Privacy

This page explains what HWT collects, where it comes from, and what you can (and cannot) ask us to remove. It covers the website, the web “Submit Signal” flow, and the HWT browser extension.

Last updated: 2026-03-01GDPR-focusedNo adsNo third-party trackers

TL;DR

  • No real-world identity required: HWT does not require your real name, email address, or an account to submit signals.
  • No forced pseudonym: neither the web submit flow nor the Extension requires a pseudonym. The Extension optionally accepts a handle (used only to distinguish submissions during review); it can be any pseudonym and does not need to be your identity. If you log in to HWT, the pseudonym is not used.
  • Signals are kept: URLs (and attached tags/notes) are treated as project data and are not deleted on request, except where required by law or for safety/security reasons.
  • Pseudonyms are removable: if you ask, we will delete or disassociate your analyst pseudonym from stored submissions.
  • Operational/security logs exist: our infrastructure logs requests (including IP addresses) to keep the service reliable and to prevent abuse.

Key distinctions

Project dataSignals

Signals (URLs, tags, and your optional notes) are treated as information about web resources. They are kept as part of an OSINT dataset.

Personal dataPseudonyms and logs

Analyst pseudonyms and IP addresses in logs can be personal data. We handle them as personal data and support removal/disassociation of pseudonyms on request.

Website visits

Operational

When you access hwt.lv, our infrastructure logs requests for reliability, abuse prevention, and incident response.

  • IP address: recorded by the server (or partial IP, depending on configuration).
  • Request data: time, requested path, response status code.
  • Client data: User-Agent and basic headers.
  • Referrer: only if your browser sends it (HWT sets a strict referrer policy).

We also retain broader infrastructure logs (e.g., firewall/reverse-proxy/rate-limiting logs). These are not used for advertising or behavioral tracking.

These operational logs are not linked to submitted signals or analyst pseudonyms in normal operation, except where required for security/abuse investigations or by law.

Submit Signal (web)

Submission

When you submit a signal via the website, you send a URL and optional context.

  • RequiredSignal URL
  • OptionalTags
  • OptionalNotes

The web submission also creates standard operational logs (including IP address) as described under “Website visits”.

Browser extension

Submission

When you submit a signal via the Extension, it sends the page URL plus the metadata needed to operate the workflow. The Extension supports both anonymous and authenticated submissions.

  • RequiredSignal URL
  • OptionalAnalyst pseudonym (can be any handle; does not need to be your identity). Not sent when authenticated.
  • OptionalAnnotations (tags, note, selected text)
  • OperationalInstallation ID (a random UUID generated once when the Extension is installed; used solely for abuse prevention and rate limiting. It is not linked to your browser profile, device, or identity.)
  • OperationalClient metadata (extension version), page title, submission timestamp

Authentication

The Extension can optionally link to your HWT account. When you log in to hwt.lv in your browser, the Extension reads the session cookie (for the hwt.lv domain only) and verifies it with the server. If valid, submissions are linked to your account instead of a pseudonym.

  • Cookie access: limited to hwt.lv session cookies only. No other site cookies are read.
  • Session verification: the cookie value is sent to hwt.lv/v1/session over HTTPS. The server returns your display name and role. Your email address is not returned to the Extension.
  • No passive tracking: authentication status is only checked when you open the Extension popup or options page, never in the background.

Local storage

The Extension stores settings, submission history, and cached tag data locally in your browser. HWT receives those values only when you explicitly submit a signal. Submission history (last 200 entries) is stored locally and never sent to the server.

Signals and personal data

Signals (URLs, tags, and notes)

A signal is a URL plus optional context (tags and notes). We treat signals as facts about the web and as part of an OSINT dataset. Signals are not treated as personal data about the person submitting them. HWT does not delete submitted URLs, tags, or notes on request, except where required by law or where removal is necessary for safety/security (for example, during abuse investigations).

Free-text fields are user-supplied: if you include personal data in notes or selected text, you are choosing to submit that content. Do not submit secrets. If a signal contains clearly unnecessary personal data in free text, HWT may redact it where feasible.

Analyst pseudonyms

An analyst pseudonym can be personal data if it identifies (or could be linked to) a natural person. HWT treats pseudonyms as personal data. If you request removal, HWT will delete or disassociate your pseudonym from stored submissions while retaining the underlying signals.

Legal bases (GDPR)

  • Performance of a requested service (Art. 6(1)(b)): processing what you submit to perform the “submit signal” function.
  • Legitimate interests (Art. 6(1)(f)): operating and securing HWT; preventing abuse; maintaining reliability; running an OSINT collection/review workflow.
  • Legal obligation (Art. 6(1)(c)): where we must comply with applicable law or binding requests.

Retention

  • Signals and signal data: retained for the lifetime of the HWT project (the dataset is the purpose of the service).
  • Pseudonyms: retained while linked to submissions, until removed/disassociated on request.
  • Security/access logs: retained for a limited operational period (typically days to weeks), and longer where needed for security/abuse investigations or legal obligations.

Your rights and requests

If GDPR applies to you, you may have rights to access, rectification, restriction, objection, portability, and erasure regarding your personal data.

We honorPersonal data requests
  • Pseudonym removal/disassociation
  • Access/clarification about what personal data we hold about your pseudonym
We generally declineSignal erasure requests

Requests to delete signals (submitted URLs, tags, notes) are generally declined because signals are treated as project data (an OSINT dataset), not as personal data about the submitter.

Edge casesLegal and security
  • Legal obligations: we may remove or restrict content where required by law.
  • Abuse/security investigations: we may retain relevant logs or records to protect the service and its users.
  • User-supplied personal data: if a signal contains personal data in free text, we may consider targeted redaction where feasible.

Contact

Email

privacy@hwt.lv

You may use any email address. HWT does not require you to identify yourself beyond what is necessary to handle your request.

If your request is about a pseudonym, include the pseudonym string so we can locate it.