Privacy Policy

How Conditioning Control Panel handles your data

Summary

This summary provides key points from our privacy policy. You can find full details in the sections below.

  • What we collect: Display name, hashed email, OAuth provider IDs, progression data, and application settings — only if you opt into cloud features.
  • What we don't collect: IP addresses, media file content, browsing history, billing names, or any sensitive personal information.
  • Offline by default: The application works fully offline. Cloud sync, leaderboards, and accounts are entirely optional.
  • Open source: Our source code is publicly available so you can verify exactly how your data is handled.
  • Self-service data control: You can export or permanently delete all your data at any time directly from the app — no need to contact us.
  • No analytics or advertising: We do not use Google Analytics, behavioral tracking, or advertising cookies. The website embeds two third-party services (Google Fonts and a redgifs video player on the homepage); they load by default and you can opt out via the cookie banner.
  • Where data is stored: Server-side data is stored in the United States via Vercel and Upstash. All data is transmitted over HTTPS.
  • Age requirement: You must be at least 18 years old to use this application.

Data Controller

Conditioning Control Panel (CCP) is an open-source project maintained by CC Labs LLC. The source code is publicly available on GitHub.

CC Labs LLC is the data controller for any personal data processed through the cloud features of this application.

What Data We Collect

Account Information (Cloud Features)

If you sign in with Discord or Patreon, we store:

  • Display name — your chosen username
  • Email hash — a one-way HMAC-SHA256 hash of your email from your OAuth provider (Discord or Patreon). We do not store your plaintext email address.
  • Discord ID / Patreon ID — used to link your account
  • Patreon subscription tier — to verify premium access
  • Avatar URL — Discord profile picture, if you opt in to sharing it
  • Privacy preferences — online status visibility, profile picture sharing
  • Auth token hash — SHA-256 hash of your session token (not the plaintext token)
  • Timestamps — account creation, last seen, last synced, client version

Progression Data

When cloud sync is active, we store:

  • Level, XP, and seasonal statistics (flash clicks, video watches, bubble pops, etc.)
  • Achievement progress and unlock status
  • Quest completion data
  • Skill tree data (skill points and unlocked skills)
  • Total lifetime conditioning minutes
  • Companion AI progression (per-companion level and XP)
  • All-time aggregate statistics across seasons

Settings Backup

If you use the cloud settings backup feature, your application preferences are stored on the server so they can be restored on a fresh install.

Anti-Cheat Data

To maintain fair leaderboards, we monitor XP earning rates, session timing, and statistics consistency. Sessions are signed with HMAC to verify integrity. This data is used solely for detecting anomalies and is not shared with other users.

Automatically Collected Data

Our application does not log IP addresses, device fingerprints, or usage analytics. However, our hosting infrastructure (Vercel) may temporarily retain standard connection metadata (such as IP addresses) in their own server logs as part of normal operations. This is governed by Vercel's privacy policy and is outside our control. We do not access or use this infrastructure-level data.

What We Do NOT Collect

  • Plaintext email addresses (only one-way hashes are stored)
  • IP addresses (not logged by the application)
  • Content of your media files (images, videos, sounds stay local)
  • Browsing history or screen content
  • System information beyond what's needed for the app
  • Patreon billing name — used transiently during login for verification but NOT stored on the server
  • Sensitive personal information (race, religion, health data, biometrics, etc.)

Why We Collect It

Purpose | Data Used
Account sync across devices | Discord/Patreon ID, display name, email hash
Leaderboards | Display name, level, XP, statistics
Anti-cheat | XP rate, session timing, statistics consistency
Patreon tier verification | Patreon ID, subscription status
Settings backup/restore | Application preferences
AI companion chat | Messages sent to OpenRouter for AI responses (not stored on our server)

How Data Is Stored

Server-Side

Cloud data is stored in Upstash Redis, a managed database service. The server runs on Vercel (serverless functions). Data is transmitted over HTTPS.

