Privacy Policy
How Conditioning Control Panel handles your data
On This Page
Summary
This summary provides key points from our privacy policy. You can find full details in the sections below.
- What we collect: Display name, hashed email, OAuth provider IDs, progression data, and application settings — only if you opt into cloud features.
- What we don't collect: IP addresses, media file content, browsing history, billing names, or any sensitive personal information.
- Offline by default: The application works fully offline. Cloud sync, leaderboards, and accounts are entirely optional.
- Open source: Our source code is publicly available so you can verify exactly how your data is handled.
- Self-service data control: You can export or permanently delete all your data at any time directly from the app — no need to contact us.
- No tracking or analytics: We do not use cookies, Google Analytics, or any tracking technologies.
- Where data is stored: Server-side data is stored in the United States via Vercel and Upstash. All data is transmitted over HTTPS.
- Age requirement: You must be at least 18 years old to use this application.
Data Controller
Conditioning Control Panel (CCP) is an open-source project maintained by CodeBambi. The source code is publicly available on GitHub.
Because this is an open-source hobby project, there is no registered company behind it. CodeBambi acts as the data controller for any personal data processed through the cloud features.
What Data We Collect
Account Information (Cloud Features)
If you sign in with Discord or Patreon, we store:
- Display name — your chosen username
- Email hash — a one-way HMAC-SHA256 hash of your email from your OAuth provider (Discord or Patreon). We do not store your plaintext email address.
- Discord ID / Patreon ID — used to link your account
- Patreon subscription tier — to verify premium access
- Avatar URL — Discord profile picture, if you opt in to sharing it
- Privacy preferences — online status visibility, profile picture sharing
- Auth token hash — SHA-256 hash of your session token (not the plaintext token)
- Timestamps — account creation, last seen, last synced, client version
Progression Data
When cloud sync is active, we store:
- Level, XP, and seasonal statistics (flash clicks, video watches, bubble pops, etc.)
- Achievement progress and unlock status
- Quest completion data
- Skill tree data (skill points and unlocked skills)
- Total lifetime conditioning minutes
- Companion AI progression (per-companion level and XP)
- All-time aggregate statistics across seasons
Settings Backup
If you use the cloud settings backup feature, your application preferences are stored on the server so they can be restored on a fresh install.
Anti-Cheat Data
To maintain fair leaderboards, we monitor XP earning rates, session timing, and statistics consistency. Sessions are signed with HMAC to verify integrity. This data is used solely for detecting anomalies and is not shared with other users.
Automatically Collected Data
Our application does not log IP addresses, device fingerprints, or usage analytics. However, our hosting infrastructure (Vercel) may temporarily retain standard connection metadata (such as IP addresses) in their own server logs as part of normal operations. This is governed by Vercel's privacy policy and is outside our control. We do not access or use this infrastructure-level data.
What We Do NOT Collect
- Plaintext email addresses (only one-way hashes are stored)
- IP addresses (not logged by the application)
- Content of your media files (images, videos, sounds stay local)
- Browsing history or screen content
- System information beyond what's needed for the app
- Patreon billing name — used transiently during login for verification but NOT stored on the server
- Sensitive personal information (race, religion, health data, biometrics, etc.)
Why We Collect It
| Purpose | Data Used |
|---|---|
| Account sync across devices | Discord/Patreon ID, display name, email hash |
| Leaderboards | Display name, level, XP, statistics |
| Anti-cheat | XP rate, session timing, statistics consistency |
| Patreon tier verification | Patreon ID, subscription status |
| Settings backup/restore | Application preferences |
| AI companion chat | Messages sent to OpenRouter for AI responses (not stored on our server) |
Legal Bases for Processing
We only process your personal data when we have a valid legal reason to do so. Depending on your location, the following legal bases apply:
If You Are in the EU, EEA, or UK (GDPR / UK GDPR)
- Consent: Cloud features are entirely opt-in. By creating an account and enabling cloud sync, you consent to the processing described in this policy. You can withdraw consent at any time (see Withdrawing Consent below).
