Privacy Policy
Last updated: April 2026
This Privacy Policy describes how CursorHop ("Company," "we," "us," or "our") collects, uses, and shares information when you use our desktop application, website (cursorhop.com), and related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
Information you provide
- Account information - When you create an account, we collect your email address and a hashed password. We do not store passwords in plain text.
- Payment information - When you purchase a license, payment is processed by Stripe. We do not store credit card numbers or full payment details. We receive and store your Stripe customer ID and transaction identifiers for billing records.
- Support communications - If you contact us for support, we collect the information you provide in your message (email address, description of the issue).
Information collected automatically
- Device information — When you register a device, we collect your device name (hostname), platform type (Windows or macOS), and a device fingerprint. The fingerprint is a one-way SHA-256 hash derived from hardware identifiers (such as the Windows MachineGuid or macOS IOPlatformUUID combined with the network adapter MAC address). The raw hardware identifiers are never sent to our servers — only the resulting hash. This fingerprint cannot be reversed to recover your hardware IDs and is used solely to enforce license limits, prevent trial abuse, and identify your registered devices.
- Login activity — When you sign in, we log your IP address and browser or application user agent string. This data is stored in your account for security monitoring and is visible in your account dashboard under login activity.
Information we do NOT collect
- Mouse movements, cursor positions, or pointer data
- Keystrokes, typed text, or keyboard input
- Clipboard content or copied data
- Files transferred between your devices
- Screen content, screenshots, or display data
- Usage patterns, browsing history, or application activity
- Analytics or telemetry of any kind — we do not use Google Analytics, Mixpanel, Sentry, or any third-party tracking service
- Crash reports — crash logs are stored locally on your device and are never sent to our servers
All input sharing (mouse, keyboard, clipboard, files) happens directly between your devices over your local network. This data never passes through our servers.
2. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Authenticate your identity and verify your license
- Enforce device limits according to your plan tier
- Process payments and issue receipts
- Send essential service communications (password resets, security alerts, purchase confirmations)
- Respond to support inquiries
- Improve the Service and fix bugs
We do not use your information for advertising, user profiling, or selling to third parties.
3. How We Share Your Information
We do not sell, rent, or trade your personal information. We share data only with the following service providers who are necessary to operate the Service:
- Stripe - Processes payments securely. Stripe receives your payment method details directly; we only receive transaction identifiers. See Stripe's Privacy Policy.
- Supabase - Hosts our authentication system and database. Data is encrypted at rest and in transit. See Supabase's Privacy Policy.
- Resend - Sends transactional emails on our behalf (purchase receipts, password resets). See Resend's Privacy Policy.
- Vercel - Hosts our website. See Vercel's Privacy Policy.
We may also disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4. Data Storage and Security
Server-side storage
Your account data is stored on Supabase's cloud infrastructure with the following protections:
- All data is encrypted at rest using AES-256 encryption
- All data transmitted between your device and our servers uses TLS 1.2+ encryption
- Passwords are hashed using bcrypt with industry-standard salt rounds
- Database access is restricted through row-level security policies
- Administrative access requires service-role authentication
Desktop application local storage
The CursorHop desktop application stores the following data locally on your computer:
- Authentication tokens — encrypted at rest using OS-level encryption (Windows DPAPI or macOS Keychain via Electron's safeStorage API). Stored in your application data directory (e.g., %APPDATA%/CursorHop/ on Windows, ~/Library/Application Support/CursorHop/ on macOS). Deleted when you sign out.
- Application database — a local SQLite database containing your app settings, screen layout configurations, paired device public keys, session history (device IDs and timestamps), and diagnostic logs (capped at 10,000 entries, auto-rotated). No account credentials are stored in this database.
- Cryptographic keypair — an Ed25519 keypair generated locally for encrypted device-to-device connections. The private key never leaves your device.
- Crash logs — stored locally for diagnostics. Never sent to our servers.
All locally stored data can be deleted by uninstalling the application or removing its data directory.
Device-to-device communication
When devices are connected, all communication between them is encrypted using the Noise Protocol (Noise_XX_25519_ChaChaPoly_SHA256) with full mutual authentication. Input events, clipboard contents, and file transfers are encrypted end-to-end and travel only over your local network — they are never routed through CursorHop servers.
Device discovery uses mDNS on your local network. During discovery, your device broadcasts its device name, platform, and an identifier to other CursorHop devices on the same network. This information does not leave your local network.
While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
5. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data - Retained until you request account deletion
- Device registrations - Retained until you remove the device or delete your account
- Payment records - Retained for up to 7 years for tax and legal compliance
- Support communications - Retained for up to 2 years after resolution
6. Your Rights
You have the following rights regarding your personal data:
- Access - You can view your account information, registered devices, and license details through your account dashboard at any time.
- Correction - You can update your account information through the dashboard or by contacting support.
- Deletion — You can delete your account and all associated data directly from your account settings. Account deletion permanently removes all server-side data, including your profile, license, device registrations, and login activity. You may also request deletion by contacting support@cursorhop.com.
- Data export - You can request a copy of all personal data we hold about you by contacting support.
- Withdraw consent - You can withdraw consent for non-essential communications at any time.
7. Cookies and Local Storage
Website (cursorhop.com): Our website uses the following cookies:
- Authentication cookies (sb-access-token, sb-refresh-token) — Essential, httpOnly cookies used to maintain your login session on the website. These are strictly necessary for the Service to function and cannot be disabled.
We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
Desktop application: The CursorHop desktop application does not use cookies. Authentication tokens are stored as encrypted files on your device using OS-level encryption (Windows DPAPI or macOS Keychain). See Section 4 for details on local data storage.
8. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly. If you believe a child under 13 has provided us with personal information, please contact us at support@cursorhop.com.
9. International Data Transfers
Your information may be stored and processed in any country where our service providers maintain facilities. By using the Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, through email notification or a notice on our website. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: