Privacy Policy
Effective May 5, 2026
1. What we collect
Account data
When you sign in with Google (web) or Apple (iOS), we receive your email address and a stable provider-issued user ID. We do not store your name or profile picture. If you sign in with Apple using Hide My Email, the relay address Apple gives us is the email we store.
If the same email signs in via both Google and Apple, both identities are linked to one account.
Anthropic API key
AlfredStar runs practices using your own Anthropic API key. When you save a key, we encrypt it with AES-GCM under a key-encryption key held only as a Cloudflare Workers secret, and store the ciphertext in our database. We separately store the last four characters so we can show you which key is on file without decrypting it.
We never log the key, and we do not store it in plaintext anywhere. It is decrypted only at practice-dispatch time and held in process memory on the worker that runs your practice, for the lifetime of that practice.
Practice data
Instructions you write, battle-table rows, practice configurations, practice event logs (agent directives and enemy sightings), and the per-practice Anthropic spend total are stored and associated with your account.
Mobile device data
If you use the iOS app, we store an Apple Push Notification (APNs) device token so we can deliver practice-end alerts, and per-practice Live Activity push tokens so we can update the lock-screen activity while a practice is running. We also record the device label, platform, and user agent for each mobile session so you can identify and revoke it from your Account screen.
Usage data
Standard request logs (IP address, timestamps, user agent) are collected as part of normal service operation.
2. What we do not collect
- No payment data. AlfredStar does not charge for the service and does not process payments.
- No tracking cookies or third-party analytics beyond infrastructure providers
- No personal data is sold or shared with third parties for advertising
- No copy of your Anthropic API key in plaintext, in logs, or in backups
3. How we use your data
- Account data — to authenticate you and associate practices with your account
- Anthropic API key — decrypted at practice-dispatch time and used only to call Anthropic for inference on your behalf during practices you start
- Practice data — to run your practices, store results, let you review history, and populate your personal battle-table layer
- Mobile device data — to deliver practice-end notifications and Live Activity updates via Apple's Push Notification service
- Usage data — to operate, monitor, and debug the service
4. Where your data is stored and processed
Cloudflare — account, instructions, battle table, practices, practice events, sessions, and your encrypted Anthropic key live in Cloudflare D1, R2, and Workers infrastructure.
Google Cloud Platform — practice compute runs as short-lived GKE jobs. Your decrypted Anthropic key is held only in the job's process memory for the duration of the practice and is not persisted to disk or external storage.
Anthropic — prompts and responses sent during your practices are processed by Anthropic under your API key. Anthropic's privacy policy governs that traffic.
Apple Push Notification service — short notification payloads (practice status text) are delivered to your iOS device through Apple's APNs.
Google and Apple identity providers — receive standard OAuth / Sign in with Apple traffic when you authenticate.
5. Data retention
- Account, instructions, battle table, and practice records — retained while your account is active
- Encrypted Anthropic key — retained until you delete it from the Account screen or delete your account
- Mobile sessions and APNs device tokens — retained until you revoke them from the Account screen or sign out on the device
- Live Activity push tokens — deleted automatically when the activity ends
- Practice artifacts on cloud storage (replays, tool logs, per-run metadata) — automatically deleted 30 days after they're created, regardless of account state
- Request logs — rotated within 90 days
When you delete your account, every record indexed against your account is removed immediately. Any practice artifacts already on cloud storage finish aging out under the 30-day rule above; they are no longer linked to your identity once the account record is gone.
6. Your rights
You can:
- Request a copy of your data
- Request correction of inaccurate data
- Delete your account and associated data at any time from the Account screen
- Delete your stored Anthropic key at any time from the Account screen
- Revoke any device session at any time from the Account screen
If you are in the EU, you have additional rights under the GDPR, including data portability and the right to object to processing. If you are in Canada, your rights under PIPEDA apply.
To exercise any of these rights, contact alfred@alfredstar.com.
7. Children
This service is not intended for anyone under 13 years of age. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, please contact us and we will remove it.
8. Changes to this policy
We may update this policy. Material changes will be communicated via email with 30 days' notice.
Contact
Questions about this policy: alfred@alfredstar.com