Privacy Policy

Product: curlyCue (macOS desktop application)
Website: https://curlycue.app
Last updated: May 14, 2026

This Privacy Policy explains how curlyCue (“curlyCue”, “we”, “us”, or “our”) collects, uses, discloses, and protects information when you use:

the curlyCue macOS desktop application, and
this website (collectively, the “Service”).

curlyCue is designed as a local desktop application. Most processing happens on your Mac. When you connect curlyCue to Google, the app uses Google APIs only with your consent.

1. Who we are

Controller / Owner: Joyce Ciesil
Contact email: support@curlycue.app

2. What this policy covers (and what it does not)

This policy covers information processed:

in the curlyCue macOS app;
in connection with Google services you choose to connect (Google Sheets / Google Drive) via curlyCue; and
when you visit https://curlycue.app.

This policy does not cover:

QLab (a product of Figure 53, LLC) or any third-party tools you use alongside curlyCue;
Google’s own products and privacy practices (see Google’s policies for those).

3. Definitions

For clarity:

“Personal data” means information that identifies or can reasonably be linked to an identifiable person (such as an email address).
“Google data” means information received from Google APIs that you authorize curlyCue to access (for example, Google Sheets cell values and Google Drive file metadata).
“Device data” means information stored locally on your Mac (for example settings files, logs, and backups).

4. High-level summary (for convenience)

curlyCue is primarily a local desktop app.
If you connect a Google account, curlyCue uses Google OAuth and requests limited scopes to:
- list spreadsheet metadata in the “Browse Sheets” picker, and
- read and write data in the spreadsheet(s) you select for syncing.
OAuth tokens are stored locally in the macOS Keychain.
We do not sell personal data and do not use Google data for advertising.
If you purchase a license, a licensing server may store your email address and license status.

5. Information we collect / process

5.1 Information you provide directly (within the app)

Depending on how you use curlyCue, you may provide or create:

Configuration and preferences, such as mapping choices, cue formatting preferences, start row/column settings, and project settings.
Identifiers and references needed to operate the app, such as spreadsheet IDs, selected worksheet/tab names, QLab workspace IDs, and local file paths for CSV exports/backups.

We use this information only to provide the Service.

5.2 Information from Google (when you connect a Google account)

With your explicit consent via the Google OAuth consent screen, curlyCue may access:

Google identity information (email and basic profile) so the app can show which account is currently signed in.
Google Drive file metadata for Google Sheets files so you can browse and select a spreadsheet.
Google Sheets content for the specific spreadsheet(s) you select, to read and write cue-related data.

Details on scopes and usage are in Section 8.

5.3 Local application data and logs

curlyCue may generate local data on your device, such as:

settings and project files;
cached values to improve performance;
logs containing operational details (for example, spreadsheet IDs, tab names, error messages, and diagnostic context).

These files are stored on your Mac and are not automatically sent to us.

5.4 Website data (when you visit curlycue.app)

If you visit the website, the site host may collect standard web server logs, which can include:

IP address,
browser type,
device/OS information,
referring page,
timestamps,
and requested pages.

We do not intentionally deploy behavioral advertising trackers at this time. Your hosting provider may still log basic access information.

5.5 Licensing and purchase records (if you purchase a license)

If you purchase a license for curlyCue, we process limited information to manage entitlement, deliver license emails, and prevent fraud/abuse.

Licensing backend (“curlyCueSERVER”)

The licensing backend is implemented as a Cloudflare Worker and uses:

Cloudflare D1 (SQLite) to store license/customer records;
Cloudflare Queues to send transactional emails asynchronously;
a Paddle webhook endpoint to receive billing/subscription lifecycle events and issue/update/revoke licenses.

Depending on your actions (purchase, activation, resend, deactivation), the licensing backend may receive/process:

Email address (for example for license delivery and account recovery). The database stores email encrypted and also stores a deterministic lookup value (HMAC) so we can find a customer record without storing the email in plaintext.
Name (optional, if received from the billing provider); stored encrypted when present.
License key (provided by you in the app). The server stores a peppered hash of the license key for lookups and stores an encrypted copy for email sending/admin support. A short hint (such as the last characters) may be stored for support usability.
Install identifier (installId) and app version (provided by the app when activating). The server stores only a hash of the install identifier for seat counting and does not store the plaintext install identifier.
Billing identifiers from Paddle (such as customer/subscription/transaction IDs, price ID, and subscription period end timestamps), as provided in Paddle webhooks.
IP address / request metadata may be used for rate limiting and may appear in administrative audit logs where available.

We do not store payment card numbers or bank details. Payment processing is handled by third-party providers.

5.6 Support communications

If you contact us for support (for example by emailing support@curlycue.app), we will receive the information you choose to include in your message (such as your email address, the content of your request, and any attachments like logs or screenshots).

6. How we use information

We use information to:

6.1 Provide and operate the Service

allow you to sign in to Google (if you choose);
let you browse/select spreadsheets;
read cue data from your chosen data source (CSV or Google Sheet);
synchronize cue data with QLab;
write updates back to the spreadsheet(s) you select when you choose to push/update.

6.2 Maintain, troubleshoot, and improve

debug issues (for example by reviewing error messages you share);
improve performance and reliability;
maintain compatibility with macOS/QLab/Google APIs.

6.3 Communicate with you

respond to support requests;
send important notices (for example licensing or policy updates), if applicable.

We do not use Google data for advertising and do not sell personal data.

7. How we share information

7.1 We do not sell personal data

We do not sell your personal data.

7.2 Sharing of Google data

curlyCue does not share your Google Sheets contents with third parties for advertising or marketing.

