Caveman/privacy/cloud← back
Caveman Cloud · privacy policy

Cloud Privacy Policy

Draft · version 2026-07

Draft — not yet in effect

This document is under legal review and is published here for transparency only. It does not yet bind you or us. We'll set an effective date once review is complete.

This policy covers Caveman Cloud — the hosted gateway, the connected cave CLI, and the operator dashboard. The browser extension is covered separately by the extension privacy policy.

Who controls what

There are two kinds of data, with two different roles:

  • Your traffic — the prompts, responses, and telemetry you route through the gateway. You are the controller; Caveman is a processor acting on your instructions (your plan and your governance settings).
  • Product analytics — how you use the dashboard and this website. Here Caveman is the controller. This analytics is cookieless and never includes prompt or response content.

What we process, by plan

What we retain and whether it is used to improve our models depends on your plan. The full per-plan breakdown is in the data-use summary. In short:

  • Free / Indie— usage metadata plus request and response payloads may be retained and used to improve Caveman's models. This is a condition of the plan.
  • Team — the same sharing is on by default and can be turned off any time in Data governance; turning it off applies immediately.
  • Enterprise — traffic is never used for training or product improvement, and product analytics is off.

Training and product improvement

Where your plan permits it, retained payloads and telemetry may be used to train and evaluate Caveman's own models (for example routing and compression models). We never use enterprise traffic for this, and we never sell your data or expose one tenant's data to another.

Product analytics and this website

We use PostHog (EU region) for cookieless product analytics — structured events like page views and feature usage, never prompt or response content, file paths, or free-text you typed. It is disabled for enterprise organizations.

For transparency: this website previously used Vercel Analytics, which collected aggregate, cookieless visit metrics. It has been removed in favor of the PostHog setup described above.

Sub-processors

We rely on a small set of sub-processors:

  • Scaleway (EU) — hosting, databases, and encrypted object storage.
  • Vercel — hosting for this website (and, previously, its analytics).
  • PostHog (EU) — cookieless product analytics.
  • Stripe — billing and payments.
  • Supabase — the marketing waitlist.

Where your data lives

Data we process on your behalf is stored in the European Union (Scaleway). We do not move your traffic data out of the EU.

Retention

Metadata is retained on the windows shown in Data governance. Where raw payloads are stored (on sharing plans), they are retained for a bounded window — up to 30 days by default — and then purged. You can shorten or disable payload storage from Data governance on plans that allow it.

Your rights and deletion (DSAR)

You can request access to, correction of, or deletion of your organization's data. Deletion is org-keyed: we purge the data associated with your organization, including any stored payloads. We commit to completing verified deletion requests within 30 days. Use the in-product deletion control in Data governance, or contact us.

Changes

This policy is versioned (2026-07). Material changes are posted here with a new version and effective date.

Contact

Privacy questions and data requests: contact@caveman.so