Privacy Policy
Last updated: 2026-06-10
This policy describes what data Vestige opti ("we", "the software") collects, why, and how long it's kept. Vestige opti is a single-developer product. We don't sell data, we don't run ad networks, we don't have an analytics SDK embedded in the app.
TL;DR. The desktop app stores everything locally. The licensing server sees your license key, a hashed hardware ID, and the IP you connect from — only enough to know your seat is real. We never see what tweaks you apply, which games you play, or any file on your disk.
1. What the desktop app collects
Nothing leaves your PC except license-validation traffic (described below).
All tweak state, presets, snapshots, and logs are written to disk under
%AppData%\VestigeOpti and stay there.
- Local-only: applied tweaks, snapshots, custom presets, activity logs, analysis results, detected installed games, OBS process priority history. None of this is transmitted.
- Hardware fingerprint: a SHA-256 hash of CPU id, motherboard serial, MAC address, and Windows MachineGuid — used locally to detect hardware changes that should re-verify the license, and sent in hashed form to the licensing server during activation and periodic checks (see §2).
2. What the licensing server collects
The Vestige licensing server (api.vestigeopti.com) receives the
minimum required to validate that your license seat is legitimate.
- Your license key — stored only as a SHA-256 hash, plus the first and last four characters of the plaintext for support display (e.g. "AB12-…-WXYZ"). The plaintext is never stored on our servers.
- Hardware ID hash — SHA-256 of your composite fingerprint. Used to
count distinct devices against your
max_devicescap. - IP address — captured per request for rate limiting and abuse investigation. Kept in audit-log rows for 90 days, then automatically truncated. Never sold, never shared.
- User-Agent and product build version — used to count how many users are on each release so we know when older builds can be EOL'd.
- Timestamps — when the license was first activated, last validated, and last heartbeat-checked. Used to detect abandoned seats.
For paid customers we additionally store the billing email you provided to the payment processor and a reference to the payment-processor transaction ID (no card numbers — we never see those).
3. What we do not collect
- No telemetry of which tweaks you apply, when, or in what order.
- No game library scan results.
- No filesystem listing, no Defender / Smart App Control exclusions you set.
- No browsing history, no clipboard, no keystrokes.
- No screen capture, no webcam, no microphone — the app has no permission to access them and doesn't request any.
- No third-party advertising or analytics SDKs are embedded in the build.
4. Cookies and the website
The marketing site (this domain) uses no cookies and runs no analytics.
Cloudflare, our DNS and CDN provider, may set a single __cf_bm
bot-management cookie that expires in 30 minutes; that's their bot mitigation,
not us tracking you.
5. Payment processing
When payment integration is enabled, we use a merchant-of-record (currently planning Lemon Squeezy) that handles your card data, tax jurisdiction, and invoicing. They send us:
- The email you bought with
- An anonymized transaction reference
- The product SKU you bought
We do not see card numbers, expiry, or CVV. The merchant of record's privacy policy governs how they handle your payment data.
6. Sub-processors
The licensing service runs on infrastructure provided by:
- DigitalOcean (US datacenters) — the VPS hosting our API and Postgres database
- Cloudflare — DNS, email forwarding for
support@vestigeopti.com - Let's Encrypt — free TLS certificates
Each of those parties may see network metadata (IP, request path) during transit, governed by their respective privacy policies. We use no other third-party data processors.
7. Data retention
- Active licenses: kept as long as the license is valid + 1 year, then archived.
- Audit logs: 90 days at full fidelity, then IP fields are truncated.
- Nonces / challenge tokens: 10 minutes, then deleted.
- Activity log entries (per-user): 12 months.
- Refunded purchases: license deactivated immediately; record kept for tax compliance per the merchant-of-record's retention schedule.
8. Your rights
You can email support@vestigeopti.com at any time to:
- Export everything we hold associated with your license key
- Have your record deleted (this will deactivate the license)
- Correct the email on file
- Move the license to a new PC (we'll unbind the old HWID hash)
GDPR / UK GDPR data-subject requests are handled the same way; we'll respond within 30 days. CCPA requests likewise.
9. Children
Vestige opti is not directed at children under 13 (or 16 in the EU). We don't knowingly collect data from minors. If you believe a minor has been issued a license, email us and we'll remove the record.
10. Changes to this policy
If we change this policy materially we'll update the "Last updated" date above. Significant changes will be highlighted in the app's update notes.
11. Contact
Email support@vestigeopti.com for anything — privacy questions, data requests, or just to say hi.