Open BurnBar
GitHub Download
Privacy & trust

By default, OpenBurnBar collects nothing.

All processing happens on your device. No telemetry, no analytics, no crash reports leave the device unless you explicitly opt in. Every opt-in is a separate switch and behaves like one.

Three trust zones

Where your data actually lives.

OpenBurnBar's data flow is a few concentric rings. Zone A is your Mac. Zone B is your Apple ID, on Apple's infrastructure. Zone C is OpenBurnBar's Firebase and Google Cloud, behind sign-in and App Check attestation.

OpenBurnBar privacy and data-flow architecture Three concentric trust zones: Zone A is your Mac with the local app, daemon, Keychain, SQLite, and editor extension — all data stays here by default. Zone B is opt-in Apple iCloud, your Apple ID, separate from OpenBurnBar's servers. Zone C is opt-in Firebase plus Google Cloud, operated by OpenBurnBar, requiring sign-in plus App Check attestation. Secrets never traverse default-tier arrows — only metadata, redacted labels, and ciphertext do. ZONE A · YOUR MAC Single-user. Canonical. Works offline. macOS App Menu bar · Dashboard Hermes panel Local Daemon launchd · UNIX socket JSON-RPC · gateway macOS Keychain Provider keys, SQLCipher key Local SQLite Usage · sessions · retrieval Cursor / VS Code Activity bar panel openburnbar CLI health · controller · missions On-disk agent logs (read-only) ~/.claude/projects/ · ~/.codex/sessions/ ~/.factory/sessions/ · ~/forge/.forge.db · ~/.aider/ ZONE B · iCLOUD Opt-in · your Apple ID iCloud session mirror iCloud.com.openburnbar.app Copies of selected session log files ZONE C · FIREBASE + GCP Opt-in · OpenBurnBar-operated · gated by Auth + App Check Firebase Auth Apple · Google Firestore Owner-scoped · App Check Cloud Run Hermes relay Secret Manager Hosted provider secrets Cloud Functions JWS verify · entitlements Cloud Run Quota runner opt-in session mirror metadata · ciphertext only AUTH · APP CHECK
Zone A · Your Mac

Canonical. Works offline.

  • Local SQLite at ~/Library/Application Support/OpenBurnBar/OpenBurnBar.sqlite
  • Local daemon over a UNIX socket, auth-token-gated
  • macOS Keychain for any provider keys you supply, scoped kSecAttrAccessibleWhenUnlockedThisDeviceOnly
  • Read-only agent logs in ~/.claude/, ~/.codex/, ~/.factory/ and more
  • Editor extension & CLI connect to the same socket

Disabling sync entirely does not affect local data. The full product keeps working.

Zone B · Apple iCloud

Opt-in · your Apple ID.

  • Session-log mirror copies selected local session files into iCloud.com.openburnbar.app
  • Mirrored files can contain prompts, assistant responses, file paths, and code snippets — they are copies of the originals
  • Uses your Apple ID, not OpenBurnBar's servers
  • Delete files from iCloud Drive to remove them
Zone C · Firebase & GCP

Opt-in · OpenBurnBar-operated.

  • Firebase Auth handles Apple / Google sign-in
  • Firestore stores usage rows, quota snapshots, chat thread metadata, sync watermarks. Owner-scoped rules. App Check enforced
  • Google Cloud Secret Manager holds hosted-quota provider secrets when used. Firestore only carries a redacted label
  • Cloud Functions verify Apple JWS against pinned root CAs and reconcile entitlements against the App Store Server API
  • Cloud Run · runtime-gated relay encryption routes frames between your own devices. We claim relay and hosted-gateway content sealing only for paired E2EE paths after the runtime-readiness gate is complete; routing metadata, public keys, coarse tool labels, thread ids, attachment ids, and delivery state remain visible to the service.
  • Owner-scoped, secret-field-name-denied — Firestore rules reject documents with field names like apiKey, token, cookie, credential
What we can & can't see

Every kind of data, sorted by who can read it.

A plain map of everything BurnBar keeps for you. It's built from the data-domain registry our apps consume, so the page and registry cannot quietly drift apart.

How the license and the seal back this up → the trust page

End-to-end

Only you can read these

Sealed on your device. Our servers never see the content or the key.

  • Conversations & Chat

    Assistant chats, CLI agent transcripts, mobile mission prompts/results, saved text snippets, rollback scope/diagnostics, approval rules, agent personas, subscription graph edges, and conversation recall metadata are sealed on-device before Firestore receives them.

  • Searchable Session Logs

    Full conversation bodies + the encrypted search index + project memory. Sealed on-device; the server holds only ciphertext, aggregate cockpit facets, and opaque search/integrity hashes.

    The keyword search index is deterministic — repeated and co-occurring search terms produce stable keyed digests, so the server can learn which terms recur and appear together across your logs (the search structure), and the integrity hashes can confirm a guessed body or chunk; every title, snippet, body, and path stays sealed and unreadable.

  • Pensieve Knowledge

    Your private semantic memory: repo docs, notes, and chat-derived memories your agents recall. Text is sealed on-device; hosted ANN recall is an explicit opt-in over cloaked vectors and opaque keyed hashes. Approved chat memories replicate only as sealed fact envelopes plus opaque source hashes and forget receipts. Those structures still reveal structural signals such as vector geometry, recurrence/co-occurrence patterns, counts, and access timing. Use local-only recall for sensitive memories when available.

