Privacy Policy
Last updated: 2026-04-24
// Data controller
Michał Wojciechowski DEV
ul. Wałowa 3a/10, 37-450 Stalowa Wola, Poland
NIP: 9452272167 · REGON: 525109472
Contact: contact@kaption.one
We have not appointed a separate Data Protection Officer — for now, all privacy matters go to the address above.
// Short version
If you sign up, we store your email, name, and avatar (from Google or Discord). If you buy a plan, LemonSqueezy handles the payment — we only see what they tell us (tier, expiry, order ID). The desktop app runs OCR on your screen locally; screenshots and dialogue text never leave your machine. We don't use Google Analytics, we don't run ads, and we don't sell anything. The only cookies we set are the ones that keep you logged in.
// What we collect
Per category: what · why (legal basis under Art. 6(1) GDPR) · where it lives.
Waitlist email
Email address if you joined the waitlist. Legal basis: consent — Art. 6(1)(a). Stored in: Supabase.
OAuth profile (Google / Discord)
Name, email address, avatar URL, and the provider-side user ID. We never see your password. Legal basis: contract — Art. 6(1)(b) (to let you log in and manage your license). Stored in: Cloudflare D1.
License purchase metadata
Order ID, tier (30/180 days), purchase and expiry dates. Card data is handled end-to-end by LemonSqueezy — we never see it. Legal basis: contract — Art. 6(1)(b); plus legal obligation for invoicing/accounting — Art. 6(1)(c). Stored in: Cloudflare D1 + LemonSqueezy.
Session cookies
An HttpOnly JWT cookie (kaption_session) after sign-in and a non-HttpOnly hint cookie (kaption_signed_in) so the page knows whether to ask the server about you. Legal basis: legitimate interest — Art. 6(1)(f) (keeping you logged in). Stored in: your browser.
Device registration
Up to two machines per account: a friendly device name (e.g. your Windows hostname) and a hashed device fingerprint. Legal basis: contract — Art. 6(1)(b) (to enforce the two-device cap). Stored in: Cloudflare D1.
Feedback submissions
Free-text message you send through the Setup Wizard plus the account it came from. Rate-limited to 5 per IP per day. Legal basis: legitimate interest — Art. 6(1)(f) (improving the product). Stored in: Cloudflare D1.
Vote fingerprint
A random hash generated in your browser when you vote for a language. Not linked to your email, IP, or account — it just blocks duplicate votes. Legal basis: legitimate interest — Art. 6(1)(f). Stored in: Supabase + your browser's localStorage.
Opt-in crash reports
Sent only if you ticked the box on the first-run EULA dialog. Contains a stack trace, OS version, app version, and a machine fingerprint — no personal files, no dialogue text, no screenshots. You can turn it off anytime in Settings. Legal basis: consent — Art. 6(1)(a). Stored in: GlitchTip.
// What we do NOT collect
- ✓ Screen contents. OCR runs locally on your machine — no screenshots, no dialogue text, no game footage is ever uploaded.
- ✓ Card numbers. Payments go through LemonSqueezy end-to-end; our servers only receive webhook events.
- ✓ No Google Analytics, Facebook Pixel, Hotjar, ad trackers, or behavioural profiling of any kind.
- ✓ Your game account credentials. The app never touches the game client.
// Cookies and local storage
We set exactly two cookies, both strictly necessary:
- --
kaption_session— HttpOnly JWT that keeps you logged in across pages. Set only after you sign in via Google or Discord. - --
kaption_signed_in— a non-HttpOnly flag so the page knows whether to call/api/me. Saves round-trips for anonymous visitors.
Both fall under the "strictly necessary" carve-out in the ePrivacy Directive (Art. 5(3)) — authentication cookies needed to deliver a service the user explicitly requested do not require a consent banner. That's why we don't show one. If you sign out or clear your cookies, both are removed.
Separately, the site uses your browser's localStorage to remember a few preferences between visits:
- -- Whether you joined the waitlist (so the form shows a confirmation instead of asking again).
- -- Your preferred site language.
- -- Your vote choice and vote fingerprint (duplicate-vote prevention).
- -- First-run flags (to avoid showing welcome banners twice) and, if you arrived via a referral or attribution link, the code that brought you in.
localStorage entries are first-party only and never shared with third parties. You can clear them at any time via your browser settings.
// Third parties (processors)
The following providers process data on our behalf under Art. 28 GDPR data-processing agreements. Each link below goes to their own privacy policy.
Cloudflare
Hosts this landing page, the api.kaption.one Worker, and the D1 database (accounts, devices, feedback). May log IP addresses and request headers for abuse protection. Privacy policy.
Supabase
Hosts the legacy waitlist and language-vote tables. Privacy policy.
LemonSqueezy
Our merchant of record. Handles checkout, card processing, tax, and invoicing. We receive webhook events (order ID, tier, expiry) — never card data. Privacy policy.
Google (OAuth)
Only if you choose "Sign in with Google". Returns your name, email, and avatar URL — no passwords, no contacts, no Drive access. Privacy policy.
Discord (OAuth)
Only if you choose "Sign in with Discord". Returns your Discord username, email, and avatar URL. Privacy policy.
GlitchTip
Receives crash reports only if you opt in during first-run. Privacy policy.
YouTube
The homepage shows a static YouTube thumbnail for the demo video. YouTube's own cookies are only set if you actually click the thumbnail and start playback. Privacy policy.
// Data retention
- -- Waitlist emails — kept until you ask to be removed.
- -- Account & device data — kept until you request deletion.
- -- Purchase and invoicing records — 5 years after the end of the tax year, as required by Polish accounting law (Art. 74 Ordynacja podatkowa).
- -- Session logs — 30 days or less.
- -- Crash reports — 90 days, then purged automatically.
- -- Feedback submissions — 12 months, unless we need them longer to diagnose a specific issue you reported.
- -- Anonymous votes — indefinitely (no personal data attached).
// Your rights under GDPR
Because we store personal data, EU and UK users have the following rights:
- Art. 15 Right of access — ask what we have on you.
- Art. 16 Right to rectification — ask us to fix anything inaccurate.
- Art. 17 Right to erasure ("right to be forgotten").
- Art. 18 Right to restriction of processing.
- Art. 20 Right to data portability — get your data in a machine-readable format.
- Art. 21 Right to object to processing based on legitimate interests.
- Art. 7(3) Right to withdraw consent at any time (e.g. for crash reporting).
- Art. 77 Right to lodge a complaint with a supervisory authority.
To exercise any of these, write to contact@kaption.one. We'll reply within 30 days (GDPR's default deadline).
// International data transfers
Some of our processors (Cloudflare, LemonSqueezy, GlitchTip) are based in the United States or operate globally. When data leaves the EEA, transfers rely on the EU Standard Contractual Clauses and — where available — the EU–US Data Privacy Framework. Cloudflare gives us regional-routing controls and we pick EU regions wherever a choice exists.
// Children
Kaption is not aimed at children under 16. Under Art. 8 GDPR, EU users below 16 need parental consent to use online services that rely on consent as the legal basis. If you believe a child has given us data without that consent, email us and we'll delete it.
// Changes to this policy
When we update this policy, we bump the date at the top. Material changes get flagged on the home page for at least two weeks — we won't email you for minor edits.
// Supervisory authority
If you're in Poland and think we've mishandled your data, you can complain to:
EU users outside Poland can file with their national data-protection authority instead.