Privacy Policy
Effective: March 2026
Overview
WeaveHub Technologies LLC ("WeaveHub", "WeaveHub Technologies", "we", "our") develops software products including PocketSync (formerly HealthSync), PocketNOC, PocketSOC, PocketIntel, and WeaveLedger. This Privacy Policy covers data practices across all WeaveHub products and the weavehub.app website. Each product also has its own product-specific privacy policy with additional details.
Product-Specific Privacy Policies
For detailed data handling practices specific to each product, please refer to:
- PocketNOC (SolarWinds infrastructure monitoring): pocket-noc.com/privacy
- PocketSOC (Security alert aggregation): pocketsoc.com/privacy
- PocketIntel (Cybersecurity intelligence aggregation): weavehub.app/pocketintel/privacy
- PocketSync (Health Data Streaming & Cloud Sync): See PocketSync section below
- WeaveLedger (Expense tracking, receipt scanning, and financial analytics): See WeaveLedger section below
Where a product-specific policy conflicts with this umbrella policy, the product-specific policy prevails for that product.
Data We Collect Across Products
Depending on which product(s) you use, we may collect:
- Account identifiers: Email addresses, device identifiers (iOS Vendor ID, Android ID), UUID device IDs, and user IDs
- Billing data: Stripe customer and subscription identifiers (we never store credit card numbers)
- License keys: For products using license-based activation (PocketNOC)
- Push notification tokens: Apple APNs and Google FCM tokens for alert and sync-completion delivery
- Usage analytics: Anonymous app usage data via Firebase Analytics (app opens, screen views, feature usage)
- Cloud account OAuth tokens and credentials: Encrypted access and refresh tokens for connected cloud providers (Google, Microsoft, Dropbox, Box) and CardDAV/CalDAV credentials, used by PocketSync Cloud Sync
- File metadata: File paths, sizes, and modification dates from connected cloud storage accounts, used for delta sync tracking in PocketSync Cloud Sync
- Contact data: Contact records (names, emails, phone numbers, addresses, organization, job title, birthday, notes, photos) from connected providers, processed during contact sync
- Calendar data: Calendar events (titles, descriptions, attendees, locations, dates/times, recurrence, reminders) from connected providers, processed during calendar sync
- Sync job data: Sync job configurations, run history (items synced, skipped, errored, bytes transferred), and conflict records for PocketSync Cloud Sync
- API keys: Bearer tokens (stored as SHA-256 hashes) for authenticating PocketSync Cloud Sync API requests
- Feed preferences and reading behavior (PocketIntel): Selected sectors, vendors, threat types, articles viewed, search queries, and interaction history used to personalize the cybersecurity intelligence feed
- AI-processed content metadata (PocketIntel): PocketIntel uses Cloudflare Workers AI and OpenAI GPT-4o-mini (via Cloudflare AI Gateway) to summarize publicly available cybersecurity articles and extract indicators of compromise. AI processing is applied only to public source content, not to user personal data. No user data is used to train AI models.
- Product-specific data: See product-specific policies for details on monitoring data (PocketNOC), security alert data (PocketSOC), cybersecurity intelligence data (PocketIntel), and health data (PocketSync)
PocketSync Data Practices
PocketSync (formerly HealthSync) provides two core features: Health Data Streaming and Cloud Sync. Each feature handles data differently.
Health Data Streaming
PocketSync reads Apple HealthKit data on your device and can write selected metrics to a Google Sheet you choose, stream them to Home Assistant, or send them to a custom webhook. Health data is processed on-device and sent directly to your configured destinations without passing through WeaveHub servers.
- Google Sheets data: Spreadsheet metadata (such as file name and ID) and the specific sheet contents needed to write metrics to the sheet you select.
- HealthKit data: The metrics you explicitly authorize (e.g., heart rate, sleep, activity). Processed on-device and sent only to your configured destinations.
Google Sheets access for Health Data Streaming is used solely to write your selected PocketSync metrics. We do not share Google user data obtained through Health Data Streaming with third parties.
Cloud Sync
Cloud Sync allows you to connect cloud accounts (Google, Microsoft, Dropbox, Box, and CardDAV/CalDAV providers) and sync files, contacts, and calendars between them. Unlike Health Data Streaming, Cloud Sync operates through WeaveHub infrastructure:
- OAuth tokens and credentials: When you connect a cloud account, we store an encrypted copy of your OAuth 2.0 access and refresh tokens (or CardDAV/CalDAV credentials). Tokens are encrypted with AES-256-GCM before storage in our database.
- File metadata: File paths, sizes, and modification dates from your connected accounts are stored to enable delta sync (transferring only changed files).
- Contact data: When syncing contacts, PocketSync reads and transfers contact records between providers. This may include names, email addresses, phone numbers, physical addresses, organization names, job titles, birthdays, notes, and profile photos. Contact data passes through WeaveHub infrastructure during transfer. Contacts contain personal data of third parties (the people in your address book). You are responsible for having a lawful basis to transfer this data.
