Privacy Policy

This Privacy Policy explains what the CARAPACE software and website at carapace.info do and do not collect, and what we do with the little information that does reach us. It applies to the Linux installer, the macOS application, the iOS application, and the carapace.info website.

1. What we don't collect

CARAPACE is a self-hosted personal AI operating layer. The whole point is your data doesn't leave your hardware.

• We do not run a server that receives your conversations, prompts, transcripts, images, or camera frames. Those go directly between your phone and the gateway you operate (Mac, Linux, or Pi).
• We do not log your API keys. They live in your phone's Keychain or in configuration files on your own machine.
• We do not require accounts, sign-in, or email. The iOS app and the macOS app do not have a login screen.
• We do not run analytics SDKs, advertising SDKs, or tracking pixels. There is no Segment, no Mixpanel, no Google Analytics, no Meta Pixel, no Amplitude — none of it.
• We do not sell, rent, or share personal data. There is nothing to sell.

2. What does flow over the internet

Running CARAPACE involves some network activity by design. Here's what goes where:

• Your phone ↔ your gateway. Chat, voice, camera, and context traffic moves directly between your iPhone and the gateway you're paired with, typically over your local network or your Tailnet. We never sit in the middle of this path. The specific fields the iPhone sends with each turn are enumerated in section 5.
• Your phone ↔ Apple Maps. When location permission is granted, the iOS app uses Apple's reverse-geocoder to resolve your coordinates into a street and locality, and Apple's MKLocalSearch to fetch nearby points of interest (businesses, landmarks). These queries go to Apple under Apple's privacy policy — they don't pass through our servers or your gateway.
• Your OpenClaw ↔ your AI provider. When you've configured your OpenClaw gateway with a third-party AI provider, your gateway sends your prompts to that provider using the API key you supply. Each provider operates under its own privacy policy. We recommend reviewing it — we don't control what they do with prompts and we don't pick which provider you use.
• App updates and installer. Downloading the macOS DMG or running the Linux installer fetches files from carapace.info (hosted on Cloudflare). Those requests are standard web-server logs (IP address, user agent, timestamp) and are retained briefly by Cloudflare for abuse prevention. We don't correlate them to identities.
• iOS app downloads and IAP. Installing the iOS app and any in-app purchase goes through Apple, under Apple's privacy policy — not ours. See section 3.

3. In-app purchases

The iOS app offers one-time, non-subscription in-app purchases that unlock how many gateways a single iPhone can pair with (Household, Power, Corporate). These purchases are processed entirely by Apple using your Apple ID.

• We do not receive your name, email, payment method, or billing address from Apple.
• We do not receive the exact dollar amount you paid — Apple handles pricing, taxes, and refunds.
• The iOS app asks Apple's StoreKit API which products you currently own on this Apple ID, to unlock the corresponding device cap. That check happens on-device; the answer is cached locally in the iOS Keychain and UserDefaults.
• Family Sharing propagation (if enabled) and refunds are handled by Apple; we honor whatever StoreKit reports.

If you want a refund, request it through Apple directly (Settings → Apple ID → Subscriptions → Report a Problem, or reportaproblem.apple.com). We don't have access to the transaction and can't issue refunds on Apple's behalf.

4. Data stored on your own hardware

The iOS app stores the following locally on your iPhone:

• The list of gateways you've paired with (nickname + URL + auth token), in the iOS Keychain and UserDefaults.
• Your API keys if you've entered any, in the iOS Keychain.
• Conversation history cache, to avoid re-fetching on every app open. This is local-only.
• App preferences (camera quality, wake word, voice selection, theme).
• Optional diagnostic logs if you enable the Debug Console. These are never transmitted unless you explicitly share them.

The macOS app and Linux installer store config, tokens, and cached conversations on the machine where they run. Deleting the app (or the config directory) removes the data.

5. What the iPhone app sends to your gateway

When you talk, scan, or open vision mode, the iOS app bundles the following fields with your message and sends them directly to the gateway you've paired with. None of this passes through our servers.

