~/landing.sh ~/security.md ~/terms.md ~/privacy.md
zsh · 132×48

$ cat privacy.md # pre-launch draft

Contextpipe — Privacy Policy

0. About this document

Contextpipe is a macOS menu-bar daemon and MCP server that pipes your live local context — terminal output, editor state, browser tabs — into the AI coding tools you already use (Cursor, Claude Code, Codex CLI). The whole point of the product is that your context stays on your machine. This policy explains the narrow set of cases where any data touches us at all.

It pairs with two adjacent documents:

  • Security Model — the technical detail: the three (and only three) data-egress paths.
  • Terms of Service — the commercial terms.

If this policy conflicts with the Security Model on a technical-fact question, the Security Model controls.

Effective date: 2026-05-28.


1. What we collect

We are deliberately stingy. Here is the complete list.

CategoryWhat it isWhere it livesDo we see it?
On-device contextTerminal output, editor/IDE state, browser tabs the daemon is configured to readYour Mac only (SQLite + FTS5 index, 14-day TTL)No. Default is zero upload.
Waitlist emailThe email you type into the launch waitlist form, if you choose toCloudflare KV (edge key-value store)Yes — used only to notify you at launch.
Payment dataCard number, billing address, tax infoHeld by our Merchant of Record (the payment provider named on your receipt)No. We never receive or store card numbers.
Sync ciphertextOpaque encrypted blobs, only if you opt into E2EE syncCloudflare R2We store it but cannot decrypt it (see §3).

On the marketing site (this website): no analytics, no tracking cookies, no third-party trackers. We do not run Google Analytics, Plausible, Mixpanel, Facebook Pixel, or any equivalent. We are not “privacy-friendly analytics” — we simply have none. Web fonts are served from a GDPR-safe Google Fonts mirror (bunny.net) so even font requests don’t leak to a tracker.

The waitlist email is the only piece of personal data we actively collect.


2. What we don’t do

Stated plainly, because the negatives matter more than the positives here:

  • We do not sell your data. Not to advertisers, not to data brokers, not to anyone. We have no such business model.
  • We are not a data broker and do not enrich, aggregate, or resell behavioral profiles.
  • We do not touch third-party personal data. Contextpipe reads your local context for your AI tools; we are not in the business of processing other people’s PII.
  • We do not screen-record, keylog, or take screenshots. The daemon reads structured context (terminal scrollback, editor buffers, tab URLs) through documented OS APIs, never a screen capture.
  • We do not proxy your LLM calls. With BYOK (bring-your-own-key), your IDE talks directly to your chosen provider (OpenAI, Anthropic, Ollama, …). We never see your prompts, responses, or API keys.

3. End-to-end encrypted sync (opt-in, off by default)

Cross-device sync is a paid, opt-in feature and is off unless you turn it on. When enabled:

  • Your context is encrypted on your Mac before anything leaves it.
  • The master key never leaves your device — it lives in your Apple Keychain. We never receive it.
  • Our sync server stores only opaque ciphertext blobs. We cannot decrypt them, and neither can anyone we’d be compelled to hand them to.
  • Disabling sync returns you to the same zero-upload state as the free, local-only mode.

For the cryptographic specifics — and what we’d do if served a subpoena — see the Security Model.


4. Your rights

We honor data-subject rights in the spirit of applicable data-protection laws regardless of where you live, and aim to respond to any request within 30 days.

  • Access — Ask what we hold for you (realistically: a waitlist email and/or undecryptable sync blobs). Email [email protected].
  • Deletion —
    • Local context: run ctxpipe nuke to wipe everything on your Mac immediately.
    • Cloud sync blobs: run ctxpipe sync disable --delete-cloud to delete your blobs from our storage, or email us.
    • Waitlist email: email [email protected] and we’ll remove it.
  • Export / portability — Your local data is already yours, in a plain SQLite file on your machine. We’ll help you export anything else on request.
  • Objection / withdrawal of consent — Disable sync, leave the waitlist, or stop using the daemon at any time. There’s nothing to “opt out” of on the marketing site because there’s no tracking to begin with.

5. Sub-processors

The short list of third parties that may handle data on our behalf:

Sub-processorPurposeData involved
CloudflareSite hosting (Pages), object storage (R2), edge key-value (KV)Marketing site delivery, waitlist email, opaque sync ciphertext
Our Merchant of Record (the payment provider named on your receipt)Payment processingCard and billing data — handled entirely by the provider; we never store card numbers
Apple iCloud / CloudKitOptional device-to-device sync transport (only if you enable it)Opaque encrypted blobs — Apple cannot decrypt them either

We will update this list before adding any new sub-processor that handles personal data.


6. Data retention

  • Local context — purged from your Mac on a rolling 14-day TTL; you can clear it instantly with ctxpipe nuke.
  • Cloud sync blobs — retained only while you keep sync enabled; you control them and can delete them via ctxpipe sync disable --delete-cloud.
  • Sync server operational logs (timestamps, blob sizes, IPs, device IDs — never contents) — retained 30 days for abuse and incident response, then deleted.
  • Waitlist email — kept only until launch notifications go out, then purged from Cloudflare KV.

7. International data transfers

Data controller. The controller responsible for your personal data is Beijing Bidi Technology Corp. LTD. (“the Company”). Its registered office and postal address are available on request at [email protected].

Where your data is processed. Contextpipe is local-first: in the default mode your context never leaves your Mac. The limited data that does reach us — your waitlist email, billing data handled by our Merchant of Record, and opaque end-to-end-encrypted sync blobs — is processed on the infrastructure of the sub-processors listed in §5, primarily Cloudflare’s global network. Your data may therefore be transferred to and processed in countries other than your own. Where personal data crosses borders, we rely on appropriate safeguards together with the technical measures in the Security Model — notably end-to-end encryption of all sync data, which keeps sync contents unreadable to us in any country.

We process personal data in line with applicable data-protection laws. You may exercise your rights, or raise any concern, at [email protected], and you always have the right to lodge a complaint with your local data-protection authority.


8. Contact

Privacy questions, data-subject requests, and deletion requests: [email protected].

For the technical security model see /security; for commercial terms (refunds, licensing, taxes) see /terms and the Refund Policy.

$ cat .footer

# Product
./download (coming soon) ./pricing ./changelog (coming soon) ./roadmap (coming soon)
# Resources
./security ./terms ./api (coming soon) ./mcp (coming soon)
# Company
./about (coming soon) ./discord (coming soon) ./x (coming soon) ./github (coming soon) ./contact
# Legal
./security ./terms ./privacy ./refund AGPL-3.0 daemon MIT SDK
$ # Made with Contextpipe · Built by founder · Coming soon
$