Privacy policy
What we touch. What stays yours.
Architectural, not a promise. The agent runs on your machine; we are not on the network path.
0 Customer code on our infra
0 AI prompts on our infra
0 Telemetry by default
1 Sub-processor (Cloudflare delivery)
What we touch
The very short list.
License checks
Bearer token + device fingerprint. No prompts, no code.
Update manifest
Periodic signed-manifest fetch. Blockable in air-gap.
Sync ciphertext
Pro+ opt-in. We see ciphertext + license id only.
Crash reports
Teams+ opt-in. PII-redacted. Off by default.
What we don't
By architecture, not by promise.
Source code
Local-only. AI calls go direct to your provider.
Prompts
Same. Direct provider call. We can't see them.
API keys
0600 file. Never keychain. Never logged. Never synced.
Audit log
Local. Pro+ exports on demand — never auto-syncs.
Files read
Read locally. Secret-screen blocks .env/.ssh/credentials.
Telemetry
Off by default. Even when on, no prompt content sent.