- Legitimate Interests: We process anti-cheat data to maintain fair leaderboards and protect the integrity of the service. We believe this interest does not override your rights, as the data is minimal and not shared externally.
- Legal Obligations: We may process or retain data if required by applicable law (e.g., responding to a lawful request from authorities).
If You Are in Canada
We process your information based on your express consent when you create an account and enable cloud features. You may withdraw consent at any time. In limited circumstances, we may process data without consent as permitted by Canadian law (e.g., fraud prevention, legal compliance).
If You Are in Switzerland
Processing is based on your consent and our legitimate interests as described above. You may contact the Federal Data Protection and Information Commissioner if you believe your data is being processed unlawfully.
Withdrawing Consent
You can withdraw your consent to data processing at any time by:
- Deleting your account using the Delete Account button in Settings — this removes all server-side data immediately
- Disabling cloud sync to stop ongoing data transmission while keeping your account
- Contacting us at privacy@codebambi.com to request data deletion or processing restrictions
Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal. The application will continue to work fully offline after consent is withdrawn.
How Data Is Stored
Server-Side
Cloud data is stored in Upstash Redis, a managed database service. The server runs on Vercel (serverless functions). Data is transmitted over HTTPS.
Client-Side
- Settings and progress are stored as JSON files in
%APPDATA%/ConditioningControlPanel/ - OAuth tokens (Discord/Patreon) are encrypted locally using Windows DPAPI (Data Protection API), tied to your Windows user account
- Auth tokens for the sync server are stored in application settings and validated via SHA-256 hashing
International Data Transfers
Our servers and infrastructure are located in the United States. If you are accessing our services from outside the United States — including from the European Economic Area (EEA), United Kingdom (UK), Switzerland, or Canada — your data will be transferred to, stored, and processed in the United States.
The United States may not have data protection laws as comprehensive as those in your country. However, we take the following measures to protect your data:
- All data is transmitted over HTTPS (TLS encryption in transit)
- Email addresses are hashed before storage (not stored in plaintext)
- Auth tokens are stored as SHA-256 hashes (not plaintext)
- OAuth tokens are encrypted locally with Windows DPAPI
- Our source code is open source, allowing public verification of data handling practices
Our third-party infrastructure providers (Vercel and Upstash) maintain their own data protection practices and compliance measures. Please refer to their respective privacy policies linked in the Third-Party Services section.
If you are located in the EEA or UK and believe your data is being processed unlawfully, you have the right to lodge a complaint with your local data protection authority.
Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Patreon | OAuth login, subscription verification | OAuth tokens (via their API) |
| Discord | OAuth login, account linking | OAuth tokens (via their API) |
| OpenRouter | AI companion chat (if enabled) | Chat messages you send to the companion |
| Vercel | Server hosting | API requests are processed through Vercel |
| Upstash | Database hosting (Redis) | All server-side user data is stored here |
| GitHub | Auto-updates, source code hosting | Update check requests |
Business Transfers
If this project is transferred to a new maintainer or organization, your data may be transferred as part of that transition. In such an event, the new data controller will be bound by this privacy policy or will notify you of any changes before they take effect. You will always retain the right to delete your account and data.
Data Retention
- Active accounts: Data is retained as long as your account is active and you continue using the application.
- Inactive accounts: There is currently no automatic deletion of inactive accounts. Your data persists until you request deletion.
- Deleted accounts: When you delete your account, all associated data (user record, index entries, leaderboard entries, legacy keys) is removed immediately and permanently.
- IP addresses: The application does not log IP addresses. Standard Vercel infrastructure logs may briefly retain connection metadata per their own policy.
- AI chat messages: Messages sent to the AI companion are forwarded to OpenRouter in real-time and are not stored on our server. Refer to OpenRouter's privacy policy for their retention practices.
