Privacy Policy
Last updated: 2026-04-29
This Privacy Policy describes how Carrington Creative Labs LLC, a Washington, DC limited liability company with its principal place of business at 1250 4th St SW, Unit 708, Washington, DC 20024, United States (“we,” “us”), handles personal data in connection with the SupaDupa macOS application and the website at supadupa.tech.
The short version: SupaDupa runs on your Mac. We do not upload, index, or read the contents of your files. The only personal data we hold is what you provide when you buy a license and what your app sends when it activates that license.
1. Summary
| What we collect | When | Why |
|---|---|---|
| Email address | At purchase, and at license activation | Deliver the license key, contact you about your purchase, recover your key |
| Payment information | At purchase | Processed by Paddle (Merchant of Record); we never see card data |
| Country / region | At purchase | Tax compliance (VAT/GST), provided to us by Paddle |
| License key | At activation | Verify your Pro entitlement |
| Machine hash (SHA-256) | At activation, and weekly | Understand how many devices a license is active on; non-reversible identifier |
| Hostname (optional) | At activation | Help you recognize your own devices in support cases |
| App version | At activation, and weekly | Ensure your update window covers the version you’re running |
| Crash reports | When the app crashes, only if the Privacy → Crash Reports setting is enabled | Diagnose and fix bugs |
| Page views (website only) | When you visit supadupa.tech | Understand how the marketing site is performing |
What we do not collect:
- The names, contents, or paths of your files
- Your scan results or folder structures
- Any data the app generates about your local storage
- Cookies, ad-targeting identifiers, or fingerprinting signals on the website
2. Data we collect from your device
2.1 At purchase
When you buy SupaDupa through Paddle, you provide your email address and payment details directly to Paddle. Paddle is the merchant of record for the transaction and acts as a separate controller for checkout, billing, tax handling, and payment-related fraud prevention. Their privacy policy governs the collection of card data and billing information. See https://www.paddle.com/legal/privacy.
We receive from Paddle:
- Your email address
- Your country (for tax purposes)
- The order ID and customer ID (so we can look up your license if you contact support)
- Refund events and update-extension purchase events
We do not receive your card number, CVV, or full billing address.
2.2 At license activation
When you paste your license key into the app and click Activate, the app sends a single HTTPS request to our license backend containing:
- Your license key
- A machine hash:
SHA-256(machine_id + APP_SALT), wheremachine_idis the macOS hardware identifier andAPP_SALTis a constant compiled into the app. This hash is non-reversible; we cannot derive your machine identifier or any device-identifying detail from it. - Your device hostname (e.g. “Carrington’s MacBook Pro”), if your macOS user has set one. This is included so you can recognize your own devices if you contact support.
- Your app version (e.g.
0.2.0).
The license key itself is then stored locally in your macOS Keychain. It is not stored on disk in plain text and is not synced to iCloud unless you have enabled Keychain sync in macOS.
2.3 Periodic check-ins
About once per week, the app sends the same machine hash, hostname, and app version to our license backend. This serves three purposes:
- Confirm that the license has not been refunded (so the app can cleanly degrade to Free if it has)
- Update the “last seen” timestamp so we can understand the natural distribution of devices per license
- Communicate the current app version so we can decide whether your update window covers it
The check-in is best-effort. If the network call fails — your Mac is offline, our backend is down, you are on a captive-portal Wi-Fi — the app continues to work. We never lock you out of features you have already activated because of a failed online check.
2.4 Crash reports (optional, off-by-default for the privacy-conscious)
When SupaDupa crashes, the app can send a crash report to Sentry containing the stack trace, OS version, app version, and a short anonymous device identifier. This is gated by the Settings → Privacy → Crash Reports toggle. The setting defaults to on but can be turned off at any time, and the change is honored immediately by both the Rust and JavaScript halves of the app — no restart required.
Crash reports are intended not to include the contents of your files, scan results, or your license key, and we do not intentionally send file paths as part of crash reporting.
2.5 Update checks
The Tauri auto-updater contacts GitHub Releases (or the configured update endpoint) approximately once per hour while the app is open to check for new versions. The update endpoint sees only your IP address and the user-agent string the updater sends. It is not connected to your license or your purchase record.
2.6 Support email
When you email support@supadupa.tech, we receive your email address, the subject and body of your message, and any attachments you choose to include. Inbound mail is forwarded by Cloudflare Email Routing to a managed inbox we operate; Cloudflare acts as a service provider in this path and does not store the messages persistently after delivery.
We use support emails to respond to your question, recover license keys, process refund requests, and handle privacy-rights requests. We retain support correspondence for 24 months after the issue is resolved so we can recognize repeat issues and respond to follow-ups, after which it is deleted. We do not feed support email contents into automated decision-making systems, and we do not use them to train machine-learning models.
