Privacy Policy

Effective April 1, 2026

Overview

HiveBear is an open-source desktop application and peer-to-peer mesh network for distributed AI inference, built by Beckham Labs LLC (“we”, “us”, “our”). This policy explains what data HiveBear collects, why, and how we protect it.

We designed HiveBear to be privacy-first. Your chat history never leaves your machine. Hardware details are anonymized before transmission. The desktop app contains zero analytics or telemetry. You can participate in the mesh with only a cryptographic key pair — no email or personal information required.

1. Desktop Application

Data stored locally on your device

Chat history— conversations are stored in a local SQLite database. They are never sent to our servers.
Configuration— inference settings, mesh preferences, and model cache paths.
Downloaded models— model files downloaded from HuggingFace, stored in a local cache directory.
Cryptographic identity— an Ed25519 key pair generated on first run, used as your pseudonymous mesh identity. The private key is stored in your operating system’s keychain (macOS Keychain, Windows Credential Manager, or Linux libsecret), never in plaintext config files.
API keys— optional cloud provider keys (OpenAI, Anthropic, etc.) are stored in your OS keychain.

Data sent to our coordination server

When you enable the mesh network, the desktop app communicates with our coordination server at mesh.hivebear.com. The following data is transmitted:

Anonymized hardware fingerprint— your hardware is not sent as raw details. CPU cores, RAM, and GPU VRAM are bucketed into broad categories (e.g., “8 cores”, “16 GB RAM”, “Mid-tier GPU”) and hashed with SHA-256. No individual device can be identified from this fingerprint.
Node ID— your Ed25519 public key, used as a pseudonymous identifier. It is not linked to your real identity unless you voluntarily create an email account.
Network information— your IP address is visible to the coordination server during registration and heartbeats. External IP addresses discovered via STUN are used for NAT traversal (peer-to-peer hole-punching) and are not stored permanently.
Heartbeats— periodic keep-alive messages sent while connected. Peers that stop heartbeating are removed from the server within 5 minutes.

Peer-to-peer mesh data

When participating in distributed inference, intermediate model computations (tensor data) are transmitted directly between peers. All peer-to-peer traffic is encrypted with QUIC (TLS 1.3). This data is ephemeral and never stored on any server.

Benchmark sharing (opt-in)

If you choose to share benchmark results with the community, the following is submitted: model name, quantization, inference speed (tokens/sec), peak memory usage, and your anonymized hardware fingerprint. A one-way hash of your identity is used for deduplication — your actual node ID is not stored with benchmarks. Community benchmarks are automatically deleted after 180 days.

Analytics and telemetry

The desktop application contains no analytics, telemetry, or tracking of any kind. No usage data is collected or transmitted. Logging is local only.

2. Accounts

HiveBear supports two authentication modes:

Device-key authentication (default)— uses your Ed25519 key pair via a cryptographic challenge-response. No personal information is required. You are identified only by your public key.
Email authentication (optional)— if you create an account, we collect your email address, display name, and a password. Passwords are hashed with Argon2id and never stored in plaintext. You may optionally link a device key to an email account.

3. Payments

Paid subscriptions (Pro, Team, Enterprise) are processed through Stripe. When you upgrade, you are redirected to a Stripe-hosted checkout page. We never receive, process, or store your payment card details. Our server receives only webhook notifications from Stripe to update your subscription tier.

We store your Stripe customer ID and subscription ID solely to manage your subscription status. See Stripe’s Privacy Policy for how they handle your payment data.

4. Website (hivebear.com)

Analytics

The hivebear.com marketing website uses Vercel Analytics and Vercel Speed Insights to measure page performance and visitor trends. These tools collect anonymized data including page views, referrer, device type, and Core Web Vitals. No cookies are used for analytics. This applies to the website only, not the desktop application.

Cookies

If you log in on the website, we set the following cookies:

Session cookies(httpOnly, secure) — contain your authentication token and refresh token. Used solely for session management.
Tier cookie— stores your subscription tier for UI display purposes.

We do not use advertising cookies, tracking pixels, or any third-party marketing trackers.

5. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

Stripe— payment processing, as described above.
Vercel— website hosting and analytics.
Mesh peers— when you participate in distributed inference, tensor data is shared directly with other peers in your swarm. This is the core functionality of the product and is encrypted in transit.
Legal obligations— we may disclose information if required by law, court order, or governmental request.

6. Data Retention

Data	Retention
Mesh peer registrations	Deleted after 5 minutes of inactivity
Auth challenge nonces	60 seconds
Login sessions	30 days
Community benchmarks	180 days
Chat history	Local only, until you delete it
Account data	Until you delete your account
Usage logs	Retained for billing accuracy

7. Security

Passwords are hashed with Argon2id, the current recommended password hashing algorithm.
Authentication tokens are stored as one-way hashes on the server — if the database were compromised, tokens cannot be extracted.
All peer-to-peer mesh traffic is encrypted with QUIC (TLS 1.3). The coordination server enforces HTTPS in production.
Sensitive secrets (private keys, API keys) are stored in your operating system’s native keychain, never in plaintext files.
The coordination server enforces strict CORS, rate limiting, and Ed25519 proof-of-key verification for peer registration.

8. Your Rights

You can:

Use HiveBear anonymously— device-key authentication requires no personal information.
Delete your account— removes your email, profile, and associated data from our servers.
Revoke API keys— immediately invalidates any issued keys.
Unlink devices— disconnect device keys from email accounts.
Leave the mesh— deregister from the coordination server and disconnect from all peers.
Delete local data— chat history, config files, and cached models can be removed at any time from your device.

If you are a resident of the European Economic Area, United Kingdom, or California, you may have additional rights under the GDPR, UK GDPR, or CCPA respectively, including the right to access, correct, or request deletion of your personal data. Contact us at the address below.

9. Children

HiveBear is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us and we will delete it.

10. Open Source Transparency

HiveBear is open source under the MIT license. You can audit exactly what data the application collects by inspecting the source code at github.com/BeckhamLabsLLC/HiveBear. The hardware anonymization logic, mesh protocol, and all data transmission code are publicly auditable.

11. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be announced via the GitHub repository and the HiveBear website. The “Effective” date at the top indicates the latest revision.

12. Contact

If you have questions about this privacy policy or your data, contact us at:

Beckham Labs LLC
privacy@hivebear.com