Hexed · Green Labs LLC
Privacy Policy
Last updated July 16, 2026
This policy covers the Hexed iOS app and the hexedapp.com website, operated by Green Labs LLC ("we", "us"), the data controller for both. The short version: Hexed collects the minimum needed to run a social spellcasting app, nothing is ever sold to anyone, there is no advertising, and there is no tracking across other companies' apps or sites.
What we collect
- Account. Your phone number, verified by one-time code, is your account identifier. The number itself lives with our authentication provider; for friend matching we keep an irreversible cryptographic hash of it. You may optionally attach a recovery email address; it is used only to recover your account.
- Profile. Your birthdate (required, for the age gate and your chart), your birth hour (optional, for your rising sign), and the identity built in onboarding: witch name, craft, element, familiar, and signs.
- Contacts, only if you allow it. Contacts are read on your device to let you choose who to summon. For matching, phone numbers are converted to irreversible codes (SHA-256) on your phone before anything leaves it. We never receive names, never store your address book, never message anyone in it, and store nothing about people who do not use Hexed. You can revoke access at any time in iOS Settings.
- Activity. The workings you cast, covens you form, circles you join, letters you receive and unseal, and any blocks or reports you file. If you allow notifications, we store a device push token.
- Purchases. Payment runs entirely through Apple. We receive Apple's signed transaction receipts to unlock what you bought; we never see card numbers or payment details.
- Usage analytics. A short, fixed list of named events (for example "contract sealed", "letter unsealed") tied to a random install identifier, so we can see whether the app works. No advertising SDK, no automatic capture, no location, no behavioral profile.
- Website. hexedapp.com is served by Cloudflare, which keeps standard, short-lived server logs (such as IP address) to run and protect the site. The site sets no advertising cookies.
How we use it, and the legal bases
- To run Hexed: accounts, casting, covens, letters, purchases (performance of our contract with you).
- To connect you with people you choose: contact matching and invitations (your consent, revocable any time).
- To notify you: push notifications you opted into (your consent). Every notification corresponds to a real action by a real user; we never fabricate activity.
- To keep witches safe: enforcing blocks, reviewing reports, preventing fraud and abuse (our legitimate interests, and legal obligations where they apply).
- To improve the app: the pseudonymous usage analytics above (our legitimate interests).
We do not use your data to train AI models, and we make no automated decisions about you with legal or similarly significant effects.
What other witches see
Binding to a coven shares your chart (sun, rising, craft, element, familiar) with your covenmates; this is stated in the app at the moment you accept a summons. Casting on someone reveals to them only what the reveal mechanics show. Blocked witches cannot target you with anything, in either direction.
Who we share with
Only service providers acting on our instructions, each receiving only what its function requires:
- Supabase – database, authentication, and server functions (hosted in the United States).
- Twilio – delivers your verification code by SMS.
- Apple – purchases and push notifications, under Apple's own terms.
- PostHog – the pseudonymous usage analytics described above (hosted in the United States).
- Cloudflare – serves this website.
We never sell your personal information, never share it for cross-context behavioral advertising, and never give it to data brokers. We would disclose data if validly required by law, and we would tell you unless legally barred from doing so.
Tracking
None. Hexed does not track you across other companies' apps or websites, which is why iOS never shows you an App Tracking Transparency prompt for us. Browser signals like Global Privacy Control find nothing here to switch off.
Retention and deletion
- Unrevealed incoming letters turn to ash after three nights and are gone.
- Everything else is kept only while your account exists.
- Deleting your account (Chart → Unmake your witch, or by emailing us) is immediate and permanent: your account and everything it owns is erased, and records held by other witches that referenced you (a seat in their coven, a working cast upon you) are unlinked from you. Apple retains its own records of your purchases under Apple's policy, and we may retain minimal transaction records where tax or fraud law requires.
Your rights
Wherever you live, you can ask us to access, correct, delete, or export your data, or to restrict or object to our use of it, by emailing dev@hexedapp.com. We will verify the request (usually by confirming control of the account phone number) and answer within the time your law requires. We never discriminate against anyone for exercising a privacy right.
European Economic Area and United Kingdom. The bases we rely on are listed above; where we rely on consent you may withdraw it any time, and you may lodge a complaint with your supervisory authority. Our servers are in the United States; where required, transfers rest on Standard Contractual Clauses with our providers.
California. The categories we collect are identifiers, commercial information, and app activity, as described above. We do not "sell" or "share" personal information as the CCPA defines those terms, and we collect no sensitive personal information requiring a limitation right. You have the rights to know, correct, and delete, exercisable as described above, including through an authorized agent.
Security
Data moves over TLS and rests behind row-level security, so each witch can read only what is hers. Phone numbers used for matching are hashed irreversibly before they travel. No system is beyond all reach; if we learn of a breach affecting you, we will notify you and the authorities as the law requires. Found a weakness? Write to us at the address below.
Age
Hexed is for those 17 and older. We do not knowingly hold an account for anyone younger, and if we learn of one it is unmade. The app is not directed at children and we do not knowingly collect children's data.
Changes
When this policy changes, the date above changes with it, and material changes will be announced in the app before they take effect. Continued use after that is acceptance.
Contact
Green Labs LLC · dev@hexedapp.com