Last updated: 16 May 2026
Herald is an independent, unofficial companion that lets you view your own activity from the platforms you connect — currently Discord, Reddit, YouTube, Twitch, and Bluesky — read public X (Twitter) posts, and see live crypto market data (Augur), on Meta Ray-Ban Display glasses and a companion website. This policy explains exactly what we store, why, and the control you have. We collect as little as possible and never sell data.
Herald is a product operated by Ascent (“we”, “us”) and hosted on the ascents.gg domain. The operating legal entity and data-controller identity are those of Ascent; where Ascent publishes company-wide privacy terms, those describe the controller and apply alongside this product-specific policy. For privacy or data requests, contact privacy@ascents.gg. Security reports: security@ascents.gg (see security.txt).
| Data | Why | Retention |
|---|---|---|
| OAuth access & refresh tokens for the platforms you connect via official OAuth (Discord, Reddit, Google/YouTube, Twitch) | To fetch your feeds and act on requests you make (e.g. vote, save). Stored encrypted at rest (AES-256-GCM) and only on our server — never on the glasses. | Until you disconnect or delete your data |
| Bluesky session token, derived from an app password you generate in Bluesky’s own settings and enter on the companion site | To show your Bluesky timeline & notifications. We exchange the app password for a session token and store only the token, encrypted — the app password itself is never stored. | Until you disconnect or delete your data |
| X (Twitter): the search terms and public @handles you choose to view | Herald reads public X posts through a third-party data provider using a server-side key — there is no X login and no X account is connected. Your query/handle is sent to that provider to return results; we don’t store X tokens. | Not retained beyond fulfilling the request (brief cache) |
| A stable account key (your Discord user ID, Reddit username, YouTube channel ID, or Bluesky handle) | So your settings follow you when you re-pair glasses or sign in on the web | Until you delete your data |
| Your preferences (subreddits, watchlist, quick replies, glance order, YouTube queue) | To curate what the glasses surface | Until you change or delete them |
| Compose “drafts” you start on the glasses | To finish/post them from the web (the glasses can’t compose long text) | Until completed, discarded, or deleted |
| Short pairing codes | To link a pair of glasses to your account | Auto-expires in 10 minutes |
| One secure session cookie (companion site) | Holds only a random session reference — never your tokens. When you pair, the browser you paired with is bound to your glasses’ session so you can manage connected accounts, preferences and drafts for those glasses from that phone. HttpOnly, Secure, SameSite=Lax. | 30 days, or until you sign out / delete your data |
| Guest (anonymous) sessions | “Browse as guest” — no account, no tokens, no personal data | Automatically deleted after ~7 days |
| Minimal server logs (method, path, status, timing, a one-way hashed session tag, and the requesting IP at our reverse proxy) | Reliability, abuse prevention, debugging | Rolling, short-term |
| Optional error reports | Diagnosing crashes. Sent to Sentry only if enabled; we do not attach tokens or message content. | Per Sentry’s defaults |
We do not use advertising, analytics SDKs, third-party trackers, or cookies beyond a single secure session cookie on the companion site. Most connections use the platforms’ own OAuth sign-in (Discord, Reddit, Google/YouTube, Twitch) — we never see or store those passwords. Bluesky has no OAuth, so it uses a revocable app password you generate in Bluesky’s settings and enter yourself on the companion site; we exchange it for a session token and do not store the app password. We never ask for your main platform passwords and do not create accounts on your behalf.
Pairing & the session cookie. Completing pairing (entering the code shown on your glasses) links the browser you used to that glasses session, via the cookie above, so the same phone can manage the connected accounts afterwards. That cookie carries only a high-entropy random reference — your encrypted tokens never leave the server and are never exposed to the browser. Because anyone who completes pairing with that code can manage that session, pair on a device you trust and somewhere your glasses’ code can’t be seen by others; the code expires in 10 minutes and each pairing is single-use. Sign out, “Delete all my data”, or 30-day expiry clears the binding.
When you view Discord or Reddit through Herald, that content may include other people’s posts and messages. Herald fetches it live to show you and does not retain it beyond what is needed to display it to you.
We never sell your data. We share it only with infrastructure providers needed to run Herald: our server host, our secrets manager (Doppler), and—if enabled—our error monitor (Sentry). To retrieve public content from some platforms, Herald also relies on third-party data providers: a third-party API for public X (Twitter) posts, and, only when YouTube’s official API is temporarily unavailable, public proxy instances for public YouTube metadata. Only the minimum needed to fulfil your request is sent to them (for example a search term or a public handle); your account tokens are never shared with these providers.
When you connect a platform, your activity is also governed by that platform’s own privacy policy: Google/YouTube, Reddit, Discord, Twitch, Bluesky. Herald’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements: Google/YouTube data is used only to provide and improve the features you use, is not sold, is not used for advertising, and is not transferred to others except as needed to provide the service, for security, or to comply with law. You can revoke Herald’s access to your Google account at Google security settings.
Tokens are encrypted at rest with AES-256-GCM and are never stored on the glasses, which hold only a short, revocable session reference. Traffic is HTTPS-only. Secrets are managed outside the codebase. No system is perfectly secure; report concerns to security@ascents.gg.
Herald is not directed to children. You must be at least 13 (or the minimum age in your country, and the minimum age of each platform you connect) to use it.
Herald is operated from, and data is processed in, the operator’s and providers’ jurisdictions, which may differ from yours. By using Herald you consent to that processing.
We’ll update this page and the “last updated” date when practices change. Material changes will be reflected before they take effect.