- Calendar data: When syncing calendars, PocketSync reads and transfers calendar events between providers. This may include event titles, descriptions, attendee names and email addresses, locations, dates/times, recurrence rules, and reminders. Calendar data passes through WeaveHub infrastructure during transfer and may contain personal data of third parties (event attendees).
- Sync job configuration: Your sync rules (source, destination, sync mode, conflict-resolution preference, data type) are stored on our servers.
- Sync run history: Records of each sync run, including items synced, skipped, errored, and bytes transferred.
- Temporary data buffer: During a transfer, files are temporarily stored in a Cloudflare R2 buffer bucket while in transit between providers. Contact and calendar data is held in memory or temporary storage during transfer. All temporary data is automatically deleted within 1 hour of the transfer completing and is not retained beyond what is required for the sync to occur.
- Device identifier: A UUID device ID is generated at registration and stored in the iOS Keychain on your device. A SHA-256 hash of your API key is stored server-side to authenticate requests.
- Push notification tokens: FCM tokens for delivering sync completion notifications.
Cloud Sync does not access, read, or process the contents of your files, contacts, or calendar events beyond what is necessary to transfer them between providers. We do not index, analyze, scan, mine, or retain data contents after the transfer is complete.
Third-Party Personal Data in Contacts & Calendars
Contact and calendar sync involves processing personal data of third parties — the people in your address book and calendar event attendees. By using contact and calendar sync, you represent that you have a lawful basis (such as legitimate interest or consent) to transfer this personal data between providers through WeaveHub infrastructure. WeaveHub processes this third-party data solely as your processor, under your instructions, and does not use it for any independent purpose.
PocketSync's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Server-side storage of Google OAuth tokens, Google Drive file metadata, Google Contacts, and Google Calendar data is strictly necessary for providing Cloud Sync functionality and is not used for advertising, profiling, or any unrelated purpose.
WeaveLedger Data Practices
WeaveLedger is an expense tracking, receipt scanning, and financial analytics app that uses a self-hosted architecture. Your financial data is stored on a Cloudflare Workers instance that you deploy and control. WeaveHub Technologies does not receive, access, process, or store your financial data.
Data WeaveHub Collects for WeaveLedger
- Subscription and licensing data: Apple App Store transaction identifiers and subscription status, processed by our licensing service to validate your active subscription. We do not receive your payment method or billing details — these are handled entirely by Apple.
- No financial data: WeaveHub does not collect, receive, or have access to your expenses, receipts, receipt images, budget configurations, subscription analytics, tax records, or any other financial data you enter into WeaveLedger.
- Camera access: WeaveLedger requests camera access to photograph receipts for AI-powered scanning. Receipt images are sent directly from your device to your self-hosted backend for processing. WeaveHub never receives your receipt images.
- Self-hosted credentials: Your email address and password for your self-hosted instance are stored on your own Cloudflare Workers backend. WeaveHub does not have access to these credentials.
Data Storage and Control
Your WeaveLedger financial data is stored in a Cloudflare D1 database within your own Cloudflare account. You have full control over this data, including the ability to access, export, modify, and delete it. WeaveHub cannot access your self-hosted data. Licensing and subscription data is stored on WeaveHub infrastructure and retained while your subscription is active.
Account Deletion
Your financial data: You can delete all data on your self-hosted instance at any time through the WeaveLedger app or by deleting the Cloudflare Workers deployment from your Cloudflare dashboard.
WeaveHub licensing data: To request deletion of your subscription and transaction records from our licensing service, contact us at privacy@weavehub.app. We will delete this data within 30 days.
Demo Server
A demonstration server (demo-ledger.weavehub.app) is available for evaluation. Data entered on the demo server is not private and may be periodically reset.
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data under the following legal bases:
- Performance of a contract (Article 6(1)(b)): Processing necessary to provide the PocketSync service you requested, including Cloud Sync operations, Health Data Streaming, and account management.
- Legitimate interests (Article 6(1)(f)): Anonymous analytics to improve our products and services, provided these interests are not overridden by your data protection rights.
- Consent (Article 6(1)(a)): Where you explicitly authorize access to HealthKit data or cloud storage accounts through OAuth.
For WeaveLedger, we process subscription and licensing data under performance of a contract (Article 6(1)(b)). WeaveHub does not process your financial data and is not a data controller or processor for data stored on your self-hosted instance.
Automated Processing
PocketSync Cloud Sync runs scheduled sync jobs automatically (approximately every 5 minutes when active). These automated processes access your connected cloud accounts, compare metadata to detect changes, and transfer new or modified files, contacts, or calendar events between providers as configured in your sync job. No human review of your data occurs during this process. You can pause or delete sync jobs at any time within the app. No automated decision-making or profiling as defined under GDPR Article 22 is performed.
Data Storage & Protection
- PocketSync Health Data Streaming: No Google Sheets user data or HealthKit data is stored on our servers. Google Sheets access is via OAuth over HTTPS.
- PocketSync Cloud Sync: OAuth tokens and CardDAV/CalDAV credentials for connected providers are encrypted with AES-256-GCM and stored in a Cloudflare D1 database. API keys are hashed with SHA-256 before storage. Files in transit are temporarily held in a Cloudflare R2 buffer bucket and automatically deleted within 1 hour. Contact and calendar data is held in memory or temporary storage during transfer. File metadata, contact/calendar sync state, and sync history are stored in Cloudflare D1. All API communication uses HTTPS via a Cloudflare Worker.
