PocketSOC Privacy Policy

Last updated: February 2026

1. Overview

This Privacy Policy explains how WeaveHub Technologies LLC ("PocketSOC", "we", "us") collects, uses, and protects personal data in connection with the PocketSOC mobile application, web-based administration portal, and related services (the "Service"). Our backend infrastructure and email processing are operated through Cloudflare.

PocketSOC is available on the Apple App Store and Google Play Store. These distribution platforms may independently collect device or usage data under their own privacy policies; such collection is outside of PocketSOC's control.

2. Data We Collect

Depending on customer configuration and third-party security platform integrations, we may process:

• Device identifiers associated with mobile devices (iOS and Android) receiving notifications
• Organization identifiers, stored as cryptographic blind indexes (HMAC-SHA256 hashes)
• User email addresses and authentication data (processed via WorkOS for portal sign-in)
• Push notification tokens (encrypted at rest)
• Vendor API credentials provided by Customer (encrypted at rest with AES-256-GCM; used to retrieve alerts on behalf of Customer)
• Team membership, group assignments, and on-call schedule configurations
• Alert metadata transmitted by customer-authorized third-party security platforms (see Section 3)
• Audit log records of administrative actions (device registration, schedule changes, credential updates)
• Billing and subscription data (processed via Stripe; PocketSOC does not store payment card numbers)
• Limited server logs (IP address, timestamps, delivery status)

PocketSOC does not control the schema or content of alert data provided by third-party platforms.

On Android devices, limited technical data such as device type, OS version, and push token may be processed to enable app functionality and notification delivery. This data is not used for marketing, advertising, or profiling.

3. Alert Metadata

Alert metadata processed by PocketSOC may include identifiers such as usernames, hostnames, IP addresses, endpoint identifiers, and alert subject lines, as determined by the customer's third-party security platform configuration.

This data is processed solely for alert delivery and incident response functionality. It is not used for marketing, profiling, analytics unrelated to service delivery, or resale. Retention of alert metadata is limited to what is operationally necessary for notification delivery.

4. Purpose of Processing

We process data solely to:

• Deliver security alert push notifications by organization
• Manage team membership, group assignments, and vendor configurations through the administration portal
• Store and deliver encrypted vendor API credentials to authorized devices
• Enforce on-call schedules and group-based notification targeting
• Operate, secure, and maintain the Service
• Process billing and subscription management
• Troubleshoot delivery issues
• Comply with legal obligations

Alert data is not used for analytics, profiling, marketing, or monitoring.

5. Legal Bases for Processing (GDPR)

Where the GDPR applies, PocketSOC processes personal data on the following bases:

• Performance of a contract
• Legitimate interests in operating and securing the Service
• Consent, where required by applicable law

6. Data Retention

• User accounts and organization data: retained while the account is active; deleted upon account closure or Customer request
• Vendor API credentials (encrypted): retained while the vendor configuration is active; deleted when the configuration is removed
• Device registrations and push tokens (encrypted): retained while the device is active; deleted upon deactivation or unregistration
• On-call schedules and group assignments: retained while the associated configuration is active
• Audit log records: retained for up to 1 year for security and compliance purposes
• Alert metadata for push notifications: processed transiently for notification delivery and not persistently stored
• Server logs: retained for up to 90 days, unless required longer for security or legal reasons
• Billing data: retained as required by applicable tax and financial regulations

7. Account Deletion

When a user account is deleted by a customer administrator, associated account data is removed from active systems. Certain transactional records, such as email invitation logs, may be retained for operational, fraud prevention, or audit purposes. Users may request deletion of any residual records by contacting us via our contact form.

8. International Data Transfers

Data may be processed in the United States and other jurisdictions where our service providers operate. For international transfers of personal data outside the European Economic Area (EEA) or United Kingdom, appropriate safeguards such as Standard Contractual Clauses (SCCs) are used where applicable.

9. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port your personal data. Requests may be submitted via our contact form.

Requests for access, correction, export, or deletion will be acknowledged within a reasonable timeframe and fulfilled within 30 days, unless an extension is legally permitted and necessary.

10. Security Measures

We implement technical and organizational safeguards, including:

• TLS encryption for all data in transit
• AES-256-GCM encryption for vendor credentials, device tokens, and sensitive fields at rest
• HMAC-SHA256 blind indexes for identifier lookups (no plaintext storage of tokens or identifiers)
• Platform-native secure storage (iOS Keychain, Android Keystore) for on-device credentials
• Least-privilege access controls and role-based permissions
• Biometric authentication (Face ID, fingerprint) required for sensitive actions
• Automated processing of alert content without human review
• Rate limiting and abuse prevention on all API endpoints

11. Subprocessors

We use the following subprocessors to operate the Service:

• Cloudflare, Inc. — hosting, Workers, backend infrastructure, and email processing
• Apple Inc. — push notification delivery via Apple Push Notification service (APNs)
• Google LLC (Firebase Cloud Messaging) — push notification delivery to Android devices
• Google LLC (Google Play) — Android application distribution
• Resend — transactional email delivery for portal invitations
• Stripe, Inc. — payment processing and subscription management
• WorkOS, Inc. — portal authentication and identity management

Firebase Cloud Messaging (FCM) is used solely to deliver push notifications to Android devices. Only device push tokens are transmitted for notification delivery. No analytics, advertising, or behavioral profiling features of Firebase are enabled. Firebase operates under Google's privacy policy.

We will notify customers of material changes to this subprocessor list. A current list is also available upon request.

12. Contact

For privacy-related questions or to exercise your data subject rights, please use our contact form.