Privacy Policy
Effective Date: April 21, 2026
Overview
Crufti is a macOS application published by Another Mad World, an unincorporated studio based in Washington State, USA (“Another Mad World,” “we,” “our,” or “us”). The application scans for and removes leftover files when you delete apps. Crufti is software, not a managed service: it runs entirely on your Mac, we operate no backend that ingests your data, and our business model does not depend on collecting, profiling, or monetizing user information.
This policy describes, in plain English, how the application and our marketing website at crufti.app handle information. Use of the application and website is also governed by our Terms of Service, which contain our dispute resolution terms, including binding arbitration and a class-action waiver for US users, as well as disclaimers and limitations of liability.
What we don’t collect
We do not collect, receive, or store any of the following from the Crufti application:
- Telemetry or product analytics
- Usage statistics or behavioral data
- Crash reports or diagnostic logs
- Contents of any file scanned, matched, or deleted
- File paths, filenames, or directory listings
- Bundle identifiers, application names, or metadata for the apps you clean
- Personal information such as your name, postal address, or phone number (beyond what you choose to include in an email to us)
- Device identifiers, hardware serials, or location data
- Keystrokes, clipboard contents, or screen contents
Your IP address is handled only as described in “Network activity” below: it is processed by our content delivery network on our behalf to deliver the marketing website, but we do not log, retain, or analyze it ourselves.
Network activity
The Crufti Mac App Store application makes no outbound network requests. It contains no analytics, no telemetry, no crash reporting, and no update-checking network code. Everything the application does happens locally on your Mac, and it has no mechanism to send your data anywhere.
Separately, macOS itself may contact Apple servers (for example for App Store receipt validation, Gatekeeper, and OCSP) when a signed App Store application is launched. That traffic is operating-system behavior, governed by Apple’s privacy practices, and is not something Crufti controls or originates.
File access
Crufti runs inside the macOS App Sandbox. It uses the user-selected file access entitlement (com.apple.security.files.user-selected.read-write) to read application bundles you drop onto it, and an app-scoped security-scoped bookmark (com.apple.security.files.bookmarks.app-scope) to remember the Library folder you grant it access to. It reads nothing outside the locations you select.
Library access
Because Crufti is sandboxed, it cannot read your ~/Library folder until you allow it. The first time you scan, the application asks you to grant read access to ~/Library through the standard macOS file picker, and stores a security-scoped bookmark so it need not ask again. This grant is between you and macOS; we have no visibility into what the application reads, and nothing it reads is transmitted off your Mac. You can revoke it by removing the saved access or reinstalling the application.
Local data storage
The application writes records to your Mac that remain on the local device and are never transmitted to us or to any third party. These include, but are not limited to, deletion manifests and local cleaning history:
- Cleaning history — a record of past cleaning sessions, stored through SwiftData inside the application’s own container.
- Deletion manifests — JSON audit files created before each cleaning operation and stored inside the application’s sandbox container.
You control retention of this local data. Cleaning history can be cleared from within the application, manifest files can be deleted at any time, and all local data is removed when you uninstall the application. Because none of this data reaches our servers, we have nothing to produce in response to data-access, deletion, or portability requests concerning it.
Marketing website
The crufti.app website is a static site hosted on Cloudflare Pages. It sets no first-party cookies, serves no analytics scripts or tracking pixels, and loads no advertising or third-party measurement tools. As the host and CDN, Cloudflare processes standard server-level request metadata (such as IP address, user-agent, and requested path) on our behalf in order to deliver pages and provide security services; this processing is governed by the Cloudflare Privacy Policy. We do not access those logs for marketing or profiling, and we do not combine them with any other data we hold.
Email correspondence
If you email us at [email protected], the contents of your message, your email address, and any information you choose to include become personal information we process for the purpose of responding to you. Our mail is delivered through Apple’s iCloud Custom Email Domain service, which means Apple acts as a sub-processor for email-in-transit and mailbox storage. You can request a copy or deletion of that correspondence at any time. We retain email correspondence for up to three (3) years after our last exchange with you unless a longer period is required by law.
Third-party services
The third-party components involved in delivering the application, this website, and support correspondence are:
- Cloudflare — hosts the marketing website, acting as CDN and security layer. Cloudflare processes network metadata (IP address, user-agent, request path, timestamp) on our behalf.
- Apple — distributes the application through the Mac App Store and is the merchant of record for purchases. Apple also provides iCloud Custom Email Domain, which delivers and stores mail sent to our support address. Separately, macOS itself communicates with Apple servers as part of running signed App Store applications (receipt validation, Gatekeeper, OCSP); that is Apple’s OS behavior, not something Crufti initiates.
We do not use third-party analytics vendors, crash-reporting services, advertising networks, tag managers, or session-replay tools.
