Privacy Policy

EFFECTIVE: MAY 19, 2026  ·  LAST UPDATED: MAY 19, 2026

Watch Owl Labs ("we") builds offensive security tools. This privacy policy explains what data each of our products processes, where that data goes, and why. We do our best to be concrete rather than abstract — when a section says "we don't transmit X anywhere," that statement reflects what the code actually does.

This policy covers two products:

  • Hoot — our AI-powered security assessment agent. Runs locally on the operator's machine, with a web UI at http://localhost:7337.
  • Hoot Interceptor — a Chrome browser extension that captures HTTP/HTTPS traffic from the DevTools panel and uploads it to a local Hoot installation.

If you only care about one of them, jump to the relevant section.


Hoot

What Hoot processes

Hoot is a locally installed application. Everything an operator does in Hoot — engagements, sessions, findings, files, tools, reports, evidence — is stored on the operator's own machine, in the configured data directory (default ~/.hoot/).

The agent's reasoning model (Anthropic Claude) is called using the operator's own configured API key (see "Operator-initiated AI inference" below).

What Hoot transmits off the machine

Only two outbound calls exist by design:

  1. Authentication (operator-initiated). When the operator logs in or refreshes their session, Hoot calls Supabase Auth (our authentication provider) at the Supabase project URL configured in /api/config. Email and password (or refresh token) are transmitted; on success, a JWT is returned. This call only happens when the operator clicks "Sign in" or "Refresh."
  2. License heartbeat (daily). Hoot's license client sends a single POST request once every ~24 hours to the Watch Owl Labs license service. The payload contains exactly: license_key, install_id (a random UUID generated on first run), Hoot version, and os (platform string). It contains no operator identity, no engagement data, no target hostnames, no findings, no AI prompts, no file content.

Hoot does NOT transmit:

  • Engagement, target, session, finding, file, tool, or report data
  • AI prompts or model responses (those go to Anthropic, see below — never to Watch Owl Labs)
  • Telemetry, analytics, crash reports, or usage events
  • Browser cookies, IP addresses, or system fingerprinting data

Operator-initiated AI inference

When the operator chats with the Hoot agent, the agent calls the Anthropic Claude API using the operator's own configured ANTHROPIC_API_KEY. The contents of that exchange (prompts, tool results, referenced file content) are sent to Anthropic, which governs its own data handling under its terms: anthropic.com/legal/privacy.

Watch Owl Labs has no access to those API calls. The operator establishes the relationship with Anthropic directly by providing their own API key.

What Hoot stores at rest

Everything stays in the operator's ~/.hoot/ directory:

  • hoot.db — SQLite database with engagements, targets, sessions, findings, etc.
  • target_files/ — operator-uploaded artifacts and Hoot Interceptor captures
  • reports/ — generated assessment reports
  • evidence/ — screenshots, PoC outputs
  • .key — Fernet encryption key used to encrypt sensitive fields at rest
  • install_id — stable UUID identifying this install for license heartbeats

Operator-supplied secrets (Anthropic API key, tool credentials, JWT tokens, etc.) are encrypted at rest with the local Fernet key. They are never transmitted off-machine.

Hoot privacy posture summary

Aside from authentication and the license heartbeat, Hoot is a local-only application. No engagement data, no operator activity, no findings ever leave the operator's machine.


Hoot Interceptor

What the extension processes

While DevTools is open and the operator is actively browsing a target web application in the inspected tab, Hoot Interceptor reads the following from the browser's chrome.devtools.network API:

  • Web history — the URL of each HTTP/HTTPS request the inspected tab makes
  • Website content — the response body of each request (text, JSON, HTML, etc.)
  • Authentication information — request headers including Authorization, Cookie, and other auth-relevant fields
  • User activity — request method, status code, timing, and resource type per request

The extension does NOT capture mouse movements, keystrokes, clipboard content, page DOM, browser history outside the inspected tab, or any data outside the DevTools network panel.

Where the captured data goes

All captured data is sent ONLY to the user's local Hoot installation at http://localhost:7337.

The extension does NOT:

  • Transmit captured data to Watch Owl Labs servers
  • Transmit data to Google, advertisers, analytics providers, or any third party
  • Sell, share, or monetize captured data in any way
  • Store captured data on any remote server

The connection from the extension to Hoot is a local loopback request (localhost / 127.0.0.1). The data never leaves the user's machine.


Shared

Third-party services

Across both products, the only third parties involved are:

  • Supabase Auth (authentication provider): contacted by Hoot only when the operator signs in or refreshes a session
  • Anthropic (Claude API): contacted by the Hoot agent, using the operator's own API key, when the operator chats with the agent

The Watch Owl Labs license service receives only the daily heartbeat described above. Neither product uses analytics, advertising, error reporting, crash reporting, or telemetry providers of any kind.

Authorization and operator responsibility

Hoot and Hoot Interceptor are intended for offensive security professionals — penetration testers, red teamers, security engineers — who have explicit written authorization to test the target application. Operators are responsible for ensuring they have authorization to test or intercept traffic from any application they target with our tools.

Data retention

Watch Owl Labs retains no operator data beyond license heartbeat metadata, which is retained for service operation and aggregated for update-notification purposes but is not tied to any operator identity beyond the install_id UUID. Local data is retained on the operator's machine subject to the operator's own retention policy.

Contact

Questions about this policy or our data practices: