Legal

Privacy Policy

Effective May 28, 2026.


1. Who we are

The controller of personal data processed in connection with Hexink (the "Service") is the operator named in our Imprint ("we", "us"). For data-protection enquiries write to privacy@hexink.co.

2. What we process & why

We try hard to process as little as possible. The full list, with the GDPR legal basis under Art. 6 (1):

  • Anonymous sketching. If you never sign in, your drawings live entirely in your browser (IndexedDB + localStorage). We do not receive them. Only API calls that compute chemistry (formula, mass, reaction prediction) reach our backend — these contain the molecule data you submitted but no identifier we can tie back to you. Legal basis: Art. 6 (1) (b), performance of the contract you formed by using the tool.
  • Account data. If you create an account, we store your email address, a hashed password (Argon2id) or the subject identifier returned by Google when you sign in with Google, and a creation timestamp. Legal basis: Art. 6 (1) (b).
  • Session cookie (hx_session). A signed, HTTP-only cookie that keeps you logged in. Strictly necessary for authenticated routes; not used for analytics or advertising. Legal basis: Art. 6 (1) (b) and § 25 (2) Nr. 2 TTDSG.
  • Magic-link & password emails. When you request a magic link or reset your password we send a transactional email containing a one-shot token. The token is hashed at rest and expires quickly. We retain the dispatch record for delivery diagnostics. Legal basis: Art. 6 (1) (b).
  • Saved drawings. If you save a drawing to your library while signed in, we store the serialised molecule, the title you gave it, and created/updated timestamps, linked to your account. Legal basis: Art. 6 (1) (b).
  • Share links. When you mint a short link via /v1/shares, the payload and an opaque slug are stored server-side so the recipient can open it. If you were signed in at mint time, the row carries your owner ID so only you can later see who owns it — recipients and other signed-in users never see the owner. Legal basis: Art. 6 (1) (b).
  • Abuse-prevention log. The API records the IP address of failed administrative-access attempts and applies temporary bans for repeated probes. The address is sourced from X-Forwarded-For only when the request traverses a trusted proxy we operate — otherwise the direct socket peer is used (security review #3). Legal basis: Art. 6 (1) (f), our legitimate interest in keeping the Service available and secure. Bans expire automatically; rows older than 90 days are deleted.
  • Server & nginx logs. Standard request logs (timestamp, path, status, user-agent, truncated IP) are kept on the API host for up to 14 days for debugging and abuse triage. Legal basis: Art. 6 (1) (f).
  • Payment data. Subscriptions are processed by Stripe. We never see your card number; we receive a customer ID, the subscription state, and invoice metadata. Legal basis: Art. 6 (1) (b).
  • Free-tier advertising. The export celebration on the free tier embeds a Google AdSense slot for fifteen seconds before the download is released. AdSense may set cookies / read IP / read user-agent in order to serve and measure the ad. See § 4 below for the consent and opt-out flow. Legal basis: your consent under Art. 6 (1) (a) where consent is required; legitimate interest under Art. 6 (1) (f) for strictly non-personalised serving where that mode is selected.

3. Cookies & local storage

We classify storage by purpose:

  • Strictly necessary — the hx_session cookie (auth), any short-lived CSRF / nonce values, and the IndexedDB / localStorage keys the editor uses to remember the drawing you are currently working on. No consent required.
  • Preferences — small localStorage entries for editor settings (theme, hydrogen display, onboarding state). Stored client-side only.
  • Advertising — only set by the embedded AdSense slot, only on the free tier, only during the export celebration. See § 4.

We do not run third-party analytics (no Google Analytics, no Mixpanel, no session replay). Server-side logs are sufficient for the team's operational needs today.

4. Advertising (Google AdSense)

The free tier funds itself with a single AdSense slot inside the export-celebration dialog. The slot only mounts when a free-tier user triggers an export; Pro accounts never see it and never load the AdSense JavaScript. When the slot loads, Google may process your IP, user-agent, request URL, and ad-interaction signals to serve, measure, and combat fraud on the ad.

Joint responsibility. Google Ireland Limited acts as an independent controller for the advertising data it processes; we are the controller for the embedding decision. We have a data-processing arrangement with Google under Art. 26 GDPR for the shared portions of this processing.

Consent & opt-out. Where EU/EEA/UK consent is required (most cases), the AdSense slot operates in non-personalised mode unless you have granted consent through the on-screen prompt. You can withdraw consent at any time from the account page on the editor, or use Google's Ads Settings to disable personalised ads across all participating sites. You can also block the slot entirely with any standards-compliant content blocker; the celebration still releases the download after the timer.

Upgrading. Upgrading to Hexink Pro removes the slot permanently for your account and stops the AdSense JavaScript from loading for any export.

5. Who we share data with (sub-processors)

We use a small number of vendors to actually run the Service. Each receives only what they need:

  • Amazon Web Services (EU region) — hosting, object storage, transactional email through SES. Data processing agreement in place; SCCs where applicable.
  • Stripe Payments Europe Ltd — billing. You contract with Stripe directly for payment processing; we receive the metadata listed above.
  • Google Ireland Ltd — sign-in with Google (OAuth) when you choose it; AdSense for the free-tier export slot.
  • NodeSource / Astral — build-time package suppliers. No user data touches them.

We do not sell personal data and do not share it with advertising networks beyond the AdSense slot described in § 4.

6. International transfers

Our infrastructure runs in an EU AWS region. Where a sub-processor (Stripe, Google) transfers data to a country outside the EEA, the transfer is covered by Standard Contractual Clauses (Art. 46 (2) (c)) and the transfer-impact assessments the vendor publishes.

7. Retention

  • Account data: while the account exists, plus up to 30 days in encrypted backups after deletion.
  • Saved drawings: same as account.
  • Share links: until the owner deletes them, or 24 months of inactivity, whichever comes first.
  • Magic-link / password-reset tokens: invalidated on use; rows pruned after 24 hours.
  • Abuse-prevention bans & audit rows: 90 days.
  • Request logs: 14 days.
  • Stripe invoicing records: 10 years (statutory).

8. Your rights

Under the GDPR you have the right to: access your data (Art. 15), correct it (Art. 16), erase it (Art. 17), restrict processing (Art. 18), port it (Art. 20), and object to processing based on legitimate interest (Art. 21). Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights write to privacy@hexink.co — we respond within one month. You also have the right to lodge a complaint with your local supervisory authority (in Germany, the data-protection authority of the federal state where you reside).

Account deletion is available directly from your account page on the editor; it removes your stored drawings, your Stripe customer link, and your sign-in credentials.

9. Security

Connections are TLS-only (HSTS, no plain-text fallback). Passwords are hashed with Argon2id at production parameters. Session cookies are HTTP-only, Secure, and signed with a server-side secret. Administrative surfaces are protected by per-IP probe bans, additional rate limits, and an immutable audit ledger. Production dependencies are pinned with cryptographic hashes and verified at install time. See our codebase and the operational notes in our deployment runbook for the full picture.

10. Children

The Service is not directed at children under the age of digital consent in their country (16 in Germany). We do not knowingly collect data from such users; if you believe a child has provided us data, contact privacy@hexink.co and we will delete it.

11. Changes to this policy

We update this policy when we add a sub-processor, introduce a new processing purpose, or change a retention window. The effective date at the top of the page changes accordingly. Material changes trigger an in-app notice; minor edits do not.

12. Contact

Privacy enquiries: privacy@hexink.co. Postal address and company details are in the Imprint.