// PRIVACY

Privacy policy

Last updated: 2026-04-28

FiftyCAL is built so most of what you record never leaves your Mac. Sessions, video, audio, transcripts, screenshots, input events — all written to local files in ~/Documents/Scope/ on your machine. We do not have access to those files.

What we collect

• Account data — your email, password hash (argon2id, never plaintext), optional handle, optional 2FA secret (encrypted at rest with AES-GCM).
• Aggregated stats — when you opt in to leaderboards / cross-Mac sync, your client uploads daily counters per metric per mode (sessions, words, mouse distance, keystrokes, etc). No transcripts, no audio, no video. The Mac app's StatsDB shows you exactly what gets uploaded.
• License data — your purchase email + license key from our merchant of record (handles global tax + checkout). See subprocessors for the current provider.
• Telemetry — anonymous product analytics (PostHog) and crash reports (Sentry). Opt-out toggle in Preferences → Advanced.

What we never collect

• Audio recordings — Whisper transcription is your client calling OpenAI's API directly with your key (or our paid relay if you prefer).
• Screen recordings — never uploaded to our servers. Hardscope sends frames to Google Gemini for summarization; transcripts come back, video doesn't persist.
• Transcripts of your sessions — those stay on disk.
• Clipboard contents — only the per-day kind histogram (text vs image vs file count), never the content.

Subprocessors

See the subprocessors page for the full list with addresses + purposes.

Your rights

GDPR + CCPA: you can export everything we have on you, or delete your account, by signing into the app and using Account → Delete account, or by emailing [email protected]. Account deletion is immediate; backup retention is 30 days.

Data retention

• Account data — until you delete it.
• Aggregated stats — kept while your account is active. Deleted with the account.
• Audit log of security events (sign-ins, password resets) — 90 days.
• Cloudflare D1 backups — 30 days.

Contact

Privacy questions: [email protected]. Data Protection Officer (interim): [email protected].