Privacy Policy

Last updated: March 2026

1. What We Collect

WatchGuard processes the following data during proof-of-watch validation:

• Device fingerprint: A SHA-256 hash derived from Android hardware identifiers (model, manufacturer, build). The raw identifiers are hashed on-device; we store only the hash.
• IP address: Used for ASN reputation scoring and datacenter detection. Not stored long-term; replaced with ASN metadata after session completion.
• Network data usage: Byte counts from the device's network interface during video playback. Used to verify real data transfer occurred.
• Watch-session metadata: Session timestamps, heartbeat timing, video ID, duration, and verdict. Retained for billing and audit purposes.
• Battery and uptime data: Device battery level and uptime at session start/end. Used for device consistency checks.

2. How We Use It

All data is processed for three purposes:

• Fraud detection: Multi-factor analysis to distinguish genuine human viewing from automated or emulated activity
• Billing: Session verdicts determine charges to operators under their billing agreement
• Service improvement: Aggregated, anonymised patterns help improve detection accuracy

We do not use collected data for advertising, user profiling, or any purpose unrelated to watch validation.

3. Data Retention

• Session records: Retained for 12 months, then automatically purged
• Device fingerprints (hashes): Retained while the device is active; deleted 90 days after last session
• IP addresses: Replaced with ASN metadata within 24 hours of session completion
• Billing records: Retained for 7 years as required by financial regulations

4. Data Sharing

We share data only as follows:

• Operators: Receive session verdicts, confidence scores, and verdict tokens. They do not receive raw device fingerprints or IP addresses.
• Payment processors: Stripe processes operator billing data. Subject to Stripe's Privacy Policy.
• Law enforcement: Only when compelled by valid legal process.

5. Security

All API communication uses HTTPS/TLS 1.2+. Session data is authenticated with HMAC-SHA256. Device fingerprints are one-way hashed. Database backups are encrypted at rest.

6. Your Rights

Under applicable data protection laws (including POPIA and GDPR where applicable), you may:

• Access: Request a copy of data we hold about your device or operator account
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data, subject to legal retention requirements
• Portability: Receive your data in a structured, machine-readable format

To exercise these rights, contact your operator (for end-user requests) or email us directly (for operator requests).

7. Cookies

The operator portal uses session cookies for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

8. Changes to This Policy

We will notify operators of material changes via email and update the "Last updated" date above. Continued use constitutes acceptance.