    A connected repo stores only an opaque keyed match token plus a sealed repo name — the cleartext repo name is observed transiently server-side only to route an inbound GitHub push webhook, never stored.

    How the cloak works

  • Device Trust & Vault Keys

    Which devices are trusted to decrypt your data, and the wrapped vault keys that make end-to-end encryption possible. The crux of the whole E2EE model.

Zero-access

Locked — we keep only the sealed copy

Sealed envelopes. Our servers hold ciphertext, not content — the key stays under your device trust.

  • Agent Control & Escrow

    Computer-use (Agent Control) sessions and their tamper-evident escrow audit trail.

  • Media

    Files, screen, and video relayed between your Mac and phones (Floo media).

    An attachment manifest records only an opaque content hash, mime type, byte size, an opaque per-peer device-id hash, direction, and timestamps — the human-readable file name is sealed on-device (sealedFilename) and never readable by the server.

Server-readable

We can read these

Operational metadata, stored as readable text — our servers can read this.

  • Usage & Spend

    Per-session token counts, cost estimates, and provider/model/device telemetry. Project names and budget labels are sealed on-device; the server groups spend only by opaque per-project hashes.

  • Provider Accounts

    Connected AI provider accounts. Labels + status only — the actual credentials live in Google Cloud Secret Manager, never in your data tree.

  • Connected Devices & Pairings

    Your paired Macs, phones, and relays and which can talk to your account.

    Paired relay and hosted-gateway frame contents are only claimed as sealed after paired E2EE is enabled and the runtime-readiness gate is complete; relay routing metadata, public keys, coarse tool labels, thread ids, attachment ids, and delivery state remain visible. The per-agent subscription graph is cloaked behind opaque keyed doc ids.

  • External Agent Access (MCP)

    Coding agents you've granted hosted-MCP access to, the scopes they hold, and their access audit trail.

  • Plan & Billing

    Your subscription entitlements (Cloud Pro, Ultra) and their change history.

  • Access Audit Timeline

    A unified, tamper-evident log of who/what accessed your data, when — across every device, agent, and grant.

The hard part, in plain words

How the Pensieve cloak works.

Your notes are sealed on your own devices. To find the right one for your agent, our server works with a scrambled version of each note's “shape” — never the words.

What it hides

  • The words. Your notes stay sealed. The server only ever touches scrambled math, not text.
  • The exact copy. The same note looks different on every account, so we can't match it across people by an exact copy.

What it can still tell

  • The shape. It can see which of your notes are alike — clusters and near-duplicates — but never what any of them say.
  • A rough match. Across accounts, a near-identical note still scores about 0.77 similar — so we could guess two people saved something alike, never what it was.

We treat that as a known, written-down trade-off. Your content stays private; only the shape can leak — and we say so out loud.

Read the full analysis
What's never collected

The promises in plain English.

  • No telemetry by default. No analytics. No crash reports unless you turn on Sentry diagnostics.
  • No API keys read for local-only usage tracking. Local tracking reads usage logs, not credentials.
  • No conversation content uploaded unless you enable chat backup. The default Firestore sync is metadata only — usage row summaries, thread IDs, sync watermarks.
  • No payment data on our servers. The App Store handles billing; we never see card numbers.
  • No data from other apps, ever — explicitly not collected.
  • No PII beyond Apple/Google sign-in attributes. Even those are only used to scope your private Firestore tree.
Every opt-in

Toggle anything. Cancel anything.

  • Firebase sync

    Off by default. Enable in Settings → Account. Even when on, only metadata syncs unless you separately enable Chat backup, Conversation metadata backup, or Session-log sync.

  • iCloud session-log mirror

    Off by default. Uses your Apple ID and iCloud Drive; deletions in iCloud Drive remove the data. Conflict copies are possible — iCloud owns sync semantics.

  • Hosted provider credentials

    Off by default. When used, the secret value is encrypted and stored in Google Cloud Secret Manager; Firestore stores only the redacted label. Remove the account in OpenBurnBar to delete it.

  • Hermes Remote Relay (paid)

    Off by default; paid entitlement required to activate. Content sealing is claimed only for paired E2EE paths after the runtime-readiness gate is complete. In that mode the relay/gateway routes encrypted content, while routing metadata, public keys, coarse tool labels, thread ids, attachment ids, and delivery state remain visible.

  • Sentry diagnostics

    Off by default. When on, anonymized crash reports are sent to Sentry. User identifier is a SHA seed derived from bundle id and full user name — not direct PII.

Delete it all

Several ways out, all of them yours.

  • Local data — delete the app and ~/Library/Application Support/OpenBurnBar/.
  • Cloud data — sign out and choose Delete my data in Settings → Account.
  • Hosted credentials — remove the provider account from OpenBurnBar.
  • iCloud mirrored files — delete from iCloud.com.openburnbar.app in iCloud Drive.
  • Subscription — managed by Apple in Settings → Apple ID.

Privacy controller: Imagine That AI LLC.
For privacy questions, write to privacy@imagine-that.ai.

Read it in code, not just in copy.

Every promise on this page points at a file you can read — the threat model, the Firestore rules, the JWS verifier.

See every data domain docs/PRIVACY.md docs/THREAT_MODEL.md firestore.rules