Privacy Statement
How Peak State Apps products handle data — in plain terms, and in detail.
Operator
All products covered by this statement are built and operated by Peak State Apps (Adrian Scheibelhut, Germany — see Imprint). Contact for any privacy question: peakstate.apps@gmail.com.
Summary
Across every Peak State Apps product:
- No third-party advertising or marketing trackers. No SDK that beacons home.
- No analytics on your usage of the apps themselves. We don't know which features you use, when, or how often.
- No account creation required. Where licensing is involved (Pro tier on NetGlobe), only the license key, your email (for delivery), and a per-install identifier are stored.
- We don't sell your data.
The rest of this statement is per-product detail.
NetGlobe (Chrome extension)
Summary
NetGlobe is built to show you who your browser talks to. It would be inconsistent if the tool itself silently shipped data anywhere. So:
- No analytics, telemetry, or crash reporting. The extension never phones home for diagnostic purposes.
- One outbound call per uncached destination IP: a geolocation lookup that takes only the destination server's IP and returns a country/city/coords. Never URLs, cookies, headers, or page content.
- One additional outbound call per week if you activate Pro: a license re-validation against our Cloudflare Worker, which forwards to Lemonsqueezy.
- No persistence of request data beyond the browser session. Two opt-in exceptions are documented in §3.
1. Data NetGlobe processes
1.1 Server IPs
For each request your browser makes, the extension reads the destination IP that chrome.webRequest.onCompleted exposes. That IP is sent to the geolocation backend (see §4.1) so we can place the destination on the map. The IP is cached locally per browser session; the same IP is not looked up twice. Private/internal IPs (RFC1918, loopback, link-local, ULA) are filtered out before any lookup.
1.2 Request URLs and metadata
URLs of outgoing requests are read locally by the service worker to extract the hostname and path/query string for the log, search, parameter table, and optional watchlist matching. They never leave your browser. Request bodies, response bodies, cookies, and headers other than Content-Length are not read.
Known secret-bearing query parameters (OAuth codes, access tokens, signed-URL signatures, password reset tokens, session IDs) are replaced with the literal string «redacted» before being stored locally, so a screenshot of the panel during an OAuth flow won't expose credentials.
1.3 Tab and window identifiers
Chrome's tab and window IDs are read locally to make the four-mode scope selector ("Current page", "Entire tab", "This window", "All windows") work. They have meaning only inside your Chrome instance and never leave it.
1.4 UI preferences
Mute state per category, the chosen scope, the log group/sort selection, and feature toggles (lifetime heatmap, hide-arrows) are persisted so the panel remembers them across reloads.
1.5 Optional watchlist values (Pro)
If you use the Pro Email / data watchlist, the value you enter is normalized locally and converted into matching forms (plain, URL-encoded, Base64, MD5, SHA-1, SHA-256). Those forms are stored in chrome.storage.session so the panel can compare them against outgoing URLs. They are never transmitted and disappear when Chrome closes.
1.6 Pro license (only if activated)
If you activate a Pro license, the following are stored in chrome.storage.local:
- The license key you pasted (16 characters, in the format
XXXX-XXXX-XXXX-XXXX). - A randomly-generated UUID identifying this browser install, so re-activating in the same browser doesn't consume a fresh activation slot at our payment provider.
- Activation timestamp, last successful re-validation timestamp, expiry date (for monthly subscriptions only — null for lifetime licenses), and a counter for consecutive validation failures.
Approximately once per week, the extension's background service worker calls our Cloudflare Worker (which forwards to Lemonsqueezy) with the license key and the per-install UUID, to confirm the license is still valid. This is the only outbound call beyond the geo lookup. If two consecutive checks return "revoked", "expired", or "unknown", the local Pro state is cleared automatically.
2. Data NetGlobe does NOT collect
- Request bodies (POST payloads).
- Response bodies, response headers other than
Content-Length. - Cookies, authentication tokens, session IDs.
- Page content or form input, except when a website itself places that value into an outgoing request URL that NetGlobe records as request metadata.
- Browser fingerprinting data, device identifiers, hardware information.
- Personally identifiable information, unless you explicitly enter a value into the optional local watchlist described in §1.5.
- Crash reports, performance metrics, A/B-testing buckets, feature-usage counters.
3. Storage locations
| Surface | What's stored | Lifetime |
|---|---|---|
chrome.storage.session |
IP → geo cache (geo_<ip>), per-tab request buffer (tabbuf_<tabId>), per-tab navigation generation (tabGen_<tabId>), origin location, UI preferences, optional watchlist matching forms, and optional per-session leak history. |
Cleared when Chrome closes. |
chrome.storage.local |
Two opt-in keys: (1) the Lifetime heatmap counter — lifetimeEnabled (boolean) and lifetimeStats (alpha-2 country code → integer count). No domains, no URLs, no IPs. (2) The Pro license object (key, per-install UUID, timestamps, status). No other use. |
Persists across browser restarts. Lifetime heatmap is cleared by the in-panel reset button or by uninstalling the extension. Pro license is cleared by the in-drawer "Remove license" button or by uninstalling the extension. |
| In-memory (service worker) | Volatile working state: in-flight request IDs, the geo-lookup queue, rate-limit timestamps. | Cleared whenever Chrome suspends the service worker (~30 s idle). |
4. Third parties
4.1 Geolocation backend
To place destination IPs on the map, NetGlobe calls a geolocation endpoint. The extension uses a Cloudflare Worker HTTPS proxy operated by Peak State Apps that forwards the lookup to ip-api.com. The browser sends only the destination server IP to the proxy; request URLs, cookies, headers, and page content are not sent.
