Privacy Policy

HugMyTools.com is operated by RISI Technologies Inc. ("we", "us", "our"). This Privacy Policy explains what information we collect, why, and how we protect it.

Data controller: RISI Technologies Inc. · Contact: privacy@hugmytools.com

Account information (if you register): email address, hashed password, display name (optional). We never store plaintext passwords — bcrypt is used with cost factor 12.

Files you upload: temporarily stored in encrypted ephemeral storage for processing and delivery. See Section 4 for retention periods. We do not read or analyze file contents beyond what is required to complete your requested operation.

Usage data: operation counts per tool (for tier enforcement), timestamps, tool slug used, file sizes (bytes only). No file names or content are logged.

Technical data: IP address (for rate limiting and abuse prevention), browser User-Agent (for session security), error logs (anonymized after 7 days).

Payment data: handled entirely by Stripe. We never see or store full card numbers. We receive only a Stripe customer ID and subscription status.

• Delivering the file processing operations you request
• Enforcing tier limits and premium usage allowances
• Authenticating your account and maintaining session security
• Preventing abuse, spam, and unauthorized access
• Billing and subscription management via Stripe
• Sending transactional emails (email verification, password reset, billing receipts)

We do not use your data for: advertising targeting, selling to third parties, training AI/ML models, behavioral profiling, or any purpose not listed above.

Files are stored only for the duration needed to deliver the result and for a short retention window so you can re-download:

• Free: 1 hour
• Starter: 6 hours
• Pro: 24 hours
• Business: 72 hours
• Enterprise: 7 days

After retention expires, files are permanently deleted from storage using secure deletion. They are not recoverable. Unauthenticated sessions: files are deleted 1 hour after processing regardless of any other setting.

We use minimal storage:

• HttpOnly cookie: refresh token (JWT) — necessary for authenticated sessions, inaccessible to JavaScript
• sessionStorage: access token (JWT) — cleared when browser tab closes
• localStorage: UI preferences (theme, etc.) if applicable — no personal data

We do not use third-party tracking cookies. We do not use Google Analytics or any behavioral analytics platform.

We use a small number of trusted processors:

• Stripe — payment processing (PCI-DSS Level 1 certified)
• Google — Google Sign In (if you use OAuth)
• Apple — Sign in with Apple (if you use OAuth)
• S3-compatible storage provider — encrypted ephemeral file storage

Each processor operates under its own privacy policy. We do not share data beyond what is required to operate the Service.

Security measures in place:

• TLS encryption for all data in transit
• AES-256 encryption for files at rest
• bcrypt (cost 12) for all password hashes
• JWT with short-lived access tokens (15 min) and rotated refresh tokens
• Workers run in egress-disabled sandboxes — no outbound network access
• Magic-byte file validation before processing
• Rate limiting on all endpoints
• Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options

To report a security vulnerability: security@hugmytools.com. We respond within 24 hours and follow responsible disclosure.

You have the right to:

• Access: request a copy of data we hold about you
• Correction: update inaccurate account information (via Settings)
• Deletion: delete your account and all associated data (via Settings → Danger Zone)
• Portability: export your account data in a machine-readable format
• Objection: object to any processing you believe is unlawful

Exercise any right by emailing privacy@hugmytools.com. We respond within 30 days.

The Service is not directed at children under 13. We do not knowingly collect data from children under 13. If we learn that we have, we will delete it immediately. Contact privacy@hugmytools.com if you believe a child has used the Service.

We will notify registered users by email of material changes at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the current version.

Privacy inquiries: privacy@hugmytools.com

General contact: Contact page