3. Network calls the app makes
This is the complete list of network calls SupaDupa makes. If a future release adds a new outbound endpoint, this list will be updated and the change noted in the changelog.
| Endpoint | When | Data sent | Can be disabled? |
|---|---|---|---|
| Tauri auto-updater (GitHub Releases or our CDN) | Hourly while the app is open | App version, OS version | Yes — disable Settings → Updates → Automatic |
| License activation (one-time per device) | When you click Activate | License key, machine hash, hostname, app version | Required to use Pro features |
| License status check-in | Approximately weekly | Machine hash, hostname, app version | No (it’s the mechanism that detects refunds and version eligibility) |
| Sentry crash report | On crash | Stack trace, OS version, app version | Yes — toggle Settings → Privacy → Crash Reports |
Other than the endpoints listed above and ordinary network behavior outside our control (for example DNS, TLS, or operating-system-level certificate checks), SupaDupa is not designed to make other application-level outbound requests. It does not include usage analytics, heartbeat telemetry, or third-party ad/marketing SDKs.
4. The website (supadupa.tech)
4.1 Analytics
We use Plausible Analytics to understand how visitors use the marketing site. Plausible is a privacy-friendly analytics service that:
- Does not use cookies
- Does not use persistent identifiers to track visitors across sites
- Does not fingerprint visitors
- Is designed to minimize the personal data needed for aggregate site analytics
We see aggregate page views, top referrers, and country-level visitor counts. We cannot identify individual visitors.
See https://plausible.io/data-policy for what Plausible collects.
4.2 Cookies
The marketing site does not set any cookies. The Paddle checkout overlay may set cookies during a purchase; those are governed by Paddle’s privacy policy.
4.3 Email signup (release notes)
If you enter your email address into the “Subscribe to release notes” form on the changelog page, we store your email in a Resend audience. You will receive an email when we ship a notable release. There are no marketing campaigns, no upsells, and no third-party data sharing. Each email contains an unsubscribe link, and you can also email us to be removed.
5. Where data is stored
| Data | Stored where |
|---|---|
| License key (on your device) | macOS Keychain |
| License records, device records | Firestore (Google Cloud, US region) |
| Order history | Paddle |
| Crash reports | Sentry |
| Email subscriber list | Resend |
| Backend secrets (signing keys, webhook secrets) | Firebase Secret Manager |
We use Firebase (Google Cloud) and the other named providers as data processors. Each maintains its own security and privacy practices; we have selected providers that we consider responsible operators of the data they handle.
6. How we use your data
We use the data described above only to:
- Deliver and recover your license key
- Verify your Pro entitlement
- Notify you about your purchase, refund, or update window expiration
- Diagnose crashes (only if you have crash reporting enabled)
- Understand the device-count distribution across active licenses
- Comply with tax law
We do not:
- Sell your data, ever
- Share your data with advertisers, brokers, or marketing services
- Use your data to train machine-learning models
- Profile you for behavioral targeting
- Combine your data with third-party data sets
7. Legal bases, legitimate interests, and transfer safeguards
If you are in the EEA or UK, we rely on the following legal bases for the processing described in this policy:
| Activity | Data involved | Legal basis |
|---|---|---|
| Selling the app and delivering the license | Email address, country, order ID, customer ID, license key | Performance of a contract |
| Activating Pro and enforcing the update window | License key, machine hash, hostname (if provided), app version | Performance of a contract |
| Weekly license status check-ins | Machine hash, hostname (if provided), app version | Performance of a contract and our legitimate interests in preventing license abuse, honoring refunds, and confirming version eligibility |
| Purchase, refund, and support emails | Email address, order/license records, the contents of your support message | Performance of a contract and our legitimate interests in customer support and account administration |
| Crash reports | Stack trace, OS version, app version, short anonymous device identifier | Your consent, which you can withdraw at any time by turning off Settings → Privacy → Crash Reports |
| Release-notes emails | Email address | Your consent, which you can withdraw at any time using the unsubscribe link or by emailing us |
| Tax, accounting, and anti-fraud records | Country, order ID, customer ID, refund records | Compliance with legal obligations and our legitimate interests in keeping accurate business records and preventing abuse |
Our legitimate interests are narrow: preventing license abuse, keeping a minimal device registry so one license is not used by unrelated people, diagnosing service issues, maintaining basic business records, and communicating with customers about purchases, refunds, and update eligibility.
Data required for the contract: your purchase email address, license key, machine hash, and app version are required for us to sell, activate, and support the Pro license and any 12-month update extension you choose to buy. If you do not provide them, you can still use the free tier but we cannot activate or administer Pro. Your hostname is optional. Crash reports and release-notes emails are optional.
Paddle acts as a separate controller for checkout, billing, tax handling, and payment-related fraud prevention. We receive limited purchase data from Paddle so we can deliver and support your license. For our own systems, we use Google Cloud / Firebase (including Cloud Functions, Firestore, and Secret Manager), Sentry, and Resend as processors or service providers.
If you are in the EEA or UK, your personal data may be transferred to the United States. For transfers by our processors, we rely on Standard Contractual Clauses or equivalent lawful transfer mechanisms. You can request information about the safeguards relevant to your data by emailing support@supadupa.tech.
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, this section applies to you.