The upstream geo provider receives only the destination IP. Cloudflare, as the proxy host, necessarily sees normal connection metadata for the HTTPS request, but NetGlobe does not send it URLs, cookies, headers from the browsed page, or page content.
4.2 License validation (Pro only)
For users who activate a Pro license, the same Cloudflare Worker exposes a license-validation endpoint that forwards to Lemonsqueezy. The browser sends only the license key and the per-install UUID. Lemonsqueezy is the system of record for license state. They process this data as Peak State Apps' payment / licensing processor; their privacy policy is at lemonsqueezy.com/privacy.
4.3 Payment processing
When you purchase a Pro license, payment is processed by Lemonsqueezy, who use Stripe as their underlying payment processor. Peak State Apps receives your email address (for license delivery and customer support) and the country reported by Lemonsqueezy for VAT purposes. We never see your payment card details.
4.4 No other third parties
NetGlobe does not include analytics SDKs, ad scripts, A/B-testing libraries, or session-replay tools. Vendored dependencies (D3.js, TopoJSON) are bundled offline and load from the extension package — they never make a network call themselves.
5. Permissions — what each one is used for
| Permission | Purpose |
|---|---|
webRequest |
Read-only observation of outgoing request metadata (URL, IP, size, status). No blocking, no modification, no body access. |
sidePanel |
Render the UI in the browser's side panel. |
storage |
Persist the geo cache, per-tab buffers, UI preferences, and (if you opt in) the lifetime heatmap counter and your Pro license. |
tabs |
Resolve the active tab and its window for the scope selector. |
webNavigation |
Track top-level navigation and SPA history.pushState events so the per-page scope can isolate them. |
alarms |
Schedule the weekly Pro license re-validation. Only invoked if you have an active Pro license. |
<all_urls> (host permission) |
Required because trackers live on every domain. A narrower whitelist would specifically hide the unexpected third parties NetGlobe is built to surface. |
https://netglobe-geo-proxy.cardgate.workers.dev/* (host permission) |
The Cloudflare Worker proxy used for geo lookups (§4.1) and Pro license validation (§4.2). |
CardGate (Android & iOS)
Summary
CardGate intercepts launches of distraction apps and gates them behind flashcard quizzes. The app contacts no remote server for its core functionality; all flashcard data, quiz history, and settings are stored on the device.
- No account, no registration. Nothing to sign up for.
- No analytics, telemetry, or crash reporting. The app does not phone home for diagnostics or usage tracking.
- All flashcard data, quiz history, app block lists, earned-time pools, statistics, and settings stay on the device. Nothing is synced to a remote server.
- Optional AI card generation (premium feature): when used, sends only the prompt you write — either to the AI provider you've configured (your account) or, with the in-app credit-pack option, to our partner provider on your behalf. No data beyond the prompt is transmitted.
Permissions and how the gate works
Android
- Accessibility Service — used solely to detect which app is in the foreground, so the gate can trigger when you launch a blocked app. It does not read screen content, user input, or any other accessibility events from any app's UI.
- Usage Stats (optional) — only requested if you enable the "Earn App Time" mode, used to deduct from your earned pool while you use designated apps.
- Standard permissions for local storage (importing .apkg / CSV / TSV files), media playback (cards with images and audio), and notifications.
iOS
- Apple Shortcuts integration — the gate triggers via user-configured personal automations rather than a system-level interception. CardGate provides Shortcuts actions; you configure the automation that runs them.
Storage and data flow
All flashcard data, quiz history (per card and per blocked app), app block lists, earned-time pools, statistics, and settings are stored in the device's app-private storage (Android) or the app sandbox (iOS). Removing the app erases this data. There is no cloud-sync of study material or usage history.
Third parties
- Anki ecosystem (optional, on import). CardGate can read
.apkgfiles from local storage and query the AnkiDroid app's sync API on Android. No cloud round-trip; everything happens on the device. - AI card generation (optional, premium). If you use this feature, the prompt you write is sent to the AI provider — either the one configured in your own account, or our partner provider when using credit packs. Only the prompt is sent; quiz history and other app data are not.
- No advertising SDKs. No analytics SDKs. No third-party tracking.
Full per-platform privacy policies
The privacy policies submitted to Google Play and Apple App Store are the canonical references for store-listing compliance:
- Android (Google Play): CardGate Android privacy policy
- iOS (Apple App Store): CardGate iOS privacy policy
The section above is a plain-language summary; in case of conflict between this summary and the platform-specific policies linked above, the platform policies are authoritative for their respective platform.
Cross-product topics
6. Your rights under GDPR
If you're in the EU/EEA, the GDPR gives you the right to access, rectify, and delete the personal data we hold about you, to restrict or object to its processing, and to data portability. Email peakstate.apps@gmail.com with any such request and we'll respond within 30 days.
For NetGlobe specifically, very little personal data is held server-side: the only persistent record is your license key linked to your purchase email at Lemonsqueezy, and the per-install UUID associated with each activation. To exercise your right of erasure for these, deactivating the license from within the extension is the fastest path; we can also delete the underlying Lemonsqueezy customer record on request.
7. Children
Peak State Apps products have no age gate. They do not knowingly collect data from anyone, regardless of age. Because no personal data beyond what's described above is collected, there is no children-specific processing to disclose under Art. 8 GDPR or COPPA.
8. Changes to this statement
Material changes will be reflected in the version number below. Cosmetic edits (typos, link updates) do not bump the version. Removed processing operations are documented as well — if a data-processing surface ever becomes smaller, you will be able to track that.
9. Contact
Privacy questions, GDPR requests, or anything else: peakstate.apps@gmail.com. For NetGlobe-specific bug reports, the GitHub Issues tracker is preferred.