Privacy Policy
Last updated: 2026-05-06.
This Privacy Policy describes how Capreolus ("we", "us", "our") collects, uses, and protects information when you use the Capreolus mobile application and the capreolus.app website (together, the "Service").
1. Who we are
Capreolus is operated by Eolan Enterprises ("the Company"). For privacy matters, contact:
- Email: [email protected]
- Postal: address available on request via [email protected]
If you are in the European Economic Area (EEA) or the United Kingdom, the Company is the data controller for personal data collected through the Service.
2. What data we collect
2.1 Account information
When you create an account we collect:
- Email address (used as your sign-in identifier)
- Display name
- Account ID issued by our identity provider (Keycloak)
- Password (stored only as a salted hash by Keycloak; never visible to us)
2.2 Usage telemetry (optional, opt-out in Settings)
To improve the product we collect anonymized telemetry:
- Which screens you open and in what order
- Aggregate timing data (how long a screen took to load)
- Which features you use (e.g. "Agent chat sent")
We do not record the content of your chats or the values of your business metrics in this telemetry stream.
2.3 Crash and error reports
When the app crashes or hits an unhandled error, we collect:
- A stack trace, OS version, device model, and app version
- A non-identifying installation ID (regenerated when you reinstall)
We use Sentry for crash reporting. Sentry is configured to scrub IP addresses and free-form text fields before storage.
2.4 Push notification tokens
If you grant push permission, we store the Expo push token issued for your device so we can deliver notifications. The token is rotated by the OS and does not identify you outside of your Capreolus account.
2.5 Subscription and payment information
We do not see your credit card or bank details. Apple (App Store) and Google (Play Store) handle the transaction. We receive only:
- A subscription receipt (entitlement, expiry, product ID)
- A pseudonymous "user ID" issued by RevenueCat to link entitlements to your Capreolus account
2.6 Data you bring in
The metrics and project content you connect to Capreolus (Stripe revenue, Sentry incidents, App Store ratings, etc.) are processed under your direction. We act as a data processor for that content under our standard DPA.
3. How we use the data
We use the data above to:
- Provide and operate the Service (you can't sign in without an account)
- Send you transactional and notification emails
- Diagnose crashes and fix bugs
- Measure aggregate usage to prioritize features
- Comply with legal obligations (e.g. tax record retention)
We do not use your data to train AI models. The Project Brain feature sends prompts to Anthropic's Claude API under a zero-retention agreement; Anthropic does not retain or train on those prompts.
4. Legal basis (GDPR / UK)
If you are in the EEA or the UK, we rely on the following legal bases under GDPR Article 6:
- Contract performance for your account, telemetry tied to features you use, and notification delivery
- Legitimate interest for crash reporting and aggregate usage analytics
- Legal obligation for tax-record retention (invoices)
- Consent for optional marketing emails (you can withdraw at any time)
5. Retention
- Account: kept as long as your account exists. Deleted within 30 days of account deletion (some legally-required records, like invoices, are retained for 7 years for tax compliance).
- Crash reports: 90 days
- Aggregate telemetry: 13 months, then deleted or fully anonymized
6. Your rights
You have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your account (Settings → Account → Delete Account, or email [email protected])
- Export your data (request via [email protected] — fulfilled within 30 days)
- Object to processing based on legitimate interest
- Lodge a complaint with your local supervisory authority
California residents have additional rights under CCPA / CPRA: right to know, right to delete, right to correct, right to opt out of "sharing" (we do not share or sell). Submit requests via [email protected].
7. International transfers
We are based in the United States and our infrastructure is hosted in the US and the EU. If we transfer EEA / UK personal data outside those regions, we rely on Standard Contractual Clauses (SCCs) with our subprocessors.
8. Cookies and similar
The mobile app does not use cookies. The capreolus.app website uses only strictly-necessary cookies for authentication; no advertising or analytics cookies are set.
9. Third parties
The following service providers process data on our behalf under a DPA:
- Sentry — crash and error reports (US)
- Anthropic — Project Brain inference (US, zero-retention)
- RevenueCat — subscription receipts (US)
- Apple and Google — payment processing for IAP (subject to their policies)
- Cloudflare — content delivery and DDoS protection (global)
We do not sell or share personal data for cross-context behavioral advertising.
10. Children
The Service is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.
11. Changes
We may update this Policy. Material changes will be announced via in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current version.
12. Contact
[email protected] — we respond within 5 business days.