Privacy policy
cleaner is a desktop app + Chrome extension that automates blackjack sessions on supported online casinos. This page covers what data we collect, how we use it, and what we don’t do with it. It applies to the cleaner desktop app, the cleaner Chrome extension, and cleaner.bet.
What we collect
We collect the minimum needed to make multi-device pairing, credential transport, and cross-device session history work:
- Account info. Email and password hash (handled by Supabase Auth).
- Device identity. A client-generated UUID per install, plus a user-editable device label (e.g. “Brody’s MBP”), the OS family, and the cleaner app version. Used to route credentials to the right device.
- Public keys. An ECDH P-256 public key per device, used for end-to-end encryption. The matching private key never leaves the device.
- Last-seen timestamps. Updated periodically while a device is online so the /account page can show which devices are reachable.
- Pairing pointer. The device_id of the cleaner desktop install this Chrome extension routes credentials to. Set by the user.
- Session summary records (signed-in users only). When you sign in, cleaner mirrors per-session summaries to Supabase so the /account page can aggregate your activity across devices. Each row stores: casino, category (blackjack or grinding), start/end timestamps, rounds, wager total, won total, P/L, RTP, hands-per-minute, start and end balance, app version. No card-by-card detail and no casino credentials. Signed-out users keep all session history on the local install only.
What we don't collect
- Casino credentials. The Chrome extension captures session tokens from casino sites, encrypts them immediately for the user’s paired desktop, and discards them. They are never persisted on extension storage and are never sent to cleaner servers in plaintext.
- Browsing history. The webRequest permission is used in observe-only mode on a strict allowlist of casino API hosts. We do not read or log requests to other sites.
- Per-hand gameplay detail. Card-by-card outcomes, dealer hands, the moment-by-moment trail, and individual hand events stay on the cleaner desktop install’s local storage. Only the per-session summary (above) is uploaded, and only when you’re signed in.
- Analytics. No third-party analytics, advertising SDKs, or fingerprinting libraries ship in the extension or desktop app.
The universal speed hack
The extension includes an opt-in feature that can speed up HTML5 games in any tab you enable it on. Because it can run on any URL you point it at, the extension declares <all_urls> in its manifest. Important:
- The speed hack only activates on a tab when you explicitly toggle it on for that tab. It does not run by default.
- Even when active, the speed hack only adjusts in-page timers. It does not read page contents, form input, or network responses, and it does not send anything to cleaner or Supabase.
- The credential-capture sniffers are scoped to a strict allowlist of casino API hosts. They do not run on arbitrary pages even when <all_urls> is declared.
How credentials flow
When the user starts a blackjack session in cleaner desktop:
- The desktop publishes a credential-request event on the paired Chrome extension’s private Supabase Realtime channel.
- The extension opens the relevant casino site in a background tab.
- The extension’s sniffer reads the URL or Authorization header of the credential-carrying request, encrypts the value with AES-256-GCM under a key derived via ECDH from the desktop’s public key, and publishes the ciphertext back over Supabase Realtime.
- The desktop decrypts the envelope and uses the credential locally to start the session. The extension does not persist the captured value: it is held in memory only for the duration of the request and discarded once the ciphertext leaves the device.
Plaintext credentials are never visible to cleaner servers, Supabase, or any other party.
Third parties
- Supabase — authentication, account storage, Realtime broadcast transport, public-key registry. Supabase processes the data described above as a sub-processor.
- Vercel — hosts cleaner.bet. Standard edge logs may include IP addresses of visitors to public pages.
Your controls
- Remove a device. Visit cleaner.bet/account and click “Remove” on any device row. The device’s public key is wiped server-side and the local install can no longer decrypt traffic addressed to it.
- Unpair the extension. Open the cleaner extension popup and click “Unpair.”
- Delete your account. Email hello@cleaner.bet — accounts and all associated data are deleted within 30 days.
Contact
Questions or requests: hello@cleaner.bet.