Privacy Policy

We don't want your data. Here's exactly what we do and don't collect.

The short version

Hugin is a local-first tool. Your traffic, your findings, your workflows — all of it stays on your machine. We have no analytics, no telemetry, no crash reporting, and no tracking of any kind. Accounts are anonymous. We don't want to know who you are.

What we don't collect

No email addresses. No passwords. No names. No usage analytics. No crash reports. No feature tracking. No A/B testing. No fingerprinting for advertising. No third-party analytics scripts. No social media trackers. No pixel tags. Nothing that profiles you or your behavior.

What we do store

Account identifier

When you create an account, you receive an anonymous ID in the format HGN-XXXXXXXX. We store a SHA-256 hash of this ID on our servers — not the ID itself. We cannot look up your account by any personal information because we don't have any. If you lose your account ID, we cannot recover it.

Payment records

If you purchase Pro, payments are processed by Stripe (card) or BTCPay Server (Bitcoin). We store the transaction ID returned by these processors for reconciliation and refund purposes. We do not store card numbers, bank details, or billing addresses. Stripe and BTCPay handle payment data under their own privacy policies.

Device fingerprints

To enforce the per-account device limit, we generate a SHA-256 hash from machine identifiers (hardware IDs, OS install ID) on your device. Only the hash is sent to our server. We cannot reverse it to identify your hardware. This hash is checked during license validation, which happens once every 24 hours.

Trial data

To prevent repeated trial claims, we store a device fingerprint hash and your IP address when you activate a trial. The IP address is stored as-is (not hashed) because hashing IPs from a small keyspace provides no real anonymity — we'd rather be honest about it. This data is used solely for lifetime trial cap enforcement.

Student verification

If you claim the free student Pro license, we store your GitHub user ID and username to prevent double-claiming. This is the only feature that links to an external identity. The GitHub data is used for nothing else.

The desktop application

Hugin runs entirely on your machine. All intercepted traffic, scan results, findings, repeater history, intruder attacks, decoded data, scope rules, and project files are stored locally in a SQLite database on your filesystem. None of this data is sent to our servers.

The only network calls the desktop app makes to hugin.nu are:

License checks — your account ID hash and device fingerprint hash, sent once per 24 hours to verify your license status. No other data is included in this request.

Update checks — a version number check against our release API. No identifying information is sent.

Collaboration

Hugin Pro includes real-time collaboration. All shared data (flows, findings, scope) is end-to-end encrypted before leaving your machine. Our server receives and relays encrypted blobs. We cannot read, inspect, or decrypt your shared data. The encryption keys never leave the collaborating devices.

Cookies

The hugin.nu website uses a single session cookie (hugin_session) for the web account portal. It is HttpOnly, Secure, and SameSite=Strict. We do not use third-party cookies. There are no advertising cookies, no analytics cookies, and no cross-site tracking cookies.

Server logs

Our web server records standard HTTP access logs: IP address, request path, status code, and timestamp. These logs are retained for 30 days for abuse prevention and infrastructure debugging, then automatically deleted. We do not correlate logs with account data.

Third parties

We do not sell, rent, share, or trade your data with anyone. The only third parties that receive any data are:

Stripe — if you pay by card. Stripe processes the payment and is subject to their own privacy policy. Stripe.js is loaded only on the checkout page, nowhere else.

BTCPay Server — if you pay with Bitcoin. This may be a self-hosted or a third-party instance, depending on configuration. It handles only the payment transaction.

No other third parties receive data from us. No analytics providers, no advertising networks, no data brokers.

Data location

Our servers are located in the EU. All data described on this page is stored and processed within the European Union.

Your rights (GDPR)

You can request deletion of your account and all associated data at any time via our contact page. Since accounts are anonymous, you will need to provide your account ID (HGN-XXXXXXXX) to identify which data to delete. We will delete the account hash, device fingerprints, payment records, and any trial data associated with your account.

Because we store minimal data and no personal identifiers, there is generally nothing to export under a data access request. But if you ask, we'll tell you exactly what we have.

Changes to this policy

If we change this policy, we'll update this page and note the date below. We won't start collecting data we said we wouldn't collect — that would defeat the entire point of building Hugin the way we did.

Last updated: March 2026