How we handle your data
We collect account information (email, hashed password), usage data (last login, settings preferences), security tool credentials (encrypted with AES-256-GCM at rest), and AI API keys (encrypted, never returned to the browser). We do not collect or store the contents of your security alerts beyond what is necessary to render the dashboard.
Account data is used solely to authenticate and personalise your experience. Credentials are used only to make API calls to your connected tools on your behalf. We do not sell, share, or use your data for advertising. AI API calls are made directly from our servers to Anthropic under your own API key — we do not log the content of those calls.
All data is stored in encrypted Redis (Upstash) hosted in the US. Credentials are encrypted with AES-256-GCM before storage. Passwords are hashed with bcrypt. Session tokens are HMAC-signed. TLS is enforced on all connections.
You may delete your account and all associated data at any time via Settings → Account → Delete Account. For data requests or questions, contact us at privacy@getwatchtower.io.
We use a single session cookie (httpOnly, secure, sameSite=strict) for authentication. No tracking or advertising cookies are used.
Watchtower Ltd · privacy@getwatchtower.io · Registered in England & Wales