8.1 Categories of personal information we collect
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: email address, license key, order ID, customer ID, device hostname (if you provide one), and hashed device identifier
- Commercial information: purchase, refund, and update-extension purchase records
- Internet or other electronic network activity information: app version, license check-in events, crash-report metadata if crash reporting is enabled, and aggregate website analytics
- Customer support information: the contents of support emails you send us and related correspondence
We collect this information directly from you, from your app when it activates or checks in, from Paddle in connection with your purchase, and from service providers that process data on our behalf.
8.2 Business and commercial purposes
We use this information only for the narrow purposes described in this policy, including to:
- Deliver and recover your license key
- Activate Pro features and administer your update window
- Detect refunds and version eligibility
- Maintain a minimal device registry to prevent license abuse
- Provide customer support
- Diagnose crashes if crash reporting is enabled
- Maintain tax, accounting, and fraud-prevention records
- Measure aggregate website traffic without cross-site behavioral tracking
Retention periods are described in §9 Data retention.
8.3 Sales, sharing, and sensitive personal information
We do not sell personal information.
We do not share personal information for cross-context behavioral advertising.
We do not knowingly collect or use Sensitive Personal Information as defined by California law, and we do not use or disclose sensitive personal information for purposes that would trigger a right to limit its use.
8.4 Your California rights
Subject to applicable law, California residents may have the right to:
- Know the categories of personal information we collected, used, disclosed, and retained about you
- Request access to the specific pieces of personal information we collected about you
- Request deletion of personal information we collected from you
- Request correction of inaccurate personal information we maintain about you
- Opt out of the sale or sharing of personal information
- Limit the use and disclosure of sensitive personal information
- Receive equal service and pricing even if you exercise your privacy rights
- Use an authorized agent to make a request on your behalf
Because we do not sell or share personal information and do not use sensitive personal information in a way that triggers a limitation right, there is currently nothing for us to opt you out of on those points. You may still contact us if you have questions.
8.5 How to submit a verifiable consumer request
Email support@supadupa.tech from the email address associated with your license or purchase.
To verify your request, we will:
- Match the sender address against the email address associated with the license or purchase record, and
- Send a confirmation step to that same email address before acting on the request
If we cannot verify that you are the person associated with the record, we may ask for limited additional information or deny the request.
Authorized agents may submit requests by emailing support@supadupa.tech with proof of their authority to act for you. We may still require you to verify your identity directly with us.
8.6 Non-discrimination
We will not discriminate against you for exercising any privacy rights available to you under California law.
9. Data retention
| Record | Retention |
|---|---|
| License records | Indefinite while the license is active; archived 24 months after refund or expiration |
| Device records | Updated rolling; pruned 24 months after last seen |
| Email subscriber records | Until you unsubscribe |
| Crash reports | 90 days (Sentry default) |
| Order records (Paddle) | As required by tax law in your jurisdiction (typically 7 years) |
| Plausible analytics | No retention of individual visitor data; only aggregates |
You can request earlier deletion at any time using the contact details below.
10. Your rights
Depending on where you live, you may have rights under the GDPR (EEA/UK), the CCPA/CPRA (California), or other privacy laws. These can include:
- The right to access the data we hold about you
- The right to correct inaccurate data
- The right to delete your data (“right to be forgotten”)
- The right to export your data in a portable format
- The right to object to or restrict processing
- The right to lodge a complaint with your data protection authority
To exercise any of these rights, email us at support@supadupa.tech. We will respond within 30 days.
For the data Paddle holds about you (payment and billing records), you should contact Paddle directly via their privacy policy.
11. International transfers
We are based in the United States and use US-based data processors (Google Cloud, Sentry, Resend). If you are in the EEA or UK, your personal data is transferred to the US under the data processors’ Standard Contractual Clauses or equivalent safeguards.
12. Security
We protect your data with reasonable technical and organizational measures:
- All network traffic to and from the app is over HTTPS
- The license-signing private key is stored in Firebase Secret Manager and never logged or transmitted
- Webhook payloads from Paddle are signature-validated before processing
- License keys are stored on your device in the macOS Keychain, not in plain text on disk
- Machine identifiers are hashed on-device before transmission
No system is perfectly secure, but we work to minimize what we collect so that the impact of any breach would be small.
If a security incident affecting personal data occurs, we will notify affected individuals and any required regulators in accordance with applicable law. As a District of Columbia entity, we comply with D.C. Code § 28-3852 (Notification of security breach), which requires prompt notice to affected DC residents and, in qualifying incidents, to the DC Office of the Attorney General. Where other jurisdictions impose stricter timelines or content requirements (for example GDPR Article 33’s 72-hour controller-to-supervisory-authority window), we follow the stricter standard.
13. Children
SupaDupa is not directed at children under 13, and we do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time. When we do, we will:
- Update the “Last updated” date at the top of this page
- For material changes that affect how we collect or use your data, post a note in the next app release’s changelog and email registered customers
The full revision history is in this repository’s git log.
15. Contact
Email: support@supadupa.tech
Carrington Creative Labs LLC 1250 4th St SW, Unit 708 Washington, DC 20024 United States