Privacy & trust

By default, OpenBurnBar collects nothing.

All processing happens on your device. No telemetry, no analytics, no crash reports leave the device unless you explicitly opt in. Every opt-in is a separate switch and behaves like one.

Three trust zones

Where your data actually lives.

OpenBurnBar's data flow is a few concentric rings. Zone A is your Mac. Zone B is your Apple ID, on Apple's infrastructure. Zone C is OpenBurnBar's Firebase and Google Cloud, behind sign-in and App Check attestation.

Figure: OpenBurnBar privacy and data-flow architecture. Three concentric trust zones: Zone A is your Mac with the local app, daemon, Keychain, SQLite, and editor extension — all data stays here by default. Zone B is opt-in Apple iCloud, your Apple ID, separate from OpenBurnBar's servers. Zone C is opt-in Firebase plus Google Cloud, operated by OpenBurnBar, requiring sign-in plus App Check attestation. Secrets never traverse default-tier arrows — only metadata, redacted labels, and ciphertext do.

Diagram labels:

  • Zone A · Your Mac (single-user, canonical, works offline): macOS App (menu bar, dashboard, Hermes panel); Local Daemon (launchd, UNIX socket, JSON-RPC, gateway); macOS Keychain (provider keys, SQLCipher key); Local SQLite (usage, sessions, retrieval); Cursor / VS Code (activity bar panel); openburnbar CLI (health, controller, missions); on-disk agent logs, read-only (~/.claude/projects/, ~/.codex/sessions/, ~/.factory/sessions/, ~/forge/.forge.db, ~/.aider/)
  • Zone B · iCloud (opt-in, your Apple ID): iCloud session mirror in iCloud.com.openburnbar.app, copies of selected session log files
  • Zone C · Firebase + GCP (opt-in, OpenBurnBar-operated, gated by Auth + App Check): Firebase Auth (Apple, Google); Firestore (owner-scoped, App Check); Cloud Run (Hermes relay); Secret Manager (hosted provider secrets); Cloud Functions (JWS verify, entitlements); Cloud Run (quota runner)
  • Arrow labels: opt-in session mirror; metadata · ciphertext only; Auth · App Check

Zone A · Your Mac

Canonical. Works offline.

  • Local SQLite at ~/Library/Application Support/OpenBurnBar/OpenBurnBar.sqlite
  • Local daemon over a UNIX socket, auth-token-gated
  • macOS Keychain for any provider keys you supply, scoped kSecAttrAccessibleWhenUnlockedThisDeviceOnly
  • Read-only agent logs in ~/.claude/, ~/.codex/, ~/.factory/ and more
  • Editor extension & CLI connect to the same socket

Disabling sync entirely does not affect local data. The full product keeps working.

Zone B · Apple iCloud

Opt-in · your Apple ID.

  • Session-log mirror copies selected local session files into iCloud.com.openburnbar.app
  • Mirrored files can contain prompts, assistant responses, file paths, and code snippets — they are copies of the originals
  • Uses your Apple ID, not OpenBurnBar's servers
  • Delete files from iCloud Drive to remove them

Zone C · Firebase & GCP

Opt-in · OpenBurnBar-operated.

  • Firebase Auth handles Apple / Google sign-in
  • Firestore stores usage rows, quota snapshots, chat thread metadata, sync watermarks. Owner-scoped rules. App Check enforced
  • Google Cloud Secret Manager holds hosted-quota provider secrets when used. Firestore only carries a redacted label
  • Cloud Functions verify Apple JWS against pinned root CAs and reconcile entitlements against the App Store Server API
  • Cloud Run · Hermes relay routes encrypted frames; never sees plaintext request or response bodies
  • Owner-scoped, secret-field-name-denied — Firestore rules reject documents with field names like apiKey, token, cookie, credential
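
What owner-scoped rules with a field-name denylist can look like, as an added illustration that is not OpenBurnBar's own rules file. The /users/{uid} path layout and the helper function names are assumptions; the denylist holds only the four names this page lists.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Field names taken from this page; the real list may be longer.
    function deniedKeys() {
      return ['apiKey', 'token', 'cookie', 'credential'];
    }

    // Owner scoping: the signed-in user may only touch their own tree.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // Reject any incoming document that carries a denied field name.
    function hasNoSecretFields() {
      return !request.resource.data.keys().hasAny(deniedKeys());
    }

    // Hypothetical layout: one private tree per user.
    match /users/{uid}/{document=**} {
      allow read, delete: if isOwner(uid);
      allow create, update: if isOwner(uid) && hasNoSecretFields();
    }
  }
}
```

hasAny compares exact top-level key names, so a nested map or a differently cased key needs its own check. App Check enforcement is switched on per product in the Firebase console and is not expressed in this file.
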
What's never collected

The promises in plain English.

  • No telemetry by default. No analytics. No crash reports unless you turn on Sentry diagnostics.
  • No API keys read for local-only usage tracking. Local tracking reads usage logs, not credentials.
  • No conversation content uploaded unless you enable chat backup. The default Firestore sync is metadata only — usage row summaries, thread IDs, sync watermarks.
  • No payment data on our servers. The App Store handles billing; we never see card numbers.
  • No data from other apps, ever — explicitly not collected.
  • No PII beyond Apple/Google sign-in attributes. Even those are only used to scope your private Firestore tree.

Every opt-in

Toggle anything. Cancel anything.

  • Firebase sync

    Off by default. Enable in Settings → Account. Even when on, only metadata syncs unless you separately enable Chat backup, Conversation metadata backup, or Session-log sync.

  • iCloud session-log mirror

    Off by default. Uses your Apple ID and iCloud Drive; deletions in iCloud Drive remove the data. Conflict copies are possible — iCloud owns sync semantics.

  • Hosted provider credentials

    Off by default. When used, the secret value is encrypted and stored in Google Cloud Secret Manager; Firestore stores only the redacted label. Remove the account in OpenBurnBar to delete it.

  • Hermes Remote Relay (paid)

    Off by default; paid entitlement required to activate. Frames are end-to-end encrypted from OpenBurnBar's perspective — the relay never receives plaintext.

  • Sentry diagnostics

    Off by default. When on, anonymized crash reports are sent to Sentry. The user identifier is a SHA seed derived from the bundle ID and full user name — not direct PII.

Delete it all

Several ways out, all of them yours.

  • Local data — delete the app and ~/Library/Application Support/OpenBurnBar/.
  • Cloud data — sign out and choose Delete my data in Settings → Account.
  • Hosted credentials — remove the provider account from OpenBurnBar.
  • iCloud mirrored files — delete from iCloud.com.openburnbar.app in iCloud Drive.
  • Subscription — managed by Apple in Settings → Apple ID.

Privacy controller: Imagine That AI LLC.
For privacy questions, write to privacy@imagine-that.ai.

Read it in code, not just in copy.

Every promise on this page points at a file you can read — the threat model, the Firestore rules, the JWS verifier.