BeeSnare Privacy Policy
The short version
BeeSnare runs on your own device. It plants decoy credential files and alerts you when one is accessed. Almost nothing about you reaches us, because there is no BeeSnare account, no BeeSnare login, and no cloud database. Your decoys, your real credentials, your category labels, and your activity history stay on your device. The only things that ever leave your device are a phone alert that identifies nothing and your subscription payment, which is handled by a third party. This policy explains exactly what that means.
1. We do not run accounts or a cloud database
BeeSnare has no user registration, no email-and-password account with us, and no server-side login. "Unlocking" BeeSnare means decrypting a vault that lives on your own Windows device. We do not operate a server that stores your vault, verifies your identity, or holds your decoy data. We cannot reach your vault remotely, because there is nowhere remote for it to be.
2. What stays on your device and never reaches us
The following are created, stored, and used only on your device, and are never transmitted to us or to any server:
- Your decoy credentials (the fake passwords and fake email addresses, whether generated by BeeSnare or customized by you)
- Your real passwords and accounts (we never ask for, see, or store these)
- Your category labels, snare labels, and trap settings
- Your attack log and detection history
- Your vault password, if you set one (it is processed locally and never sent anywhere)
3. What leaves your device, and why
There is currently one way data leaves your device, plus an optional website visit. A second (phone alerts via the mobile companion) is coming soon.
a) The phone alert (only if you pair the mobile app). Coming soon When a decoy is accessed, your desktop sends one fixed message, "Your files have been accessed," to our alert relay, which forwards it to your paired phone as a push notification. The relay is an anonymous service hosted on Cloudflare. It stores only a random pairing identifier and the technical subscription your browser needs to receive push notifications. It does not receive or store which decoy fired, any label, any credential, your identity, or any vault data. The fixed message names nothing. The pairing identifier is random and is not linked to you, your device, or your vault.
b) Subscription and payment. Payments are handled by Polar, our payment provider and merchant of record. When you subscribe, Polar collects and processes your payment and billing information under Polar's own privacy policy. We do not store your card details. At startup, BeeSnare makes one request to Polar to confirm your license key is active; this request sends only the license key and a BeeSnare organization identifier, and never any vault or decoy data. If the check fails, BeeSnare simply falls back to the free tier; your vault stays accessible either way.
c) Software updates. The desktop app checks for software updates, delivered through GitHub Releases (GitHub, Inc., a Microsoft company). An update check transmits only the technical information needed to offer the correct update, such as your current app version and your operating-system platform, plus your IP address (inherent to any internet request). It sends no vault or decoy data. Updates are cryptographically signed, and the app verifies the signature before installing, so only authentic BeeSnare updates are applied. Updates install automatically.
d) The mobile web app and website. Coming soon The mobile companion will be a Progressive Web App at app.beesnare.com, hosted on Cloudflare. It will use no analytics or tracking cookies; it will store only what your browser needs to receive alerts (a push subscription and minimal local storage). The desktop app uses no cookies or web tracking.
4. Third parties that may receive data
| Provider | Role | What they receive |
|---|---|---|
| Cloudflare, Inc. | Hosts the anonymous alert relay (Worker + KV) and the mobile web app (app.beesnare.com) coming soon | A random pairing identifier and your browser push subscription. No vault data, no identity. |
| Polar | Payment provider and merchant of record | Your payment and billing information at purchase; the license key and organization identifier at startup validation. |
| GitHub, Inc. (a Microsoft company) | Delivers desktop software updates (GitHub Releases) | Your app version, platform, and IP address when the app checks for or downloads an update. No vault or decoy data. |
| Your browser's push service (Google, Apple, Mozilla, or Microsoft) coming soon | Delivers push notifications to your phone | An encrypted push payload containing only the fixed alert string. The payload content is end-to-end encrypted and cannot be read by the push service. |
We do not sell your personal information, and we do not share it for advertising.
5. Data retention
- On-device data (vault, decoys, labels, attack log) stays until you delete it or wipe the vault. We never receive it, so we cannot retain it.
- The push pairing record on Cloudflare (mobile alerts, coming soon) expires automatically 90 days after the last successful delivery, and is renewed on each delivery.
- Payment and billing data is retained by Polar under Polar's policy and applicable financial-record laws.
6. Your choices and rights
- Stop the phone alerts / delete the pairing coming soon: unpair the mobile app, or let the 90-day expiry lapse.
- Delete your on-device data: use the in-app vault wipe, which irreversibly deletes all vault data from your device.
- Payment and billing data: contact Polar at support@polar.sh.
- Access, correction, deletion, and other rights under laws such as the GDPR/UK GDPR and the CCPA/CPRA: contact us at support@beesnare.com. Note that we cannot access on-device data we never receive.
7. Security
Your vault is encrypted at rest on your device. Access is tied to your Windows user account. If you set an optional master password, it is processed on your device using a memory-hard key derivation function (Argon2id) and is never sent to us. We do not operate accounts or servers that store your vault, and we cannot access your vault remotely.
8. Children
BeeSnare is not directed to children under 16, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact support@beesnare.com.
9. International users
BeeSnare is operated from Texas, USA. Our payment provider and infrastructure providers may process limited data (as described above) in other countries. Where required, we rely on appropriate safeguards for any such processing.
10. Changes to this policy
We may update this policy. We will post the updated version with a new effective date, and for material changes we will provide reasonable notice.
11. Contact
BeeSnare, Rachel Brown · support@beesnare.com · Payment/billing: support@polar.sh (Polar)