Client-Side

  • Settings and progress are stored as JSON files in %APPDATA%/ConditioningControlPanel/
  • OAuth tokens (Discord/Patreon) are encrypted locally using Windows DPAPI (Data Protection API), tied to your Windows user account
  • Auth tokens for the sync server are stored in application settings and validated via SHA-256 hashing

International Data Transfers

Our servers and infrastructure are located in the United States. If you are accessing our services from outside the United States — including from the European Economic Area (EEA), United Kingdom (UK), Switzerland, or Canada — your data will be transferred to, stored, and processed in the United States.

The United States may not have data protection laws as comprehensive as those in your country. However, we take the following measures to protect your data:

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Email addresses are hashed before storage (not stored in plaintext)
  • Auth tokens are stored as SHA-256 hashes (not plaintext)
  • OAuth tokens are encrypted locally with Windows DPAPI
  • Our source code is open source, allowing public verification of data handling practices

Our third-party infrastructure providers (Vercel and Upstash) maintain their own data protection practices and compliance measures. Please refer to their respective privacy policies linked in the Third-Party Services section.

If you are located in the EEA or UK and believe your data is being processed unlawfully, you have the right to lodge a complaint with your local data protection authority.

Third-Party Services

Service | Purpose | Data Shared
Patreon | OAuth login, subscription verification | OAuth tokens (via their API)
Discord | OAuth login, account linking | OAuth tokens (via their API)
OpenRouter | AI companion chat (if enabled) | Chat messages you send to the companion
Vercel | Server hosting | API requests are processed through Vercel
Upstash | Database hosting (Redis) | All server-side user data is stored here
GitHub | Auto-updates, source code hosting | Update check requests

Business Transfers

If this project is transferred to a new owner or organization, your data may be transferred as part of that transition. In such an event, the new data controller will be bound by this privacy policy or will notify you of any changes before they take effect. You will always retain the right to delete your account and data.

Cookies & Tracking Technologies

The website is a static site hosted on Vercel. We do not run analytics, advertising, or behavioral-tracking scripts of any kind, and the desktop application does not phone home or transmit usage telemetry.

First-party storage we set ourselves

  • rc_last_code — localStorage entry on the remote-control page (/remote/) only. Remembers the last code you entered so the field pre-fills next time. Stored in your browser, never transmitted to us. Strictly necessary for that page to be useful.
  • ccp_consent_v1 — localStorage entry that records your cookie banner choice so we don't ask again on every page load. Strictly necessary for the consent banner itself.

Third-party content (loaded by default, opt-out available)

Two services load from outside our infrastructure on every page load. They are active by default; you can opt out at any time via the cookie banner or the “Cookie preferences” footer link, and your choice persists.

  • Google Fonts — the Poppins typeface is fetched from fonts.googleapis.com and fonts.gstatic.com. Loading these transmits your IP address to Google. If you opt out, the site falls back to your system font.
  • redgifs video embed — the homepage features a hero video served by redgifs.com in an iframe. Loading the iframe transmits your IP and may set cookies on the redgifs domain (governed by their privacy policy). If you opt out, the video is replaced by a click-to-load card.

Managing your choice

The first time you visit, a banner offers Accept all, Reject all, and Customize. You can change your decision at any time using the “Cookie preferences” link in the footer of every page, or by clearing site data for cclabs.app in your browser. Your stored choice expires after 12 months, after which we will ask again.

Third-party services you interact with intentionally (Discord, Patreon, GitHub) may set their own cookies when you authenticate or click through to them. Those cookies are set on their own domains and are governed by their respective privacy policies.

Data Retention

  • Active accounts: Data is retained as long as your account is active and you continue using the application.
  • Inactive accounts: There is currently no automatic deletion of inactive accounts. Your data persists until you request deletion.
  • Deleted accounts: When you delete your account, all associated data (user record, index entries, leaderboard entries, legacy keys) is removed immediately and permanently.
  • IP addresses: The application does not log IP addresses. Standard Vercel infrastructure logs may briefly retain connection metadata per their own policy.
  • AI chat messages: Messages sent to the AI companion are forwarded to OpenRouter in real-time and are not stored on our server. Refer to OpenRouter's privacy policy for their retention practices.

