If you ship a developer tool, you have a problem: most of your users never tell you what they actually use. You can guess from GitHub stars, npm downloads, the occasional issue. None of those are honest signals. They’re vanity metrics with no causal link to whether the feature you spent two weeks on is helping anyone.

So this release adds something we resisted for a long time: anonymous usage analytics, on by default. We want to be straight about what we’re doing and why.

What we collect (and what we don’t)

We count which screens you open, which features you click, app version, OS, install source, and a random per-install UUID. That’s it.

We never collect: your code. Your prompts. Your file paths. Your conversation content. Your project names. Your Claude session IDs. There is no event in the schema that carries any of that. This isn’t policy — it’s enforced by a closed event taxonomy in the source. The compiler rejects new events that try to carry content fields.

Turn it off permanently with one command:

export CLAUDE_VIEW_TELEMETRY=0

A one-time notice prints on first run telling you exactly this. Builds from source send nothing — the API key is baked in at build time only for the official npm package and install script.

App Store privacy nutrition labels

The full privacy policy is now live with Apple App Store privacy nutrition labels (we’re working toward an iOS app). Third-party processors are listed by name. Retention is stated explicitly. Your rights are spelled out — including: ask us to delete everything we have on you, at any time.

If your company needs to clear a vendor review before installing claude-view, the privacy page is structured so legal can do it in fifteen minutes. We wrote it as plain English first and lawyer English second.

The bug we accidentally shipped for months

This release also fixes something embarrassing. The old code that figured out how you installed claude-view (shell script, npx, or Claude Code plugin) checked whether the binary’s path contained .cache/claude-view. Earlier in the year we moved all app data from ~/.cache/claude-view/ to ~/.claude-view/ — and that detection silently broke. Every install via the shell script for the last few months was being labelled npx in our (then-internal) analytics.

The fix is structural: install.sh now writes an explicit marker file at ~/.claude-view/install-source, and the server resolves it relative to the running binary. It survives CLAUDE_VIEW_INSTALL_DIR overrides. It’s testable without a real install (pure path arithmetic + injected exe path). And it can’t drift from the install script again because the install script writes the marker the server reads, in the same commit.

We caught this only because we instrumented the data pipeline end-to-end before shipping the analytics — and found the breakdown of install sources looked impossible. If we’d shipped the metric without that verification, the install-source numbers would have been useless for the first month, and we wouldn’t have known.

There’s a lesson here that’s bigger than telemetry. Path contracts spanning multiple components (a shell script writes a file, a binary reads it) drift silently if you only fix one side. The new structure puts both sides under the same MANDATORY rule in the project’s path-contract drift sweep: find one site, grep the cluster, fix all of them, prove zero.

Plan-mode badge — confidence-gated by design

A session card now shows a small Plan badge when the session is in Claude Code plan mode. The implementation is uninteresting; the design constraint is.

We could have shown the current permission mode for every session, all the time. We didn’t. Instead the badge appears only when the most recent hook explicitly reported plan. Every other mode — and the absence of any reported mode — renders nothing. No “Unknown” pill. No “Default” badge. Just silence, until we have a strong signal.

This follows a principle the project tries to apply everywhere: better to show nothing than show something wrong. Wrong information destroys trust permanently. Once you’ve seen a tool tell you the wrong thing, you’ll never fully believe its next claim. Silence costs less.

The sub-agent reordering on cards (#62) follows the same idea from a different angle: don’t sort agents arbitrarily and let the user wonder; sort them by what’s most useful (running + newest first) and let the “+N more” overflow hide the oldest, not the working ones.

What’s next

Now that this release ships, we can finally measure whether the features people think are useful are the ones they actually use. The next few weeks will be guided by that data — not vibes, not loud GitHub issues, not what we feel like building.

If you don’t want to be part of that, the opt-out is one command. If you do, you don’t have to do anything — just upgrade.

npx claude-view@latest
# or
curl -fsSL https://get.claudeview.ai/install.sh | sh