• Microphone audio. Streamed only while a voice session is active. The optional "Hey Claw" wake-word setting runs detection locally on your iPhone — no audio leaves the device until the wake word fires and a session opens.
• Camera frames. Streamed only while a vision session or scan is active.
• On-device scene perception. The Vision framework runs OCR (text), object classification, barcode decoding, and document detection on each frame on-device; the structured results (text, labels, bounding boxes) ride along with the frame so the gateway can answer faster.
• Location. When permission is granted: latitude, longitude, accuracy, altitude, speed, course/heading, and Apple's reverse-geocoded street + locality. Sent only while the app is in use; never in the background.
• Nearby places. Names, categories, and distances of nearby points of interest fetched via Apple's MKLocalSearch (cached per ~50m grid cell for ~6 hours).
• Motion activity. A coarse classification from Apple's CoreMotion: stationary, walking, running, cycling, or driving. No raw accelerometer data is uploaded.
• Device context. Time of day, ambient light bucket, and (on LiDAR devices) a coarse depth read of the scene.

You can turn the contextual fields (location, motion, nearby places, scene perception bundling) off any time in Settings → Rumination. With Rumination off, only the message itself, microphone audio, and camera frames are sent.

5b. Long-term memory ("Rumination" and Deep Scan)

Your gateway can optionally remember what it has seen and heard across sessions, so future answers are grounded in past context (sub-areas you've visited, objects it has identified, recent utterances). This is on by default and is what we call Rumination.

The memory database lives entirely on the machine running your gateway. We don't operate any memory server, and we never receive or proxy this data.

Deep Scan (off by default, surfaced in Settings as experimental) is a 60-second passive ingestion sweep that uploads ~25–40 deduplicated frame summaries (scene description, top object labels, recognized text — never raw images for the deep-scan path) to your gateway's /cognitive/ingest-frame endpoint, so future answers at this location are richer.

You can disable Rumination or Deep Scan at any time, and you can wipe the memory database directly on your gateway machine.

6. Cookies and local storage

The carapace.info website uses no tracking cookies. The only storage is first-party, same-origin localStorage used to remember UI preferences (e.g. which carousel card you scrolled to). No third-party scripts (other than Tailwind CSS and Google Fonts, both delivered via CDN) run on the site.

7. Children

The CARAPACE iOS app is not directed at children under 13. We do not knowingly collect data from anyone, but because the app processes inputs (voice, text, camera) that may be sensitive, younger users should use CARAPACE through a parent's Apple ID under Apple Family Sharing, which applies parental controls and purchase approvals.

8. Third-party services we rely on

Running the service requires us to rely on a handful of third parties. None of them receive your prompts or conversations:

• Apple — App Store distribution, StoreKit in-app purchases, iCloud Keychain (for your own device, at your option). Apple's privacy policy governs this layer.
• Cloudflare — CDN and static hosting for carapace.info and the installer. Standard edge logging.
• GitHub — source code hosting and the issue tracker. If you open an issue, everything you paste becomes public. We don't control GitHub.
• The AI provider you configure on your OpenClaw — your choice of third-party service. Your gateway talks to it directly using the API key you provide. That provider's policy governs how they handle your prompts; we have no relationship with them and do not select, recommend, or endorse any specific provider.

9. Your rights

Because CARAPACE is self-hosted, most of your data is already in your hands — there's no "data export" request to make of us for your conversations. If you have questions about specific data you believe we hold (for example, installer logs tied to an IP address), contact us at the address below and we'll respond within 30 days.

If you're in a jurisdiction that grants rights to access, correct, or delete personal data (GDPR, CCPA, etc.), those rights apply to the limited data we do have. The main practical exercise of those rights is: request deletion, which will be honored to the extent any data exists to delete.

10. Security

We take reasonable technical and administrative measures to protect the limited data we do hold. That said, no system is perfectly secure. Because the architecture keeps your conversations off our servers, a breach of our servers would not expose your AI interactions. Breaches of your gateway (your Mac, your VPS, your Pi) are out of our control — securing that hardware is your responsibility.

If we become aware of a security incident affecting data we hold that relates to you, we will notify affected users to the extent required by applicable law.

11. Changes

If we update this Policy, the new version will always be at carapace.info/privacy/, with a fresh Effective Date at the top. Material changes will also be announced in the iOS app's Settings → About section and on the website. Continued use of the Software after an update means you accept the updated Policy.

12. Contact

Privacy questions, concerns, or data-deletion requests: open an issue at github.com/mikeypaepke-gif/carapace-site/issues (public) or reach us privately through the contact form at carapace.info.