Contextpipe — Privacy Policy
0. About this document
Contextpipe is a macOS menu-bar daemon and MCP server that pipes your live local context — terminal output, editor state, browser tabs — into the AI coding tools you already use (Cursor, Claude Code, Codex CLI). The whole point of the product is that your context stays on your machine. This policy explains the narrow set of cases where any data touches us at all.
It pairs with two adjacent documents:
- Security Model — the technical detail: the three (and only three) data-egress paths.
- Terms of Service — the commercial terms.
If this policy conflicts with the Security Model on a technical-fact question, the Security Model controls.
Effective date: 2026-05-28.
1. What we collect
We are deliberately stingy. Here is the complete list.
| Category | What it is | Where it lives | Do we see it? |
|---|---|---|---|
| On-device context | Terminal output, editor/IDE state, browser tabs the daemon is configured to read | Your Mac only (SQLite + FTS5 index, 14-day TTL) | No. Default is zero upload. |
| Waitlist email | The email you type into the launch waitlist form, if you choose to | Cloudflare KV (edge key-value store) | Yes — used only to notify you at launch. |
| Payment data | Card number, billing address, tax info | Held by our Merchant of Record (the payment provider named on your receipt) | No. We never receive or store card numbers. |
| Sync ciphertext | Opaque encrypted blobs, only if you opt into E2EE sync | Cloudflare R2 | We store it but cannot decrypt it (see §3). |
On the marketing site (this website): no analytics, no tracking cookies, no third-party trackers. We do not run Google Analytics, Plausible, Mixpanel, Facebook Pixel, or any equivalent. We are not “privacy-friendly analytics” — we simply have none. Web fonts are served from a GDPR-safe Google Fonts mirror (bunny.net) so even font requests don’t leak to a tracker.
The waitlist email is the only piece of personal data we actively collect.
2. What we don’t do
Stated plainly, because the negatives matter more than the positives here:
- We do not sell your data. Not to advertisers, not to data brokers, not to anyone. We have no such business model.
- We are not a data broker and do not enrich, aggregate, or resell behavioral profiles.
- We do not touch third-party personal data. Contextpipe reads your local context for your AI tools; we are not in the business of processing other people’s PII.
- We do not screen-record, keylog, or take screenshots. The daemon reads structured context (terminal scrollback, editor buffers, tab URLs) through documented OS APIs, never a screen capture.
- We do not proxy your LLM calls. With BYOK (bring-your-own-key), your IDE talks directly to your chosen provider (OpenAI, Anthropic, Ollama, …). We never see your prompts, responses, or API keys.
3. End-to-end encrypted sync (opt-in, off by default)
Cross-device sync is a paid, opt-in feature and is off unless you turn it on. When enabled:
- Your context is encrypted on your Mac before anything leaves it.
- The master key never leaves your device — it lives in your Apple Keychain. We never receive it.
- Our sync server stores only opaque ciphertext blobs. We cannot decrypt them, and neither can anyone we’d be compelled to hand them to.
- Disabling sync returns you to the same zero-upload state as the free, local-only mode.
For the cryptographic specifics — and what we’d do if served a subpoena — see the Security Model.
4. Your rights
We honor data-subject rights in the spirit of applicable data-protection laws regardless of where you live, and aim to respond to any request within 30 days.
- Access — Ask what we hold for you (realistically: a waitlist email and/or undecryptable sync blobs). Email [email protected].
- Deletion —
- Local context: run
ctxpipe nuketo wipe everything on your Mac immediately. - Cloud sync blobs: run
ctxpipe sync disable --delete-cloudto delete your blobs from our storage, or email us. - Waitlist email: email [email protected] and we’ll remove it.
- Local context: run
- Export / portability — Your local data is already yours, in a plain SQLite file on your machine. We’ll help you export anything else on request.
- Objection / withdrawal of consent — Disable sync, leave the waitlist, or stop using the daemon at any time. There’s nothing to “opt out” of on the marketing site because there’s no tracking to begin with.
5. Sub-processors
The short list of third parties that may handle data on our behalf:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Cloudflare | Site hosting (Pages), object storage (R2), edge key-value (KV) | Marketing site delivery, waitlist email, opaque sync ciphertext |
| Our Merchant of Record (the payment provider named on your receipt) | Payment processing | Card and billing data — handled entirely by the provider; we never store card numbers |
| Apple iCloud / CloudKit | Optional device-to-device sync transport (only if you enable it) | Opaque encrypted blobs — Apple cannot decrypt them either |
We will update this list before adding any new sub-processor that handles personal data.
6. Data retention
- Local context — purged from your Mac on a rolling 14-day TTL; you can clear it instantly with
ctxpipe nuke. - Cloud sync blobs — retained only while you keep sync enabled; you control them and can delete them via
ctxpipe sync disable --delete-cloud. - Sync server operational logs (timestamps, blob sizes, IPs, device IDs — never contents) — retained 30 days for abuse and incident response, then deleted.
- Waitlist email — kept only until launch notifications go out, then purged from Cloudflare KV.
7. International data transfers
Data controller. The controller responsible for your personal data is Beijing Bidi Technology Corp. LTD. (“the Company”). Its registered office and postal address are available on request at [email protected].
Where your data is processed. Contextpipe is local-first: in the default mode your context never leaves your Mac. The limited data that does reach us — your waitlist email, billing data handled by our Merchant of Record, and opaque end-to-end-encrypted sync blobs — is processed on the infrastructure of the sub-processors listed in §5, primarily Cloudflare’s global network. Your data may therefore be transferred to and processed in countries other than your own. Where personal data crosses borders, we rely on appropriate safeguards together with the technical measures in the Security Model — notably end-to-end encryption of all sync data, which keeps sync contents unreadable to us in any country.
We process personal data in line with applicable data-protection laws. You may exercise your rights, or raise any concern, at [email protected], and you always have the right to lodge a complaint with your local data-protection authority.
8. Contact
Privacy questions, data-subject requests, and deletion requests: [email protected].
For the technical security model see /security; for commercial terms (refunds, licensing, taxes) see /terms and the Refund Policy.