The app necessarily communicates with Google APIs and QLab (locally) to provide the Service. If you contact support, you may choose to share logs or screenshots that could include identifiers (such as spreadsheet IDs).

7.3 Service providers

We may rely on service providers for limited functions (for example, web hosting for curlycue.app and licensing infrastructure). Those providers may process limited data as needed to deliver their services.

Depending on your use of the Service, our service providers may include:

Cloudflare (website hosting and licensing backend infrastructure, including Workers, D1, and Queues).
Paddle (billing provider / Merchant of Record; provides us purchase/subscription events via webhooks).
Resend (transactional email delivery for license emails).

8. Google API data access and use (Scopes)

curlyCue uses Google OAuth 2.0. When you sign in, you can review requested permissions on the Google consent screen. With your consent, curlyCue requests the following scopes:

Google Sheets: https://www.googleapis.com/auth/spreadsheets
Google Drive (metadata-only): https://www.googleapis.com/auth/drive.metadata.readonly
Basic identity: openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile

8.1 How curlyCue uses Google Drive (metadata-only)

The Drive scope is used only to list Google Sheets files you can access and display them in the “Browse Sheets” picker.

curlyCue uses Drive metadata fields such as:

file name,
file ID,
last modified time,
owner email address,
file type (so we can filter for Google Sheets).

curlyCue does not:

modify, delete, or move files in your Google Drive;
download, export, or read file contents via the Drive API.

8.2 How curlyCue uses Google Sheets (read/write)

The Sheets scope allows curlyCue to read and write data in the spreadsheet(s) you select.

curlyCue may:

read cue-related cell values (for example cue numbers, labels, notes, and other columns you map);
write updated cue information back to the same spreadsheet(s) when you choose to Push/Update;
insert, update, or delete rows/cells as part of synchronization, depending on your chosen workflow.

8.3 How curlyCue uses Google identity information

Identity scopes are used to:

determine which Google account is connected;
display the signed-in email address in the app;
support switching accounts.

We do not use identity information for advertising.

9. Google API Services User Data Policy (Limited Use)

curlyCue’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

In practice, this means (among other things):

We use Google data only to provide user-facing features in curlyCue.
We do not use Google data for serving advertisements.
We do not use Google data to develop, improve, or train generalized AI and/or machine learning models.
We do not allow humans to review Google user data unless:
- you explicitly share it with us for support, or
- it is required for security purposes (for example abuse investigation), or
- it is required to comply with applicable law.

10. Storage, security, and where data lives

10.1 OAuth tokens and credentials

curlyCue stores OAuth tokens locally in the macOS Keychain using system keychain facilities (via the system keyring). Tokens are stored on your device and are not intentionally transmitted to our servers.

10.2 Spreadsheet contents

Spreadsheet contents are processed on your device to display and synchronize cues. curlyCue does not upload spreadsheet contents to a remote server as part of normal operation.

10.3 Backups, exports, and logs

If you enable backups or export CSV files, those files are created locally on your device. Logs remain on your device unless you choose to share them with support.

10.4 Security practices

No software can guarantee absolute security, but we take reasonable measures appropriate to a small desktop application, including:

relying on macOS Keychain for credential storage,
limiting requested Google scopes,
minimizing server-side storage.

10.5 Licensing backend security measures

For licensing data specifically, we use measures appropriate to a small transactional backend, including:

HTTPS transport (provided by Cloudflare);
webhook signature verification for billing events (Paddle);
application-layer encryption at rest for certain fields (e.g., email, name, license key, and in some cases stored webhook payloads) using authenticated encryption (AES-GCM);
deterministic lookup values (HMAC) for email search without storing plaintext email;
hashed identifiers (peppered hashing for license key lookup; hashing for install identifiers);
admin endpoints protected by Cloudflare Access authentication (and optional JWT verification) with audit logging of admin actions;
rate limiting on sensitive endpoints (activation/resend/admin) primarily based on IP.

11. Data retention

Because curlyCue is primarily local, most retention is under your control.

11.1 Google credentials

Google OAuth tokens stored in Keychain remain until:

you sign out within the app (if provided), and/or
you revoke access in your Google account settings, and/or
you remove them from Keychain or uninstall the app.

11.2 Local configuration, backups, and logs

Local files remain on your device until you delete them.

11.3 Licensing server data (if applicable)

If you have a paid license, we may retain licensing-related data (such as your encrypted email record, license status, activation hashes, and billing linkage identifiers) for as long as needed to provide license validation, customer support, and fraud prevention, and for a reasonable period afterward or as required by law.

The licensing system also retains operational records such as webhook event processing metadata and administrative audit logs for security and troubleshooting purposes. The current implementation does not define a strict automated deletion schedule; records persist until deleted.

To request deletion of server-side data we control (if any), contact support@curlycue.app.

11.4 Support email retention

If you email support, we may retain your message and our replies for as long as necessary to address your request, maintain records of support provided, and comply with legal obligations.

12. Your choices and rights

Depending on where you live, you may have rights to access, correct, or delete certain personal data.

12.1 Revoke Google access

You can revoke curlyCue’s access to your Google account at any time here:

https://myaccount.google.com/permissions

After revocation, curlyCue will not be able to list or update Google Sheets until you authorize again.

12.2 Manage local data

You can delete local logs/backups/exports, uninstall the app, and remove curlyCue items from macOS Keychain.

13. Children’s privacy

curlyCue is not intended for children under the age of 13 (or a higher age as required by local law), and we do not knowingly collect personal data from children.

14. International users

curlyCue runs locally on your device. If we operate limited server infrastructure (for example licensing), it may be hosted in the United States or other locations depending on service providers.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top.

16. Contact us

If you have questions about this Privacy Policy or how we handle data, contact:

support@curlycue.app

Back