Privacy & GDPR
Short version: Cavemode keeps your data on your Mac. There is no server. There is no analytics. There is no tracker. Long version below — written to satisfy GDPR, CCPA, and basic human decency.
Data controller
The data controller is the independent developer of Cavemode, reachable at support@cavemode.app. EU residents may contact this address to exercise their GDPR rights (see "Your rights" below).
Lawful basis (GDPR Art. 6)
- Consent — you paste your claude.ai session key into Cavemode knowingly. No data processing happens before that action. You can withdraw at any time by quitting the app and deleting the Keychain entry (Keychain Access → search "cavemode" → delete).
- Contract performance — license verification against api.polar.sh is necessary to deliver the product you purchased.
- No legitimate-interest processing, no profiling, no automated decision-making.
What Cavemode stores
- Your Claude session key — stored in the macOS Keychain under the service identifier app.cavemode.session. Never transmitted to any server owned by us. Used only to make requests to claude.ai on your behalf, the same way your browser does.
- Usage snapshots — saved locally in your Library/Application Support/Cavemode/ folder so Cavemode can draw the weekly devolution report. Never uploaded.
- App preferences — sound on/off, refresh interval, launch-at-login. Stored in UserDefaults.
- Minigame best scores — stored locally. Not uploaded.
- Polar license state — your license key and the Polar activation id are stored in the macOS Keychain under app.cavemode.license so Cavemode doesn't re-prompt on every launch.
Accelerometer reads (Slap Attack minigame only)
On Apple Silicon MacBooks (M1 Pro and later), the Slap Attack minigame reads the laptop's built-in motion sensor so a real physical slap can trigger a hit. Data is processed locally and discarded after each sample — nothing is written to disk, nothing is transmitted, and the sensor is only opened while the minigame is on-screen. Desktop Macs and other Apple Silicon models without the sensor fall back to click input with no motion access.
Network requests
Cavemode makes at most three kinds of network requests:
- To claude.ai — to read your own usage, every 60s, using the session key you provided during onboarding. Plus one immediate fetch the first time you paste a session key, so Cavemode can show your current devolution stage before you ever close the onboarding window. This is identical to what your browser does when you open Claude.
- To api.polar.sh — cavemode.app download only. Once at first launch to activate your license key, and a lightweight re-check roughly every 30 days so Polar can revoke refunded or shared keys. The request contains the license key, a device label (your Mac's hostname, e.g. Johns-MacBook-Pro), and an activation id; no user-identifying data beyond that. Excluded entirely from the Mac App Store build.
- To Apple StoreKit — Mac App Store build only. Standard Apple in-app purchase / restore flow, handled by the operating system. Cavemode reads Transaction.currentEntitlements locally to verify the lifetime unlock; Apple processes payment and card data under its own privacy policy. Excluded entirely from the cavemode.app download.
No default-on analytics, crash reporting, or telemetry. The two optional toggles in Settings → Privacy & diagnostics (described in the next section) are the only paths by which anything can leave your device — and both are off out of the box.
Optional diagnostics & product analytics (opt-in, off by default)
Settings → Privacy & diagnostics exposes two toggles, both defaulting to off. Turning them on is the only way any diagnostic or product event leaves your device. Toggle them off at any time and the outbound pipe stops immediately.
- Anonymous crash reports — when on, Cavemode routes symbolicated crash traces, main-thread hang reports, and error breadcrumbs to a crash-reporting processor. Every outbound payload passes through an on-device redaction pass that strips /Users/<your-name> paths, URL query strings, Claude session keys matching sk-ant-sid01-…, Polar license keys, and Authorization/Cookie header values. No email, IP, or device serial is sent.
- Anonymous usage stats — when on, Cavemode sends a small set of typed product events (onboarding completed, paywall viewed, minigame started, share exported, quest claimed, …) to a product-analytics processor. Each event is tagged with a random device UUID generated locally on first opt-in and reset the moment you opt out. Event properties are typed enums only — no free-form strings, no file paths, no license keys, no session keys.
Current status: the toggles are in place; the outbound
integration to the chosen processors (Sentry, EU region; PostHog, EU
cloud — both under signed DPAs) ships in a subsequent release.
Enabling a toggle today stores only your preference locally (a boolean
under UserDefaults key diagnostics.crashReportingEnabled or diagnostics.productAnalyticsEnabled). No payloads go out
until the integration ships, and the release note at that time will
re-announce the change.