Age Requirement
You must be at least 18 years of age to use this application. By using Conditioning Control Panel, you represent and warrant that you are 18 years of age or older.
We do not knowingly collect personal information from anyone under 18. If we become aware that a user is under 18, we will:
- Deactivate the account immediately
- Delete all associated data from our servers
- Remove all leaderboard entries and index records
If you believe that we have inadvertently collected data from someone under 18, please contact us immediately at privacy@codebambi.com so we can take appropriate action.
Your Rights
Depending on your location, you may have some or all of the following rights regarding your personal data:
Access & Export Your Data
You can export a full copy of your data at any time using the Export Data button in the app's Settings tab (under Account). This calls the /v2/user/export-data endpoint and returns all stored data associated with your account.
Rectification
You can update your display name through the application. If other data is incorrect, contact us and we will correct it.
Delete Your Account
You can permanently delete your account and all associated data using the Delete Account button in the app's Settings tab. This removes:
- Your user record and all progression data
- All index entries (email hash, display name, Discord ID, Patreon ID)
- All leaderboard entries across all seasons
- Settings backups
- Legacy data from previous versions
Deletion Is Permanent
Account deletion cannot be undone. All data is removed immediately from the server.
Restrict or Object to Processing
If you are in the EEA, UK, or Switzerland, you may request that we restrict or stop processing your personal data. Contact us at privacy@codebambi.com to make such a request.
Data Portability
The Export Data feature provides your data in a structured, machine-readable JSON format that you can take to another service.
Withdraw Consent
See Withdrawing Consent in the Legal Bases section above.
Offline Use
You are not required to create an account or use any cloud features. The application works fully offline — cloud sync, leaderboards, and account features are entirely optional.
Lodge a Complaint
If you are in the EEA, UK, or Switzerland and believe we are processing your data unlawfully, you have the right to lodge a complaint with your local data protection authority.
California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information.
Categories of Personal Information Collected
| Category | Collected? | Examples |
|---|---|---|
| A. Identifiers | YES (limited) | Display name, hashed email, Discord/Patreon IDs |
| B. Personal info (CA Customer Records) | NO | — |
| C. Protected classifications | NO | — |
| D. Commercial information | NO | — |
| E. Biometric information | NO | — |
| F. Internet/network activity | NO | — |
| G. Geolocation data | NO | — |
| H. Audio/visual information | NO | — |
| I. Professional/employment info | NO | — |
| J. Education information | NO | — |
| K. Inferences | NO | — |
| L. Sensitive personal information | NO | — |
Your California Rights
- Right to Know: You can request what personal information we have collected about you. Use the Export Data button in the app for immediate access.
- Right to Delete: You can request deletion of your personal information. Use the Delete Account button in the app for immediate deletion.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
- Right to Opt Out of Sale: We do not sell or share your personal information with third parties for monetary or other valuable consideration. There is nothing to opt out of.
To exercise any of these rights, you can use the self-service tools in the app or contact us at privacy@codebambi.com.
Do-Not-Track
We do not track users across websites or applications. Because we do not use cookies, analytics, or tracking technologies of any kind, Do-Not-Track (DNT) browser signals are not applicable to our service. We respect your privacy regardless of your DNT settings.
Changes to This Policy
We may update this privacy policy from time to time. When we do:
- The "Last updated" date at the bottom of this page will be revised
- Material changes (e.g., new data collection, new third-party sharing) will be communicated via an in-app notification or announcement in our Discord server
- The previous version of this policy will remain accessible in our public git history
We encourage you to review this policy periodically. Your continued use of the application after changes are posted constitutes acceptance of the updated policy.
Contact
If you have questions about your data, want to exercise your privacy rights, or have concerns about this policy:
- Privacy email: privacy@codebambi.com
- GitHub Issues: Open an issue
- Discord: Join the Discord server
We will respond to privacy-related requests within 30 days.
Last updated: February 28, 2026