Privacy Policy
Last updated: June 20, 2026
This Privacy Policy describes what personal data GUIMIN ZHOU ("we", "us", "Huginara") collects, why we collect it, who else processes it, how long we keep it, and the rights you may exercise over it. It also marks the boundary between data we control and data Paddle controls. The controller for service data is GUIMIN ZHOU; the controller for payment data is Paddle (see §1).
The "Service" means the website at huginara.com and the desktop applications we publish — Heimdall (paid) and the free tools Bifrost and Signet. The applications run on your own machine; the website is a static site with no user accounts.
Summary
- The website has no accounts and no login. We store no passwords because there are none.
- The desktop applications run entirely on your machine. They contain no analytics or telemetry, do not transmit your captured traffic or settings to us, and verify a licence offline.
- When you buy Heimdall, Paddle takes the payment as Merchant of Record. We never receive the full card number, CVV, or BIN.
- We do not use advertising trackers or cross-site analytics, and we do not sell or rent personal data.
- Questions and data requests go to support@huginara.com.
1. Independent data controllers
Because Huginara sells through Paddle as Merchant of Record, two parties process personal data about a purchase, each as an independent data controller. Neither acts as the other's processor in respect of that data.
- Huginara controls service data. A small set: website request logs, any correspondence you send us, and the order metadata Paddle returns after a sale — your email address, an order reference, the product purchased, and the billing country used for tax. Detailed in §2.
- Paddle controls payment data. This includes the full card number, CVV, BIN, fraud-risk score, and the billing address used to calculate tax. Paddle's processing is governed by Paddle's privacy policy. We do not receive this data.
Practical consequence: requests about service data come to us; requests about payment data go to Paddle. If a request reaches the wrong party, we will redirect it and confirm.
2. Categories of personal data we collect
- Website log data. When you visit huginara.com, our CDN / edge provider receives your IP address, user agent, referrer, and the paths requested, together with timestamps and security events such as rate-limit triggers. We use aggregate counts (requests, country, referrer) to understand how the site is used.
- Correspondence. If you email us, we hold your message and address until the matter is resolved and for a reasonable period afterwards as a record.
- Order metadata received from Paddle. After a purchase, Paddle returns your email address, an order or transaction reference, the product, and the billing country for tax records. This is the only payment-adjacent data we hold, and we use it to deliver and support your licence.
- Cookies and local storage. A single strictly necessary entry — your theme (light or dark) preference — stored locally in your browser. No advertising cookies, no cross-site trackers.
The desktop applications themselves collect no personal data: they have no accounts, no telemetry, and no callback home. A Heimdall licence key is verified locally against a public key embedded in the app; the key is never sent to us.
3. Purposes and lawful bases
Under the GDPR and UK GDPR we rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)) — to deliver and support a Heimdall licence you have purchased.
- Legitimate interests (Art. 6(1)(f)) — to serve and secure the website, prevent abuse, and understand aggregate usage. We collect only what is proportionate.
- Legal obligation (Art. 6(1)(c)) — to keep the records tax and accounting law require; the tax side is handled by Paddle as Merchant of Record.
The standards on this page are designed to meet or exceed the GDPR, UK GDPR, and CCPA.
4. Recipients of personal data
We do not sell or rent personal data. To operate the Service we rely on a limited set of third parties, identified by their legal role.
Independent data controller — holds a direct relationship with you under its own policy:
- Paddle.com Market Ltd — Merchant of Record; processes payment and tax data. See Paddle's privacy policy.
Sub-processors — process service data on our instructions only:
- CDN and edge-security provider — content delivery, DNS, and DDoS / bot mitigation for the website. Receives request metadata such as IP address and headers.
- Transactional email — where used to reach you about an order or a support reply. Your Heimdall licence key is delivered by Paddle from its own systems.
We disclose data to public authorities only where legally required, or where necessary to protect the rights, safety, and property of Huginara, our users, or others.
5. International data transfers
Our providers may operate in jurisdictions including the United States and the European Economic Area. Where personal data is transferred out of the EEA or the UK, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable). A copy of the applicable clauses is available on request to support@huginara.com.
6. Retention periods
- Website logs: retained for up to 90 days for security and diagnostics, then deleted.
- Correspondence: retained while a matter is open and for a reasonable record period afterwards.
- Order metadata: retained as long as tax and accounting law require (up to 7 years in some jurisdictions). Paddle retains the underlying tax records under its own policy.
7. Your rights
Depending on where you reside, you may have the rights to access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your supervisory authority (for example the UK ICO, the Irish DPC, or the data-protection authority of your country).
To exercise any of these, write to support@huginara.com. We respond within 30 days and may ask you to verify your identity first. For payment data held by Paddle — the full card number, billing address, and fraud-risk data — direct the request to Paddle via its privacy policy; if it reaches us, we forward it and confirm.
8. California residents (CCPA / CPRA)
California residents have the right to know the categories of personal information we collect and why (§2 and §3), to access and delete it, to correct it, and not to face discrimination for exercising these rights. We do not sell or share personal information as those terms are defined in the CCPA and CPRA, and we do not use it for cross-context behavioural advertising. Requests go to support@huginara.com.
9. Children
The Service is not directed to children under 13 (or under 16 where local law requires it), and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact support@huginara.com and we will delete it.
10. Security
The website is served over TLS. We hold very little personal data, and we never handle raw card data — that is administered by Paddle under its PCI-DSS regime, so our systems are out of PCI scope. No system is perfectly secure; if we become aware of an incident that materially affects your data, we will notify you and the relevant authorities as required by law.
11. The desktop applications
Heimdall, Bifrost, and Signet run entirely on your own machine. They contain no analytics or telemetry and make no callback to us. Heimdall is a network-inspection tool: the traffic it captures, the certificates it handles, and the files it writes stay on your computer and are never transmitted to us. A purchased licence is verified offline against a public key embedded in the application. We therefore hold no usage data, no captured-traffic data, and no device identifiers from the applications.
12. Changes to this Privacy Policy
We may update this Policy. The "Last updated" date above reflects the current version. For changes that materially affect your rights, we will note them here and, where we hold a way to reach you about an order, by email. Continued use of the Service after a change takes effect constitutes acceptance.
13. Contact
Privacy questions and data-subject requests go to support@huginara.com — marking the subject "Privacy" helps with routing. The controller for service data is GUIMIN ZHOU; the independent controller for payment data is Paddle (see §1).