counts needed for cross-device sync.
What We Do Not Collect
- We do not collect data from networks you are not authorized to scan.
- We do not track your location in the background. GPS is polled only when you initiate a scan.
- We do not sell, share, or monetize your data.
- We do not log PII (personally identifiable information) in server logs.
Data Storage & Security
- All data is transmitted over TLS 1.2+.
- The database is encrypted at rest with AES-256.
- Auth tokens are stored in the OS keychain (native) or in httpOnly secure cookies (PWA), never in localStorage.
- JWT access tokens expire in 15 minutes. Refresh tokens rotate on use.
Data Retention & Deletion
- You control your data. Delete any journal entry at any time.
- Account deletion removes all synced data from our servers within 24 hours.
- Local data on your device is always under your control.
Third Parties
- OAuth providers — Google, Microsoft, and GitHub process sign-in only.
- NVD (NIST) — CVE data is fetched from the public NVD API. No user data is sent to NVD.
- OpenStreetMap — Map tiles are loaded from OSM servers. No user data is sent beyond tile coordinates.
Your Rights
You may request export or deletion of all your data at any time by contacting us or using the in-app account settings.
Contact
Questions about this policy: privacy@tracewaves.com