Privacy
This page covers exactly what data CommandLatch stores, where it lives, why it’s there, and how to delete it. Read it alongside the Security & trust model.
1. What’s stored in the backend
Section titled “1. What’s stored in the backend”CommandLatch’s backend runs on Supabase (a hosted Postgres database + authentication service). Everything below is scoped to your account and protected by Row-Level Security — no other user can read it (see the security model §4–5).
| Data | What it is | Why it’s stored | Retained until |
|---|---|---|---|
| Your email | The address you sign in with | Sign-in (a one-tap magic link — there is no password) and to own your devices | You delete your account |
| Devices | A name, platform, app version, last-seen time, and live status (e.g. keep-awake / pending-lock state) for each paired Mac | So you can see and target your machines | You remove the device or delete your account |
| Device token | The credential the menu-bar app and CLI use | To authorize that one Mac | Stored hashed, not in plaintext; removed when you unpair / remove the device |
| Command history | Each command you’ve sent: the action, what triggered it, its result, and the payload | Powers your activity log and lets the menu-bar app run and de-duplicate commands | You remove the device or delete your account (commands are tied to the device) |
| Shortcut & webhook tokens | Per-shortcut / per-webhook credentials, each scoped to one device + one action | So Siri shortcuts and webhooks can fire | You delete the shortcut / webhook |
| Pairing codes | Short-lived 6-digit codes during setup | To link a Mac to your account | They expire shortly after pairing |
A note on command payloads. Most actions carry no content — a “lock” command is just the action. The exception is notifications: if you send a notification, the title and body text you typed are stored in that command row, the same as any other command payload, so the menu-bar app can display it. Don’t put secrets in a notification you wouldn’t want stored.
2. What’s stored on your Mac
Section titled “2. What’s stored on your Mac”The menu-bar app keeps a small amount of local state, stored privately under
your user account in ~/Library/Application Support/com.commandlatch.desktop/
and ~/.commandlatch/ (the optional CLI config).
This includes the pairing record (how the app authenticates to the backend), a local activity log of recent actions, your preferences, and the CLI config if you installed the command-line tool. See the security model §5 for notes on how the device token is stored locally.
The diagnostics export (menu-bar Diagnostics) produces a file for attaching to a support request. It includes your app version, OS, system checks, and recent activity — but never your account credentials or keys. It’s created only when you ask for it and is never uploaded automatically.
3. Analytics, and what we don’t collect
Section titled “3. Analytics, and what we don’t collect”CommandLatch collects anonymous usage analytics to understand how the product is used and where to improve it, via PostHog on EU-hosted infrastructure.
- What’s measured. Coarse product and website usage — page views on the website and docs; sign-ins; pairing a device; the type and source of the commands you send (for example, a “lock” sent from the app versus Siri) and whether they ran — never their content; keep-awake sessions; the subscription and billing lifecycle (trial started, subscribed, canceled, payment failed); support submissions; and app launches — along with your app version, OS, and CPU type.
- Account vs. anonymous. When you’re signed in to the web dashboard or the iOS app — and for events our backend records, such as commands, billing, and support tickets — usage is associated with your account (your account id, and your email as a profile attribute). The macOS app’s own events are instead tied to a random per-install id generated on your Mac — never your account, email, device name, or any command content.
- You can turn it off. In the macOS app, open Settings → Privacy and switch off Share anonymous usage analytics; it then sends nothing. On the website and dashboard, we honor your browser’s Global Privacy Control and Do Not Track signals — turn either on and we send nothing.
- Never collected via analytics: your command content, notification text, tokens, keystrokes, screen, files, or location.
Beyond analytics, regardless of the setting above:
- No advertising and no data sales. Your data is never sold, rented, or shared with advertisers or other users.
- No location, contacts, browsing, keystrokes, screen, or file contents. CommandLatch can’t access these in the first place (see the security model §3).
- No background uploads of your content. The only things that leave your Mac are the command-polling traffic to the backend, the anonymous app analytics above, and any diagnostics bundle you choose to attach to a report.
4. Who can see your data
Section titled “4. Who can see your data”- You — through the dashboard and on your own Mac.
- The backend operator — like any hosted service, whoever operates the Supabase backend has database-level access for support and maintenance. Cross-user reads through the application are blocked by Row-Level Security; the operator is trusted at the infrastructure level.
- Not other users. Another CommandLatch account cannot read your devices, commands, or tokens, and cannot send commands to your Mac. This is enforced in the database and covered by an automated two-account isolation test.
5. Third-party services
Section titled “5. Third-party services”CommandLatch relies on a few infrastructure providers, each governed by its own privacy policy:
| Provider | Role | Data it handles |
|---|---|---|
| Supabase | Backend database + authentication | Everything in §1 |
| Vercel | Hosts the web dashboard and marketing site | Standard web request logs |
| PostHog (EU) | Product & website analytics | Anonymous usage events and page views; for signed-in / backend events, your account id and email, the type and source of commands you send (never their content), pairing, and billing lifecycle |
| Email delivery (via Supabase) | Sends your sign-in magic links | Your email address |
| Apple | Notarizes the macOS app for Gatekeeper | App binary only — no personal data |
CommandLatch does not send your data to any other third party.
6. Accessing and deleting your data
Section titled “6. Accessing and deleting your data”You are in control of all of it:
- See it — the dashboard shows your devices, command history, and tokens; the data on your Mac is in the folders listed in §2.
- Delete a credential — delete a shortcut or webhook, or remove a device, in the dashboard. Removing a device also removes its command history.
- Delete everything locally — follow Uninstall, which removes the app, the CLI, all local files, and revokes device access.
- Delete your account and all backend data — email
privacy@commandlatch.appto request account deletion. This removes your email, devices, commands, and tokens from our systems.
7. Children
Section titled “7. Children”CommandLatch is not directed at children under 13. We don’t knowingly collect data from children.
8. Changes to this policy
Section titled “8. Changes to this policy”If this policy changes materially, the updated version will be published here and noted in our changelog. The version published here at any time is the current policy.
9. Contact
Section titled “9. Contact”Questions about privacy or data deletion:
- Email
privacy@commandlatch.app
For security-specific reports, see the security model §8.
See also
Section titled “See also”- Security & trust model — what can and can’t run, how tokens work, how to disable remote control.
- Known limitations — what CommandLatch can and can’t do.
- Get started — install, pair, and use.