OpenBurnBar
GitHub Download
Legal

Privacy policy

Last updated: May 8, 2026

This policy describes how Imagine That AI LLC handles your data when you use OpenBurnBar. For an annotated, plain-English version with diagrams, see the Privacy & trust page.

1. Summary

OpenBurnBar is local-first by default. With no account and no opt-ins, no telemetry, analytics, crash reports, or usage data are transmitted from your device. Optional features — Firebase cloud sync, iCloud session-log mirroring, hosted quota sync, Sentry diagnostics, Hermes Remote Relay — each require explicit activation.

2. Information we collect

By default: nothing leaves your device.

If you sign in and enable Firebase sync: usage row summaries (tokens, cost estimates, timestamps, provider names), provider account metadata and quota snapshots (redacted labels, IDs, refresh status, limits, remaining quota), in-app chat thread metadata (thread IDs, titles/previews when enabled, timestamps, counts), conversation/session metadata and sync watermarks, shared artifact metadata and revisions, and sync state metadata.

If you have an active Hosted Quota Sync subscription and enable the matching capability: chat message bodies, conversation metadata, session-log manifests and chunks, and Hermes relay traffic (encrypted end-to-end from OpenBurnBar's perspective).

If you enable iCloud session-log mirroring: copies of selected local session log files into the Apple iCloud Drive container iCloud.com.openburnbar.app. Mirrored files may contain prompts, assistant responses, file paths, and code snippets because they are copies of the originals. This uses your Apple ID; it is separate from our Firebase infrastructure.

If you add a hosted quota account: provider authentication material that you explicitly provide. Secret values are stored in Google Cloud Secret Manager; Firestore stores only a redacted label. Hosted quota refresh requires a valid subscription entitlement and may be rate-limited.

If you enable diagnostics: anonymized crash reports may be sent to Sentry.

3. Information we never collect

  • Your API keys or credentials for local-only usage tracking.
  • The content of your source code or agent conversations unless you explicitly enable chat backup, session-log backup, or iCloud mirroring.
  • Personal identifying information beyond what your Apple or Google account provides for sign-in.
  • Any data from other applications.
  • Payment card numbers. App Store subscriptions are handled entirely by Apple.

4. How information is used

Data you opt to sync is used to (a) deliver the feature you enabled (e.g. cross-device chat resume), (b) operate the OpenBurnBar service for you, and (c) detect abuse and protect the service. We do not sell personal data. We do not use your data to train models. We do not engage in cross-app or cross-site tracking.

5. Sub-processors

  • Google · Firebase / Google Cloud: authentication, Firestore, Cloud Functions, Cloud Run, Secret Manager, App Check.
  • Apple · iCloud Drive: the iCloud session mirror, when enabled.
  • Apple · App Store / StoreKit: subscription billing, JWS receipt issuance.
  • Sentry: opt-in crash reports.

6. Children

OpenBurnBar is a developer tool intended for adults. We do not knowingly collect data from children under 13.

7. Your rights and choices

You can, at any time:

  • Delete all local data by removing the app and its support files at ~/Library/Application Support/OpenBurnBar/.
  • Delete cloud data by signing out and selecting Delete my data in Settings → Account.
  • Disable any optional feature in Settings.
  • Remove hosted quota credentials by deleting the provider account.
  • Delete iCloud mirrored files in iCloud Drive.
  • Manage or cancel your subscription in Settings → Apple ID.

8. Security

Provider keys live in the macOS Keychain with device-local accessibility. Hosted credentials, when used, live in Google Cloud Secret Manager. Firestore is gated by Firebase Auth, owner-scoped rules, App Check, and a secret-field-name denylist. App Store receipts are JWS-verified against pinned Apple root CAs. See the security model page for the full threat model.

9. Changes

We may update this policy as the product evolves. Material changes will be noted in the project changelog and reflected in the "last updated" date above.

10. Contact

Privacy controller: Imagine That AI LLC.
Email: privacy@imagine-that.ai.
Repository: https://github.com/Imagine-That-Ai/BurnBar.