Privacy Policy

Your Data, Your Control

AFK is built on a zero-knowledge architecture. We can't read your terminal data — not because we promise not to, but because it's mathematically impossible.

Effective date: April 1, 2026
Operated by: Thaker Innovations Pvt. Ltd.

What We Collect

Account Data

  • Email address — used for passwordless magic link authentication
  • User ID — a randomly generated UUID, not derived from personal information
  • Timestamps — when your account was created and when you last logged in

Session Metadata

When you start a terminal session, we store routing metadata so your mobile device can connect. This includes:

  • Machine hostname, shell command name, and working directory
  • Connection timestamps and heartbeats
  • Session title and activity state

This is metadata only. Your actual terminal input and output are end-to-end encrypted and never readable by our servers.

Device Information

  • Push notification tokens — so we can notify you when a session needs attention
  • Platform and app version — iOS or Android, which version you're running
  • OS version and device model — for analytics and crash diagnostics

Usage Metrics

We collect aggregate usage counts to monitor service health and enforce plan limits. These are numbers only — never content.

  • Bytes sent and received (counts, not content)
  • Number of commands executed (count only, not what was executed)
  • Connection latency, reconnection count, session duration
  • Voice command count

Subscription & Billing

If you subscribe to a paid plan, we store purchase tokens, order IDs, and product IDs from the app store (Apple or Google) to verify and manage your subscription. We do not process or store credit card numbers — all payment is handled by the app stores.

User-Submitted Content

If you choose to submit a bug report or app rating, we store what you provide: title, description, category, and rating. Bug reports may be used to create issues in our internal tracker.

What We Do NOT Collect

  • Terminal content — all input and output are end-to-end encrypted (X25519 + AES-256-GCM). Our servers relay encrypted bytes they cannot decrypt.
  • Passwords, SSH keys, or credentials — we never see them, even transiently.
  • IP addresses — used transiently for rate limiting, never stored in our database.
  • File contents — nothing from your filesystem is ever transmitted.

Third-Party Services

We use a small number of third-party services to operate AFK. Here's exactly what each one receives:

Resend

Receives your email address to deliver magic link authentication emails. No other data is shared.

Amplitude

Receives anonymous product analytics: a locally-generated device ID, event types (e.g. "app_opened"), platform, app version, OS version, and device model. Your user ID is sent as a SHA-256 hash, not in plaintext. Data is sent to Amplitude's EU endpoint.

Apple Push Notification Service

Receives push notification tokens and notification content (title, subtitle, body) to deliver alerts to your iOS device.

Firebase Crashlytics

Receives crash reports from the iOS and Android apps, including exception data and your user ID, to help us diagnose and fix bugs.

Grafana Cloud

Receives infrastructure telemetry traces (service name, version, performance spans) for system monitoring. No personal data or terminal content is included.

Google Play / App Store

Purchase tokens are exchanged with the app stores to verify and manage subscriptions. All payment processing is handled entirely by the stores.

Data Retention

Data | Retention
Magic link tokens | 15 minutes
Access tokens | 1 hour
Analytics tokens | 30 days
Terminal session data in Redis | 1 hour (encrypted, auto-expires)
Account data | Until you delete your account
Usage metrics | Retained for service operation
Push notification tokens | Until unregistered or invalidated

How Your Data Is Protected

End-to-End Encryption

All terminal content is encrypted on your device using X25519 key exchange and AES-256-GCM before it leaves your machine. Our servers act as a blind relay — they route encrypted bytes between your CLI and mobile app without the ability to decrypt them. Even if our servers were compromised, an attacker would only get encrypted data they cannot read.

Context Isolation

As a second layer, our backend encrypts session data in Redis with per-user keys (ChaCha20-Poly1305) to prevent cross-user data leakage from routing bugs. This means your sessions are cryptographically isolated from every other user.

Secure Local Storage

Authentication tokens are stored in your platform's secure storage — iOS Keychain and Android Keystore with AES-256-GCM encryption. They never touch plaintext disk storage.

Mobile App Permissions

AFK requests only the permissions it needs:

Camera

Used to scan QR codes for device pairing. Not used for any other purpose.

Microphone

Used for voice commands to interact with your terminal sessions. Audio is not recorded or stored.

Notifications

Used to alert you when a terminal session needs your attention (e.g. a prompt waiting for approval).

Your Rights

  • Access — request a copy of the data we hold about you
  • Correction — ask us to correct inaccurate data
  • Deletion — request that we delete your account and associated data
  • Portability — receive your data in a portable format

To exercise any of these rights, reach out via our support page.

Children's Privacy

AFK is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please reach out via our support page and we will delete it.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you via email or an in-app notice. The "effective date" at the top of this page will always reflect the latest revision.

Contact

Questions about this policy? Reach out via our support page.