HEIMO is a tactical companion app for Star Citizen squads. We help organizations coordinate operations, manage rosters, track resources, and integrate with tools like Google Calendar. This document explains what data we collect, why we collect it, and how we keep it safe.
We try to write this in plain English. If anything is unclear, email rodriguezp809rd@gmail.com and we'll explain.
What we collect
- Account info from Discord. When you sign in with Discord, we store your Discord ID, display name (handle), and avatar URL. We don't see your Discord password or message history — Discord handles authentication, we just receive your identity tokens.
- Org membership. Your role within your squad (leader, lieutenant, operative, applicant, tech) and any feedback ratings other members give you.
- Operations you create or join. Mission intent, briefing, scheduled time, squad assignments, route waypoints, loadout, outcome notes.
- Resources and ships you register. Cargo inventory, ship models you own, who's flying what.
- Google Calendar tokens (only if you connect). If you opt in to Google Calendar sync via Settings, we store the OAuth refresh token Google issues for your account. This token lets us push HEIMO operations to your calendar; it doesn't let us read other events you have. You can disconnect at any time and we'll delete the token plus revoke our access.
- Audit log entries. Who changed what (member promotions, operation transitions, etc.). Useful for squad leadership; we don't share it externally.
- Browser/device info. Standard server logs (IP address, user agent, request timestamps) kept by our hosting provider for security and debugging. Auto-deleted after ~30 days.
We do not collect your real name, address, phone number, government ID, payment info, or anything else not listed above.
How we use it
- To make HEIMO work — show you your squad, your ops, your resources, etc.
- To enforce permissions (e.g., only leaders can promote members).
- To push your scheduled operations to Google Calendar, if you connected it.
- To send Discord webhook notifications to channels your squad has configured.
- To investigate and fix bugs when something breaks.
We do not sell, rent, or trade your data with anyone. We don't use it for advertising. We don't use it to train AI models.
Google API Services User Data Policy
HEIMO's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Specifically, when you connect Google Calendar to HEIMO:
- We only request the calendar.events scope, which lets us create and edit events. We cannot read events created by other apps or read your other calendar settings.
- Calendar data we receive is used only to push HEIMO operations to your calendar. We don't analyze, aggregate, or sell calendar data.
- We do not transfer Google user data to third parties except as needed to deliver the service (i.e., our hosting provider Vercel and our database provider Supabase, both of which are processors bound by their own privacy commitments).
- We do not use Google user data to serve ads, build user profiles, or train machine learning models.
- No human at HEIMO reads your Google data, except (a) with your explicit consent for support purposes, (b) as needed for security investigations, or (c) to comply with applicable law.
Who we share data with
- Supabase — our database provider. They host your data on encrypted disks and have their own privacy policy.
- Vercel — our application hosting provider. They handle web traffic and see standard server logs. Their privacy policy covers their handling.
- Discord — only when your squad has configured a Discord webhook URL, we POST mission summaries to that channel. Discord doesn't share that data back.
- Google — only if you connected Google Calendar; we send event details (title, time, description) to push them to your calendar.
- UEX, Star Citizen Wiki, Regolith — we read public game data from these sources. We do not send any of your personal data to them.
Data protection
We protect your data — especially the sensitive bits like Google Calendar tokens — with a combination of transport encryption, at-rest encryption, strict access controls, and minimum-scope design. Specifically:
- Encryption in transit. All HEIMO traffic — between your browser and our servers, between our servers and Supabase, and between us and Google — uses TLS 1.2 or higher. Plain HTTP is never accepted.
- Encryption at rest. The Supabase Postgres database storing your data is encrypted on disk by Supabase's infrastructure (AES-256). Vercel's edge storage similarly encrypts every blob at rest.
- Google Calendar tokens are isolated. Refresh and access tokens live in a dedicated gcal_tokens table protected by Postgres Row-Level Security (RLS) policies that deny read access to every authenticated user, including the token's owner. Only HEIMO server actions running with the service-role key can read the tokens, and they only do so to refresh expired access tokens or push events you authorized. The tokens never reach the browser.
- Minimum-scope OAuth. When you connect Google Calendar we request https://www.googleapis.com/auth/calendar.events only. We do not request calendar.readonly, calendar (full access), or any other scope. This means we cannot read calendars created by other apps and cannot see your account email address.
- Token revocation on disconnect. Settings → Google Calendar → Disconnect performs three actions: deletes the row from gcal_tokens, calls Google's OAuth revocation endpoint to invalidate the refresh token server-side at Google, and removes any cached metadata from the UI state. Once you disconnect, even if our database leaked, the leaked tokens would be useless.
- Authentication-layer access controls. Every database query goes through Postgres RLS policies that gate reads/writes by your authenticated member row. A signed-in operative cannot read another squad's data, and an applicant cannot read leadership-only fields. Permissions are enforced at the database layer, not just in app code, so a server bug cannot bypass them.
- End-to-end encryption for squad-broadcast events. The Game Log Engine's squad-sync layer (introduced in HEIMO 0.13) encrypts every broadcast event with a per-squad symmetric key (XSalsa20-Poly1305 / libsodium semantics) and signs each one with a per-member Ed25519 key. The Supabase Realtime server cannot read the contents of these broadcasts — it relays opaque ciphertext.
- Local-only secrets. Cryptographic keys for the squad-broadcast layer never leave your computer. They are stored in the Windows Credential Manager (which uses DPAPI for encryption) and never transmitted to our servers. If our database leaked, no broadcast events could be decrypted by the attacker.
- Encrypted offline buffer. When HEIMO queues outgoing broadcasts during a network outage, they are stored on your local disk encrypted with a key derived from your local-only identity secret. A copied disk file from another machine cannot be decrypted.
- Retention. Standard server logs (IP, user agent, timestamp) are kept by our hosting provider for ~30 days, then auto-deleted. Audit log entries inside HEIMO live as long as the squad does. On account deletion (see “Your rights”) we delete or anonymize all your data within 30 days.
- Incident response. If we discover a breach affecting your data, we will notify you within 72 hours via the email associated with your account and post an in-app changelog entry, even where local law does not strictly require it.
- Limited human access. No HEIMO operator routinely reads your Google data, your audit log, or your operations. Access to production data is restricted to the project owner, only for security investigations, support requests with your explicit consent, or compliance with applicable law.
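The token isolation described under "Google Calendar tokens are isolated" can be expressed in Supabase Postgres as follows. This is an added illustration, not HEIMO's actual schema: the column names and the commented-out policy are assumptions, while `anon`, `authenticated`, `service_role` and `auth.uid()` are the standard Supabase roles and helper.

```sql
-- Added example. Column layout is assumed; only the table name comes from the policy text.
create table public.gcal_tokens (
  member_id     uuid primary key,      -- assumed to equal the Supabase auth user id
  refresh_token text not null,
  access_token  text,
  expires_at    timestamptz
);

-- Weak variant, shown for contrast and left commented out: an owner-read policy
-- lets the browser client select its own refresh token, so the token reaches the client.
-- create policy "owner can read own tokens" on public.gcal_tokens
--   for select to authenticated using (auth.uid() = member_id);

-- Hardened variant: enable RLS and define no policy for client roles.
-- With RLS on and no applicable policy, Postgres returns no rows to anon or
-- authenticated, the token's owner included. Supabase's service_role bypasses RLS,
-- so only server-side code holding the service-role key can read the table.
alter table public.gcal_tokens enable row level security;

-- Defence in depth: drop table-level grants as well, so a policy added later
-- by mistake still cannot expose tokens to client roles.
revoke all on table public.gcal_tokens from anon, authenticated;

-- Audit query: every row returned is a finding to fix.
select 'RLS disabled on gcal_tokens' as finding
  from pg_class
 where oid = 'public.gcal_tokens'::regclass
   and not relrowsecurity
union all
select 'policy present: ' || policyname::text
  from pg_policies
 where schemaname = 'public'
   and tablename  = 'gcal_tokens'
union all
select 'client grant present: ' || grantee::text || ' ' || privilege_type::text
  from information_schema.role_table_grants
 where table_schema = 'public'
   and table_name   = 'gcal_tokens'
   and grantee in ('anon', 'authenticated');
```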
Your rights
- Access — you can see most of your data inside HEIMO. For raw exports, email us.
- Correction — most fields you can edit yourself in your profile.
- Deletion — email us and we'll delete your account and associated data within 30 days. Operations you created will be anonymized (so the squad's history isn't broken).
- Disconnect Google Calendar — Settings → Google Calendar sync → Disconnect. We delete your tokens immediately and revoke our access at Google's side.
Cookies and tracking
We use one essential cookie to keep you signed in (a Supabase auth session token). We don't use analytics cookies, tracking pixels, or third-party advertising trackers.
Children
HEIMO is intended for Star Citizen players, who are typically 13+ per Star Citizen's own terms. We don't knowingly collect data from children under 13. If you believe a child has given us their data, email us and we'll delete it.
Changes to this policy
We'll update this page if our practices change. Material changes (e.g., new third parties, new data types collected) will be announced in HEIMO's in-app changelog before taking effect.