Privacy Policy

Your Data, Your Control

AFK encrypts terminal input and output between your computer and mobile app. Our relay handles routing metadata, but it does not receive terminal plaintext.

Effective date: April 1, 2026
Operated by: Thaker Innovations Pvt. Ltd.

What We Collect

Account Data

  • Email address — used for passwordless magic link authentication
  • User ID — a randomly generated UUID, not derived from personal information
  • Timestamps — when your account was created and when you last logged in

Session Metadata

When you start a terminal session, we store routing metadata so your mobile device can connect. This includes:

  • Machine hostname, shell command name, and working directory
  • Connection timestamps and heartbeats
  • Session title and activity state

This is routing metadata. Your terminal input and output are end-to-end encrypted and not readable by the AFK relay in plaintext.

Device Information

  • Push notification tokens — so we can notify you when a session needs attention
  • Platform and app version — iOS or Android, which version you're running
  • OS version and device model — for analytics and crash diagnostics

Usage Metrics

We collect aggregate usage counts to monitor service health and enforce plan limits. These are numbers only — never content.

  • Bytes sent and received (counts, not content)
  • Number of commands executed (count only, not what was executed)
  • Connection latency, reconnection count, session duration
  • Voice command count

Subscription & Billing

If you subscribe to a paid plan, we store purchase tokens, order IDs, and product IDs from the app store (Apple or Google) to verify and manage your subscription. We do not process or store credit card numbers — all payment is handled by the app stores.

User-Submitted Content

If you choose to submit a bug report or app rating, we store what you provide: title, description, category, and rating. Bug reports may be used to create issues in our internal tracker.

What We Do NOT Collect

  • Terminal content — terminal input and output are end-to-end encrypted (X25519 + AES-256-GCM). The AFK relay routes encrypted bytes without receiving terminal plaintext.
  • Passwords, SSH keys, or credentials — AFK does not ask for these directly. If you type sensitive data into the terminal, it is part of the E2EE terminal stream and is not readable by the AFK relay in plaintext.
  • IP addresses as account data — network infrastructure may process IP addresses to deliver the service and prevent abuse, but we do not treat IP addresses as terminal content or store them with your terminal sessions.
  • Direct file uploads — AFK does not separately upload files from your filesystem. If a command prints file contents to the terminal, that output is part of the E2EE terminal stream.

Third-Party Services

We use a small number of third-party services to operate AFK. Here's exactly what each one receives:

Resend

Receives your email address to deliver magic link authentication emails. No other data is shared.

Amplitude

Receives anonymous product analytics: a locally-generated device ID, event types (e.g. "app_opened"), platform, app version, OS version, and device model. Your user ID is sent as a SHA-256 hash, not in plaintext. Data is sent to Amplitude's EU endpoint.

Apple Push Notification Service

Receives push notification tokens and notification content (title, subtitle, body) to deliver alerts to your iOS device.

Firebase Crashlytics

Receives crash reports from the iOS and Android apps, including exception data and your user ID, to help us diagnose and fix bugs.

Grafana Cloud

Receives infrastructure telemetry traces (service name, version, performance spans) for system monitoring. No personal data or terminal content is included.

Google Play / App Store

Purchase tokens are exchanged with the app stores to verify and manage subscriptions. All payment processing is handled entirely by the stores.

Data Retention

  • Magic link tokens: 15 minutes
  • Access tokens: 1 hour
  • Analytics tokens: 30 days
  • Terminal session data in Redis: 1 hour (encrypted, auto-expires)
  • Account data: Until you delete your account
  • Usage metrics: Retained for service operation
  • Push notification tokens: Until unregistered or invalidated

How Your Data Is Protected

End-to-End Encryption

Terminal input and output are encrypted on your device using X25519 key exchange and AES-256-GCM before being sent through the AFK relay. The relay routes encrypted bytes between your CLI and mobile app without receiving terminal plaintext.

Context Isolation

As a second layer, our backend encrypts session data in Redis with per-user keys (ChaCha20-Poly1305) to prevent cross-user data leakage from routing bugs. This means your sessions are cryptographically isolated from every other user.

Secure Local Storage

Authentication tokens are stored in your platform's secure storage — iOS Keychain and Android Keystore with AES-256-GCM encryption. They never touch plaintext disk storage.

Mobile App Permissions

AFK requests only the permissions it needs:

Camera

Used to scan QR codes for device pairing. Not used for any other purpose.

Microphone

Used for voice commands to interact with your terminal sessions. Audio is not recorded or stored.

Notifications

Used to alert you when a terminal session needs your attention (e.g. a prompt waiting for approval).

Your Rights

  • Access — request a copy of the data we hold about you
  • Correction — ask us to correct inaccurate data
  • Deletion — request that we delete your account and associated data
  • Portability — receive your data in a portable format

To exercise any of these rights, reach out via our support page.

Children's Privacy

AFK is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please reach out via our support page and we will delete it.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you via email or an in-app notice. The "effective date" at the top of this page will always reflect the latest revision.

Contact

Questions about this policy? Reach out via our support page.