Privacy
Effective June 30, 2026
The short version
AnchorGrid collects the minimum data needed to run iOS remote support sessions and operate a workspace: account info you provide, session metadata, and audit logs. We do not store the contents of screen-share video. We do not sell data or share it for advertising. We use a small set of named infrastructure providers, listed below.
What we collect
Account information. Name and email address when you accept an invitation or sign up. If you set a password, we store only its bcrypt hash, never the password itself. If you sign in via Microsoft 365, we receive your profile email and display name from Microsoft.
Session metadata. When a technician joins a session, we record: timestamp, the technician's identity, the IP address the connection came from, the transport path used (direct-LAN vs. relayed), and the device name the iOS app reported. This is what powers the audit log inside your workspace.
Audit events. Workspace changes (member added or removed, role changed, support-access grant enabled or revoked, tenant settings updated) are recorded with the actor's identity and a timestamp.
What we do NOT collect. The contents of the iOS screen during a session are relayed in real time and never stored on our servers. No video recording, no frame logging, no audio capture.
Screen sharing: what a technician can see
A support session shares the end user's live screen with a technician. This is the most significant privacy surface in AnchorGrid, so to be explicit about it:
- View-only. The technician can see the screen but cannot tap, type, or control the device. iOS does not permit one app to control the device on another person's behalf, so remote control is not possible.
- Consent-driven. Nothing is shared until the end user starts a session, confirms an in-app consent screen (which names the technician and their verified workspace), and then confirms the iOS system broadcast prompt.
- Visible while active. iOS shows its own recording indicator for the entire session. Only what is on screen is shared, and only while the broadcast is active. Nothing is captured before the user presses Start or after they stop.
- No microphone. AnchorGrid never captures or transmits device audio.
- No file access. AnchorGrid cannot reach files, photos, or passwords on the device. The technician sees only what the end user chooses to show on screen.
- Not recorded. The screen is streamed live for the session and is not saved by AnchorGrid as a video recording.
Because the technician sees whatever is on screen, end users should avoid displaying passwords or other sensitive information they do not want the technician to see during a session. A plain-language explainer that can be forwarded to end users lives at docs.anchorgrid.io.
Cookies and tracking
We use one cookie: anchorgrid.sid, an httpOnly session cookie that keeps you signed in. It is scoped to your workspace domain and to anchorgrid.io. We do not use third-party analytics, advertising cookies, or cross-site tracking.
Sub-processors
AnchorGrid runs on infrastructure operated by third parties. They process data on our behalf strictly to deliver the service:
- Railway: application hosting and database
- Cloudflare: DNS, TLS, and CDN at the edge
- Fly.io: the TURN relay server used as a fallback network path (see below)
- Resend: transactional email (invitations, verifications, notifications)
- Sentry: error monitoring; events are scrubbed of cookies, tokens, and email addresses before they leave our systems
Session video is sent peer-to-peer between the iOS device and the technician's browser whenever the network allows. When a firewall blocks a direct path, the encrypted media is relayed through a TURN server (Fly.io). That relay forwards the encrypted packets without decrypting them, so no third-party service can see the screen contents.
We do not share data with any other third parties. We do not sell data. We do not use data to train machine-learning models.
How long we keep things
Account and workspace data persists for as long as the workspace is active. Deleting a workspace removes the records, with a brief backup-retention window for disaster recovery (typically 30 days).
Session codes expire 10 minutes after they're generated, or as soon as a technician claims one (single-use). After a claimed session ends, the row is retained for audit purposes; expired-but-unclaimed codes are deleted within five minutes by a background prune.
Audit logs persist indefinitely while the workspace exists, because that's what makes them useful as an audit trail.
Your rights
You can request an export of the data AnchorGrid holds about you, request its deletion, or request correction of any inaccurate fields, by emailing the address below. We'll respond within 30 days. If you are in a jurisdiction with GDPR, CCPA, or similar regulations, these rights exist regardless of this policy.
Workspace administrators can directly edit member identities, remove members, and view the audit log from the Settings and People pages inside the workspace. Members can update their own profile from the Account page.
Security
All traffic is served over HTTPS. The WebRTC media path is encrypted by the protocol itself. Passwords are stored as bcrypt hashes (cost factor 10) and are never recoverable. Cross-tenant reads are blocked at the application middleware layer: a session for workspace A cannot return any data from workspace B.
AnchorGrid does not currently hold SOC 2, ISO 27001, or HIPAA certifications. The underlying providers (Railway, Cloudflare) hold certifications relevant to their layer.
Changes to this policy
When we change this policy materially, we'll update the “effective date” above and email workspace administrators. For non-material changes (typos, clarifications) we'll just update the page.
Contact
Questions about this policy, or about how AnchorGrid handles your data: alex.cthompson97@gmail.com.