PRIVACY.md

Privacy Policy

Effective: 14 April 2026

Kaption is a small indie project. This policy tells you what the app and the website collect, what they don't, and what you can do about it. We try to write this the way we'd want to read it — plainly, with examples.

// What we collect

  • 01. OAuth identity. When you sign in with Google or Discord, we receive your email address, display name, and avatar URL. We do not see your password. We store: a generated account UUID, the email, name, avatar, which provider you used, the provider's user ID, your tier (free beta / free / paid), and timestamps for account creation and last login.
  • 02. Activation metadata. When the desktop app activates on a device, we store a SHA-256 hash of a soft machine fingerprint (CPU model, motherboard UUID, first boot disk serial), a device label you can edit, and timestamps. The fingerprint is hashed before it reaches the server; the raw values never leave your machine.
  • 03. Activity events. Activation, heartbeat, download, and revocation events are logged with a timestamp and an SHA-256 hash of your IP (salted daily, so the hash rotates). We use these to investigate abuse and to show you a device list. Raw IPs are never stored.
  • 04. Optional crash reports. If you opt in from Settings -> Diagnostics, the desktop app sends exception stack traces to Sentry. We strip file paths that contain your username before sending. Opt-in is off by default. You can revoke consent at any time.
  • 05. Website analytics. None. No cookies beyond the session cookie set when you log in. No Google Analytics, no Plausible, no Fathom. The only request that leaves kaption.one is to Cloudflare itself (which handles CDN + edge caching).
  • 06. Acquisition source. If you arrive via a link that carries ?src=... or utm_source=... (e.g. a post in our Discord), we store that slug and standard UTM fields in your browser's localStorage for 30 days. As a fallback when no URL parameter is present, we also check the referring site's hostname (e.g. facebook.com, youtube.com) and map it to a generic channel slug. When you sign up, the slug is saved to your account record so we can count signups per channel and grant channel-specific bonuses. We also record one anonymous hit per unique browser + channel + day (stored server-side with a hashed IP subnet, 90-day retention) so we can measure conversion rates. No raw IP, no cross-site identifiers, no third-party analytics.

// What we don't collect

  • No screenshots, no pixel data, no OCR results. Screen content never leaves your machine.
  • No game files, no game memory, no save data.
  • No keystrokes, no mouse input.
  • No tracking cookies, no ad pixels, no third-party scripts on the landing page.
  • No raw IP addresses (we only store salted hashes).

// Where your data lives

Everything server-side runs on Cloudflare. User records sit in Cloudflare D1 (their serverless SQLite), installer files in Cloudflare R2. We request EU-region placement for both. Cloudflare is our sole processor; we don't share data with third parties except:

  • Google and Discord, during OAuth (they get nothing from us; we get your public profile from them).
  • Sentry, only for opted-in crash reports, with path-stripped payloads.

// How long we keep it

  • Account data: as long as you have an account. Delete the account and it's gone.
  • Download logs: 90 days, then purged.
  • Desktop app logs: kept on your machine at %APPDATA%\Kaption\Logs for 30 days, then rotated out. Never uploaded.
  • OAuth state nonces: 10 minutes, then deleted.
  • Crash reports: 30 days in Sentry (we don't extend their default).

// Your rights (GDPR)

If you're in the EU/UK, GDPR gives you the right to access, correct, delete, export, or restrict processing of your data. The desktop dashboard has a "Download my data" button (JSON export) and a "Delete my account" button. You can also email contact@kaption.one from your signed-up address and we'll process your request within 30 days.

You can also complain to your local data-protection authority. In Poland that's UODO.

// Cookies

One cookie, set only if you log in. Name: kaption_session. Purpose: keep you logged in. HttpOnly, Secure, SameSite=Lax. Expires after 30 days of inactivity. Clearing it logs you out. No tracking cookies, no consent banner needed — the session cookie falls under the "strictly necessary" exemption.

// Changes

If we change how data is collected or shared, we'll update the date at the top and note what changed in the changelog. For material changes (new third-party processor, new data category) we'll email signed-up users before the change takes effect.

// Contact

Data controller: Kaption (sole developer), Poland. Email: contact@kaption.one.