- PocketNOC: SolarWinds credentials are stored exclusively on your device in platform-native secure storage (iOS Keychain / Android EncryptedSharedPreferences). License data is stored on Cloudflare infrastructure with encryption at rest.
- PocketSOC: Vendor API credentials are encrypted with AES-256-GCM at rest. All communications use TLS encryption.
- All products: Sensitive data is protected using industry-standard encryption in transit (TLS) and at rest.
Data Retention & Deletion
- PocketSync Health Data Streaming: WeaveHub retains no HealthKit or Google Sheets data on its servers. Revoke Google Sheets access at any time in your Google account settings.
- PocketSync Cloud Sync: When you disconnect a cloud account, we delete the corresponding encrypted OAuth tokens or CardDAV/CalDAV credentials from our database. Deleting a sync job deletes all associated file metadata, contact/calendar sync state, sync history, and any data on WeaveHub servers associated with that job. Files in the R2 transfer buffer are automatically deleted within 1 hour regardless of account status. Database backups that may contain Cloud Sync data are retained for 30 days and then permanently deleted. You may also revoke PocketSync's access directly through your cloud provider's app permissions settings (e.g., Google Account, Microsoft Account, Dropbox Settings, Box Account). Device identifiers can be removed by uninstalling the app.
- PocketNOC: Licensing data is retained while your license is active. Deleted upon verified request or license expiration.
- PocketSOC: Account data is retained while active. Alert metadata is transient and not persistently stored beyond operational necessity.
- All products: You may request deletion of your data at any time by contacting us. We will respond to deletion requests within 30 days.
Third-Party Service Providers
Depending on which product(s) you use, data may be processed by:
- Cloudflare, Inc. — Hosting, Workers runtime, D1 database, R2 object storage
- Apple Inc. — Push notifications (APNs), App Store distribution
- Google LLC — Firebase Analytics, Cloud Messaging (FCM), Play Store distribution, Google Drive API, Google Contacts API, Google Calendar API (PocketSync Cloud Sync), Google Sheets API (PocketSync Health Data Streaming)
- Microsoft Corporation — OneDrive, Outlook Contacts, Outlook Calendar / Microsoft Graph API (PocketSync Cloud Sync)
- Dropbox, Inc. — Dropbox API (PocketSync Cloud Sync)
- Box, Inc. — Box API (PocketSync Cloud Sync)
- CardDAV/CalDAV providers — Any user-configured CardDAV or CalDAV server for contact and calendar sync (PocketSync Cloud Sync). The specific provider depends on your configuration.
- Stripe, Inc. — Payment processing
- OpenAI, LLC — AI content summarization via Cloudflare AI Gateway (PocketIntel). Only publicly available article content is sent; no user personal data is transmitted.
These providers process data only as necessary to perform services on our behalf.
International Data Transfers
WeaveHub is based in the United States. Where personal data originating from the EEA, UK, or Switzerland is processed, we rely on the EU Commission's Standard Contractual Clauses (SCCs) for appropriate safeguards. See product-specific DPAs for details: PocketNOC DPA | PocketSOC DPA | PocketSync DPA.
For PocketSync Cloud Sync, WeaveHub acts as a data processor when handling files, contacts, calendars, and metadata on your behalf. Our sub-processors include:
- Cloudflare, Inc. (United States) — Workers compute, D1 database, R2 object storage
- Google LLC (United States) — Firebase Cloud Messaging
Website Analytics
Our website (weavehub.app) uses analytics to understand visitor traffic and improve the site experience. Analytics may collect:
- Usage data: Pages visited, session duration, and referral source
- Device information: Browser type, operating system, and screen resolution
- Identifiers: Anonymous, randomly generated identifiers not linked to your name, email, or any personal account
Website analytics does not collect personally identifiable information and is not linked to any app data.
Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your personal data.
- EU/EEA/UK residents (GDPR): You have the right to access, rectify, and erase your personal data, to restrict or object to its processing, and to data portability. For PocketSync Cloud Sync, you may request export of your sync job configurations and sync history in a machine-readable format (JSON). See our DPAs linked above. To exercise these rights, contact us.
- California residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion of your personal information, and opt out of any sale of personal information. WeaveHub does not sell personal information. For PocketSync Cloud Sync, the categories of personal information collected include: identifiers (device ID, provider email), internet or network activity (sync history, file metadata), commercial information (subscription status), and personal records (contact names, emails, phone numbers, addresses, and calendar event details processed during sync). For PocketNOC and PocketSOC CCPA notices, see: PocketNOC | PocketSOC. For WeaveLedger, categories of personal information collected include: commercial information (App Store transaction identifiers and subscription status). WeaveHub does not collect financial information through WeaveLedger beyond what Apple provides for subscription validation. To exercise these rights, contact us.
We will respond to all verified data subject requests within 30 days.
Contact
Questions about this policy or your data? Contact us.