Age Requirement

You must be at least 18 years of age to use this application. By using Conditioning Control Panel, you represent and warrant that you are 18 years of age or older.

We do not knowingly collect personal information from anyone under 18. If we become aware that a user is under 18, we will:

  • Deactivate the account immediately
  • Delete all associated data from our servers
  • Remove all leaderboard entries and index records

If you believe that we have inadvertently collected data from someone under 18, please contact us immediately at support@cclabs.app so we can take appropriate action.

Your Rights

Depending on your location, you may have some or all of the following rights regarding your personal data:

Access & Export Your Data

You can export a full copy of your data at any time using the Export Data button in the app's Settings tab (under Account). This calls the /v2/user/export-data endpoint and returns all stored data associated with your account.

Rectification

You can update your display name through the application. If other data is incorrect, contact us and we will correct it.

Delete Your Account

You can permanently delete your account and all associated data using the Delete Account button in the app's Settings tab. This removes:

  • Your user record and all progression data
  • All index entries (email hash, display name, Discord ID, Patreon ID)
  • All leaderboard entries across all seasons
  • Settings backups
  • Legacy data from previous versions

Deletion Is Permanent

Account deletion cannot be undone. All data is removed immediately from the server.

Restrict or Object to Processing

If you are in the EEA, UK, or Switzerland, you may request that we restrict or stop processing your personal data. Contact us at support@cclabs.app to make such a request.

Data Portability

The Export Data feature provides your data in a structured, machine-readable JSON format that you can take to another service.

Withdraw Consent

See Withdrawing Consent in the Legal Bases section above.

Offline Use

You are not required to create an account or use any cloud features. The application works fully offline — cloud sync, leaderboards, and account features are entirely optional.

Lodge a Complaint

If you are in the EEA, UK, or Switzerland and believe we are processing your data unlawfully, you have the right to lodge a complaint with your local data protection authority.

California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information.

Categories of Personal Information Collected

Category | Collected? | Examples
A. Identifiers | YES (limited) | Display name, hashed email, Discord/Patreon IDs
B. Personal info (CA Customer Records) | NO
C. Protected classifications | NO
D. Commercial information | NO
E. Biometric information | NO
F. Internet/network activity | NO
G. Geolocation data | NO
H. Audio/visual information | NO
I. Professional/employment info | NO
J. Education information | NO
K. Inferences | NO
L. Sensitive personal information | NO

Your California Rights

  • Right to Know: You can request what personal information we have collected about you. Use the Export Data button in the app for immediate access.
  • Right to Delete: You can request deletion of your personal information. Use the Delete Account button in the app for immediate deletion.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
  • Right to Opt Out of Sale: We do not sell or share your personal information with third parties for monetary or other valuable consideration. There is nothing to opt out of.

To exercise any of these rights, you can use the self-service tools in the app or contact us at support@cclabs.app.

Do-Not-Track

We do not track users across websites or applications. We do not run analytics or behavioral-tracking scripts, and the third-party content we embed (Google Fonts, redgifs video) only loads after you opt in via the cookie banner — so a Do-Not-Track (DNT) signal would not change anything we send. We respect your privacy regardless of your DNT settings.

Changes to This Policy

We may update this privacy policy from time to time. When we do:

  • The "Last updated" date at the bottom of this page will be revised
  • Material changes (e.g., new data collection, new third-party sharing) will be communicated via an in-app notification or announcement in our Discord server
  • The previous version of this policy will remain accessible in our public git history

We encourage you to review this policy periodically. Your continued use of the application after changes are posted constitutes acceptance of the updated policy.

Contact

If you have questions about your data, want to exercise your privacy rights, or have concerns about this policy:

We will respond to privacy-related requests within 30 days.

Last updated: April 1, 2026