Privacy

This page explains what HWT collects, where it comes from, and what you can (and cannot) ask us to remove. It covers the website, the web “Submit Signal” flow, and the HWT browser extension.

Last updated: 2026-05-20GDPR-focusedNo adsNo third-party trackers

TL;DR

  • The browser extension is anonymous by default. It does not require sign-in and does not capture page content, browsing activity, screenshots, or archives. It sends only the URL of the tab you choose to submit, with the optional pseudonym and tags you add.
  • No real-world identity required: HWT does not require your real name, email address, or an account to submit signals.
  • Signals are kept: URLs (and attached tags) are treated as project data and are not deleted on request, except where required by law or for safety/security reasons.
  • Pseudonyms are removable: if you ask, we will delete or disassociate your pseudonym from stored submissions while keeping the underlying URLs.
  • Operational/security logs exist: our infrastructure logs requests (including IP addresses) to keep the service reliable and prevent abuse.

Key distinctions

Project dataSignals

Signals (URLs and tags) are treated as information about web resources. They are kept as part of an OSINT dataset.

Personal dataPseudonyms and logs

Analyst pseudonyms and IP addresses in logs can be personal data. We handle them as personal data and support removal/disassociation of pseudonyms on request.

Website visits

Operational

When you access hwt.lv, our infrastructure logs requests for reliability, abuse prevention, and incident response.

  • IP address: recorded by the server (or partial IP, depending on configuration).
  • Request data: time, requested path, response status code.
  • Client data: User-Agent and basic headers.
  • Referrer: only if your browser sends it (HWT sets a strict referrer policy).

These operational logs are not linked to submitted signals or analyst pseudonyms in normal operation, except where required for security/abuse investigations or by law.

Submit Signal (web)

Submission

When you submit a signal via the website, you send a URL and optional context.

  • RequiredSignal URL
  • OptionalTags
  • OptionalNotes

The web submission also creates standard operational logs (including IP address) as described under “Website visits”.

Browser extension

Submission

The extension is designed to send as little as possible. It is anonymous by default, requires no sign-in, and reads only the URL of the active tab when you click its toolbar icon. It does not capture page content, browsing activity, screenshots, or archives.

  • RequiredSignal URL (the active tab’s URL, optionally edited by you before submit)
  • OptionalPseudonym (free-text; can be any handle, leave blank to submit anonymously)
  • OptionalTags (short keywords you attach to a submission)
  • TechnicalInstallation ID (a random UUID generated once when the extension is installed, hashed before transit; used only for abuse prevention. Not linked to your browser profile, device, or identity.)
  • TechnicalClient metadata (extension version), page title, submission timestamp

Permissions

The extension declares activeTab and storageonly. The active tab’s URL is read only when you click the toolbar icon to open the popup. Nothing runs in the background; nothing reads other tabs.

Local storage

The extension stores your pseudonym choice and consent flags locally in your browser. HWT receives those values only when you explicitly submit a signal.

Account hash (for HWT account holders)

If you have an HWT account, you can find an account hash on your profile page — a string in the format hwt-XXXXXXXXXXXXXXXX. Pasting this hash into the extension’s pseudonym field links anonymous submissions to your HWT account on our side.

  • Optional. The extension never knows what the hash means. Submissions remain anonymous unless you choose to paste it.
  • No public display. The public view of a signal shows the hash, never your account name or email.
  • Erasable. You can ask us to remove the account-to-signal linkage at any time. The URL itself is kept (project data); only the linkage is removed. Contact privacy@hwt.lv.
  • Regeneratable. If you suspect your hash has been seen, regenerate it from your profile. The old hash stops working immediately.

Signals and personal data

Signals (URLs and tags)

A signal is a URL plus optional context (tags). We treat signals as facts about the web and as part of an OSINT dataset. Signals are not treated as personal data about the person submitting them. HWT does not delete submitted URLs or tags on request, except where required by law or where removal is necessary for safety/security (for example, during abuse investigations).

Analyst pseudonyms

An analyst pseudonym can be personal data if it identifies (or could be linked to) a natural person. HWT treats pseudonyms as personal data. If you request removal, HWT will delete or disassociate your pseudonym from stored submissions while retaining the underlying URLs.

Legal bases (GDPR)

  • Performance of a requested service (Art. 6(1)(b)): processing what you submit to perform the “submit signal” function.
  • Legitimate interests (Art. 6(1)(f)): operating and securing HWT; preventing abuse; maintaining reliability; running an OSINT collection/review workflow.
  • Legal obligation (Art. 6(1)(c)): where we must comply with applicable law or binding requests.

Retention

  • Signals (URLs, tags): retained for the lifetime of the HWT project (the dataset is the purpose of the service).
  • Pseudonyms: retained while linked to submissions, until removed/disassociated on request.
  • Security/access logs: retained for a limited operational period (typically days to weeks), and longer where needed for security/abuse investigations or legal obligations.

Your rights and requests

If GDPR applies to you, you may have rights to access, rectification, restriction, objection, portability, and erasure regarding your personal data.

We honorPersonal data requests
  • Pseudonym removal/disassociation
  • Account-to-signal linkage removal (account hash)
  • Access/clarification about what personal data we hold about your pseudonym or account
We generally declineSignal erasure requests

Requests to delete signals (submitted URLs, tags) are generally declined because signals are treated as project data (an OSINT dataset), not as personal data about the submitter.

Edge casesLegal and security
  • Legal obligations: we may remove or restrict content where required by law.
  • Abuse/security investigations: we may retain relevant logs or records to protect the service and its users.

Contact

Email

privacy@hwt.lv

You may use any email address. HWT does not require you to identify yourself beyond what is necessary to handle your request.

If your request is about a pseudonym, include the pseudonym string so we can locate it. If it’s about an account hash, include the hash (format hwt-XXXXXXXXXXXXXXXX).