Children’s privacy
The application and website are not directed to children. We do not knowingly collect personal information from children under 13 in the United States, consistent with the Children’s Online Privacy Protection Act. For users in the EU and the UK, we do not knowingly process data of anyone under 16. For California users subject to CCPA/CPRA rules on the sale or sharing of personal information, we do not knowingly process data of anyone under 16 for sale or sharing purposes. If you believe a child has provided us with personal information, contact us at the address below and we will take reasonable steps to address the matter.
International users and data transfers
Another Mad World is based in the United States. If you access the application or website from outside the United States, you acknowledge that the limited network metadata described above may be processed in the United States and in other jurisdictions through which Cloudflare routes traffic. Cloudflare operates under the EU–US Data Privacy Framework and relies on Standard Contractual Clauses for transfers of personal data out of the EEA, the UK, and Switzerland; that framework provides the legal basis for the incidental transfer of your network metadata when you visit the website.
GDPR, UK GDPR, and Swiss FADP
Where the GDPR, UK GDPR, or Swiss FADP applies, Another Mad World is the controller of the limited personal data described in this policy. Our legal basis for processing the network metadata involved in website hosting is our legitimate interest (Art. 6(1)(f) GDPR) in securely operating the site. Our legal basis for processing email correspondence is our legitimate interest in responding to your inquiry, or, where applicable, the performance of a contract with you.
You have the rights of access, rectification, erasure, restriction, objection, and portability in respect of any personal data we hold about you (in practice, typically limited to email correspondence). To exercise these rights, contact us at the address below. You also have the right to lodge a complaint with your local supervisory authority.
California notice at collection (CCPA/CPRA)
This section is provided to California residents under the California Consumer Privacy Act, as amended by the CPRA.
Categories of personal information collected in the preceding 12 months. Internet or other electronic network activity information (IP address, user-agent string, request path, timestamp) processed by our CDN when you visit the website; identifiers and correspondence content (your email address and the contents of your email) if you contact us.
Sources. Directly from your device and browser (network metadata); directly from you (email correspondence).
Business purposes. Operating and securing the marketing website, responding to support and privacy inquiries, and complying with law.
Categories disclosed to service providers (CCPA) / processors (GDPR). Network-activity metadata is disclosed to Cloudflare (CDN and security). Email content and identifiers are disclosed to Apple in its role as mailbox host via iCloud Custom Email Domain, and Apple acts as the App Store distributor and merchant of record for purchases.
Sale or sharing. We do not sell or share personal information as those terms are defined by the CCPA/CPRA, and we have not done so in the preceding 12 months. We do not use or disclose sensitive personal information for any purpose that would trigger a right to limit its use.
Retention. We retain email correspondence for up to three (3) years after our last exchange with you unless a longer period is required by law. We do not retain CDN-level request logs ourselves; Cloudflare’s retention is governed by its own policy.
California rights. You have the rights to know, to access, to correct, to delete, to limit use of sensitive personal information, to opt out of sale or sharing (none occurs), and to non-discrimination for exercising your rights. To exercise these rights, contact us at the address below. We do not require a California-specific authorized-agent form; a clear written request is sufficient.
Other US state privacy laws
We extend the substantive rights described above to residents of other US states with comprehensive consumer-privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and Montana (MCDPA). Residents of those states may exercise their applicable rights of access, correction, deletion, portability, and opt-out of targeted advertising or profiling by contacting us at the address below. We do not engage in targeted advertising or in profiling that produces legal or similarly significant effects.
For Washington State residents under the My Health My Data Act (MHMDA): we do not collect, sell, or share consumer health data, and none of the information described in this policy falls within the MHMDA definition of consumer health data.
Do Not Track and Global Privacy Control
Because we do not track users across sites or over time, we take no specific action in response to Do Not Track or Global Privacy Control signals. There is no tracking behavior to disable.
Security and breach notification
We apply commercially reasonable technical and organizational measures appropriate to the limited nature of the information involved in delivering the application. However, no software, storage medium, or network transmission is ever perfectly secure.
In the event of a data breach affecting personal information we control, we will provide notice to affected individuals as required by applicable law, including RCW 19.255 (Washington) and other state breach-notification statutes, and, where applicable, Articles 33 and 34 of the GDPR.
Changes to this policy
We may update this policy from time to time. The “Effective Date” at the top of the page will reflect the most recent revision. For material changes that affect how we handle personal information, we will provide at least thirty (30) days’ advance notice — through the application, on this website, or by email where we have an existing correspondence thread with you. Non-material edits (such as clarifications or address updates) may take effect upon posting.
Relationship to our Terms of Service
These practices are also subject to our Terms of Service, which contain our dispute resolution terms, including binding arbitration and a class-action waiver for US users, as well as disclaimers, warranties, and limitations of liability that apply to your use of the application and the website.
Contact
For privacy questions, contact Another Mad World (the publisher) at [email protected]. Another Mad World is an unincorporated studio based in Washington State, USA; more information about the publisher is available at anothermadworld.com.