Privacy Policy for Heron

Effective Date: September 26, 2025

This Privacy Policy describes how Heron ("we," "us," or "our"), an open source client for the AT Protocol, handles your information.

We are committed to protecting your privacy. Heron is designed to function with maximum privacy and minimal data collection.


1. Information We DO NOT Collect or Save

As an open-source client, our philosophy is to not collect, store, or save any personal or usage information that is not essential for the core function of the AT Protocol service itself.

  • We do not collect or store your AT Protocol password.
  • We do not collect or store any identifying personal information (such as your name, email address, or IP address).
  • We do not use analytics, tracking cookies, or third-party services to monitor your activity within the application.
  • We do not collect or save data related to your in-app usage or browsing history (e.g., which posts you view).

2. Information We Handle (Data Created via AT Protocol API)

The only information handled by Heron is that which is necessary to connect you to and operate an AT Protocol server (like your Personal Data Server (PDS) host) via its xrpc endpoints.

Authentication

When you sign in to Heron, you provide your AT Protocol credentials directly to your designated AT Protocol server (PDS host) to receive an access token. This token is a credential that authorizes our application to interact with that AT Protocol server on your behalf (e.g., to load your feed, post new content, or follow users).

  • Your access token is stored locally on your device for the duration of your session to authenticate your requests to the AT Protocol server.
  • This access token is never transmitted to us (the Heron developer) or any other third party.
  • Your access token only grants access to your own account via the server's official AT Protocol API; it is not data collected by Heron.

User-Generated Content and Actions

Any content you create or any action you take using Heron (such as posting a new message, liking a post, following a user, or updating your profile) is immediately sent to your designated PDS host's xrpc endpoints. The data you create is then stored and managed by that AT Protocol server itself, not by Heron.

IMPORTANT: Since Heron connects to a Personal Data Server (PDS) chosen by you (which may be a third-party or self-hosted server), you must refer to the separate privacy policy of your chosen PDS and/or AT Protocol server for details on how they collect, store, and manage your data.


3. Data Storage and Open Source Transparency

Local Device Storage

Heron may utilize local storage on your device (e.g., your computer or phone's file system) to temporarily save your session's access token and possibly non-identifying application preferences (like the address of your PDS host, theme, or layout settings) to improve user experience. This data is not transmitted off your device.

Open Source Nature

Heron is an open source project. This means the complete source code is publicly available for anyone to inspect. This transparency allows users and security researchers to verify that the application only handles data as described in this policy.


4. Future Feature Development

We reserve the right to add more features to Heron in the future to support new use cases, such as custom feed creation or push notifications. If a new feature requires the collection, storage, or processing of any user data (even anonymous data) beyond what is outlined here, this Privacy Policy will be immediately updated to reflect those changes. We will take reasonable steps to notify our users of any significant changes.


5. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. You are advised to review this Privacy Policy periodically for any changes.


6. Contact Us

If you have any questions about this Privacy Policy, please contact us: