Privacy Policy
Last updated: June 2026
Capiu is a free, ad-free memory-training project. This policy covers both the public site at capiu.org and the signed-in app at app.capiu.org. We collect as little data as possible and store nothing we don't need.
Public site — capiu.org
The static landing page, the blog, and the read-only Major System and focus-timer tools at capiu.org/major / capiu.org/focus run entirely in your browser. No account, no cookies set by us, no personal data leaves your device.
We use Cloudflare Web Analytics to see which pages are visited. It is cookie-free, does not track you across sites, and is designed to be privacy-first — Cloudflare aggregates page-load events at the edge without building per-visitor profiles.
The site is served by Cloudflare Pages. Cloudflare may log your IP address for security and abuse-prevention purposes. See Cloudflare's privacy policy.
Signed-in app — app.capiu.org
The app at app.capiu.org requires sign-in. The sections below explain what we collect when you create an account and use the app's features.
What we collect
- Email address — required for sign-in via one-time code, or read from your OAuth provider (Google / GitHub) if you choose that sign-in method.
- OAuth profile basics — if you sign in with Google or GitHub, we receive your provider-side display name and profile-picture URL. Nothing else from the provider.
- Your curation activity — entity suggestions you submit, number subscriptions you create, and the Major System picks you save are stored in our database so they sync across devices and feed the public catalog. These values are stored in plain form (not end-to-end encrypted), which means that we, and anyone with administrative access to the database, can technically read them. For this reason our terms of service ask you not to store active secrets — bank PINs, passwords, 2FA backup codes — in Capiu.
- Pseudonymized error reports — when something goes wrong in the app, we send the stack trace, browser type, and your internal user ID (a random UUID, never your email) to Sentry so we can fix it. We have disabled IP capture and session replay.
What we do not collect
- The contents of your memory palaces and pegs. By default the rooms, loci, images, and associations you build live only in your browser's IndexedDB and never reach our servers. If you turn on encrypted palace sync (described below), an end-to-end-encrypted copy is stored so it can sync across your devices — but it is encrypted with a key that never leaves your device, so we still cannot read the contents. Either way, we never see what is inside your palaces.
- No passwords. We never store passwords; sign-in is via a one-time email code or your existing Google / GitHub account.
- No ads, no tracking pixels, no third-party analytics beyond the cookie-free Cloudflare Web Analytics described above.
Encrypted palace sync (optional)
Palace sync is off by default. If you turn it on in your account settings (Settings → Security → Encrypted sync), you choose a passphrase, and from then on a copy of your palaces is stored on our servers so it can sync across your devices.
That copy is end-to-end encrypted (AES-256-GCM). The encryption key is derived from your passphrase — and from a one-time recovery code we show you at setup — and never leaves your device. We, Supabase, and anyone with administrative access to the database store only the ciphertext and can never decrypt your palace contents (this is "zero-knowledge" encryption). The encrypted blob is hosted on Supabase in the EU under the same per-user access rules as the rest of your data.
What the server can see is limited technical metadata: when you last synced, a counter that increases each time you sync (roughly, how often you edit), and — derivable from the stored ciphertext — its approximate size; never its contents.
Important: because only you hold the key, if you lose both your passphrase and your recovery code, the encrypted data is permanently unrecoverable — by design. Deleting your account removes the encrypted blob along with the rest of your account data.
Maps and Street View
The palace map is rendered with OpenFreeMap map tiles, and place search uses Nominatim (part of OpenStreetMap). When the map loads or you search for a place, your IP address (and your search query) reach those services so they can return the tiles and results.
A palace can also carry an optional Google Street View scene. To protect your privacy this embed does not load automatically — nothing is sent to Google until you click "Load Street View", or until you tick the "load scenes automatically" option yourself. When it does load, the scene's coordinates, your IP address, and your language are transmitted to Google; we restrict the referrer we send to our bare origin (app.capiu.org), so Google does not learn which palace you are viewing. This processing is based on your consent (Art. 6 (1) (a) GDPR), which you can withhold or withdraw at any time by not loading the scene or unticking the option. Loading the embed transfers data to Google LLC in the United States, which participates in the EU-US Data Privacy Framework.
Who processes your data
- Supabase — hosts our database and authentication. Our project is hosted in the EU. Supabase logs may temporarily contain your IP address for security purposes.
- Cloudflare — serves the app and provides the Turnstile captcha that protects sign-in from bots. Turnstile is privacy-preserving and does not use third-party cookies.
- Sentry — receives the pseudonymized error reports described above. Our Sentry project is hosted in the EU.
- Google / GitHub — only when you actively click the "Sign in with Google" or "Sign in with GitHub" button. The OAuth flow redirects you to the provider, which sends us a token and your basic profile information after you approve.
- Google — only if you load a Street View scene (see above). Google then receives the scene coordinates and your IP address as an independent controller. Transfer to the US under the EU-US Data Privacy Framework.
- OpenFreeMap — serves the palace map tiles; receives your IP address when the map loads.
- Nominatim / OpenStreetMap — powers place search; receives your search query and IP address when you search for a location.
Cookies and local storage
The signed-in app stores a Supabase session token in your browser's local storage so you don't have to sign in on every visit. It also stores your palaces, pegs, and TanStack Query cache in IndexedDB (strictly on your device). These are technically necessary for the app to work and do not require a consent banner under GDPR. We do not set any third-party cookies and we do not run advertising cookies.
A few feature preferences are also kept on your device only: whether to "load scenes automatically" (the Street View opt-in described above), and — if you use encrypted palace sync and choose to "stay unlocked on this device" — a device key that wraps your decryption key locally. Neither is sent to us.
Legal basis
Processing your email and sign-in data: contract performance (Art. 6 (1) (b) GDPR) — necessary to provide the account. Pseudonymized error reports and security/abuse prevention: legitimate interest (Art. 6 (1) (f) GDPR) — running a stable, abuse-free service. Cookie-free analytics on the public site: legitimate interest. Storing the end-to-end-encrypted palace-sync blob: contract performance (Art. 6 (1) (b) GDPR) — you opt in explicitly to the feature. Loading a Google Street View scene: consent (Art. 6 (1) (a) GDPR).
Retention
Your account data is kept until you delete your account from the in-app settings page (which hard-deletes the row and cascades all your catalog activity). Sentry error reports are kept for 90 days by default. Server logs are kept for 14 days.
Your rights
Under GDPR you have the right to access, correct, export, and delete your data. The in-app Delete account button immediately removes all account data from our primary database. Sentry error reports and server logs that contain only your random user ID then expire on the retention schedule above (90 / 14 days). For access or export requests, email contact@capiu.org — we will reply within the 30-day deadline set by GDPR Art. 12 (3). You also have the right to lodge a complaint with your national data-protection authority.
Changes to this policy
We may update this policy as the app evolves. The date at the top is always the most recent change. Material changes will be announced inside the app.
Contact
Questions or requests: contact@capiu.org. See also our imprint.