Lawful basis: consent (GDPR Art. 6(1)(a)). Withdraw at any time by flipping the toggle off. Retention (planned): crash reports 90 days, product events 12 months. Right to erasure (GDPR Art. 17): email support@cavemode.app with the anonymous device UUID shown under Settings; we submit deletion requests to both processors within 30 days and reply when they confirm.
Cookies + third-party services on this website
This site (cavemode.app) is a pure static SvelteKit build hosted on
Cloudflare Pages. It sets zero cookies, loads zero third-party scripts, and embeds no fonts from
external CDNs. Your browser's localStorage stores a single
key — theme — to remember your light/dark/auto preference. That value
never leaves your device.
Clicking a "Download" button sends you to polar.sh, a separate service with its own privacy policy (polar.sh/legal/privacy). Polar is the Merchant of Record and data controller for your purchase, email, and payment info — we receive only the email and license key Polar issues.
Cloudflare Pages, our static host, processes standard IP-level access logs for DDoS protection and diagnostics under their processor agreement (cloudflare.com/privacypolicy). These logs are not correlated with any Cavemode-specific data.
Share links and attribution
When you tap a Share button inside Cavemode (death certificate, weekly report,
current-usage snapshot, or Slap Attack receipt), the link embedded in your caption
is a cavemode.app URL decorated with ?utm_source, utm_medium, utm_campaign, and ref query
parameters. The ref value is an 8-character random token generated on
your Mac the first time you share. The token is opaque, contains no personal data,
and exists so that if someone clicks a link you posted and buys, Polar's checkout
record keeps a note of which link they came from — useful for us to measure whether
Cavemode's share buttons actually convince anyone and, in future, to reward people
whose links drive purchases.
When a visitor lands on cavemode.app carrying those query parameters,
we stash them in the browser's sessionStorage under the key cavemode_ref for up to 30 days so that the ref can flow through to
Polar's checkout if the visitor buys. No cookies are set for this,
no identifier links the token to your Apple ID, payment, or device hostname, and
nothing is transmitted to our servers outside of the Polar checkout URL the
visitor deliberately opens.
You can reset your own ref token any time by running defaults delete app.cavemode.Cavemode app.cavemode.shareId in
Terminal. The next share regenerates a fresh token. The Instagram mechanic also
writes share images to ~/Pictures/Cavemode/ on your Mac so you can
AirDrop them to your phone — drag them to Trash any time to delete.
Your rights (GDPR Art. 15–22)
- Right of access & portability — Cavemode stores nothing on any server. The data on your device (Keychain + local files) is already in your possession; export it via macOS tools at any time.
- Right to rectification — re-enter your session key in Cavemode's settings.
- Right to erasure ("right to be forgotten") — quit Cavemode, delete the Keychain entries app.cavemode.session and app.cavemode.license, and drag ~/Library/Application Support/Cavemode to the Trash. Nothing remains. For Polar order data, contact Polar directly.
- Right to object, right to restrict processing — stop using the app; no processing continues.
- Right to lodge a complaint — with the supervisory authority in your EU member state.
Data transfers
The app calls claude.ai (Anthropic PBC — USA) and api.polar.sh (Polar Software Inc. — USA) using your authenticated
session. These are direct peer-to-peer calls from your Mac; Cavemode does not
proxy, log, or observe them. Both providers have published data-transfer
mechanisms (SCCs) for EU↔US flows.
Retention
Local files rotate according to your usage history settings (default: 7 days of snapshots). All retention happens on your device. The app never sends retention metadata anywhere.
Children
Cavemode is a developer tool. We do not knowingly collect or process data from anyone under 16.
What Cavemode never does
- Send your prompts, conversations, or responses anywhere
- Log what you type into Claude
- Read Claude's web interface DOM
- Share your session key with anyone, ever
- Install kernel extensions, system services, or anything else invasive
Changes to this policy
Material changes (new data categories, new third parties, new retention periods) will be announced in the in-app release notes and on the changelog at least 14 days before taking effect. Minor wording updates bump the "Last updated" date above.
Questions?
Email support@cavemode.app — replies within 72 hours on weekdays. GDPR data-subject requests are honoured within 30 days (Art. 12).