Privacy Policy
Effective: April 17, 2026 · Last updated: April 17, 2026
claude-view is a local-first tool for monitoring AI coding agents. Most of what you do in claude-view never leaves your machine. This page explains the narrow cases where data does move, what we collect, and how to control or delete it.
Quick summary
- Local tool (desktop/CLI): reads your Claude Code session files locally — your conversations, code, prompts and session content are never uploaded.
- Anonymous usage analytics: official builds (
npx claude-view/ install.sh) send anonymous feature-usage counts (which screens/actions, never content) to guide development. One-command opt-out (CLAUDE_VIEW_TELEMETRY=0); builds from source send nothing. - Waitlist: we store your email to notify you at launch.
- Mobile app: requires an account for pairing and relay. We collect the minimum needed to make it work.
- Share viewer: opt-in only. You control what gets shared and can delete it any time.
- No advertising. No data brokering. No sale of data.
1. Local-first data — never uploaded
The desktop CLI (npx claude-view) and web app read your Claude Code session logs
(~/.claude/projects/**/*.jsonl), project metadata, and prompt history entirely
on your local disk. This data is indexed locally in SQLite and Tantivy under
~/.claude-view/. Your session content is never transmitted to any server.
We have no access to your conversations, code, prompts, or session content. Official builds additionally send anonymous, content-free feature-usage analytics — covered in section 7, and opt-out in one command.
2. Data we do collect
The table below covers all data that leaves your device.
| Data type | Purpose | Retention | Linked to identity? | Third party |
|---|---|---|---|---|
| Waitlist email + optional name | Notify you at launch; one-time referral tracking | Until you unsubscribe, or 12 months after launch — whichever comes first | Yes | Supabase |
| Account email or Google OAuth identity | Authenticate mobile app users; authorize pairing | Until account is deleted | Yes | Supabase, Google |
| Device pairing record (device name, platform, public key) | Link your phone to your desktop for real-time monitoring | Until revoked by user, or 30 days after last activity (automatic GC) | Yes | Supabase, Fly.io |
| Push notification token (external user ID only) | Deliver agent status alerts to your phone | Until you disable notifications or delete the app | Yes | OneSignal, Apple APNs |
| Shared conversation blob (opt-in, encrypted) | Let you share a single session via a link you control | Until you revoke the share link; max 90 days | No (stored under opaque ID) | Cloudflare R2/D1 |
| Anonymized page-view counts (landing site only) | Understand which docs and features people use | Rolling 90-day aggregate; no raw event log | No | Cloudflare Web Analytics |
| Anonymous app usage analytics — feature/screen counts, app version, OS, install source, random install UUID (official builds only; never code, prompts, paths or session content) | See which features are used so development is guided by real usage | Aggregate event counts; opt out anytime with CLAUDE_VIEW_TELEMETRY=0 | No (random per-install UUID, not tied to any account) | PostHog |
3. Apple privacy nutrition label categories
For the iOS App Store, the data types we collect map as follows:
- Contact Info — Email Address: collected for account creation and waitlist. Linked to identity.
- Identifiers — User ID: Supabase auth UID used to tie devices to an account. Linked to identity.
- Identifiers — Device ID: pairing record stores device name and platform. Linked to identity.
- Other Data — Push tokens: OneSignal external user ID, not a raw device token. Linked to identity.
- Usage Data — Product Interaction: anonymous feature/screen counts from official desktop builds (PostHog), keyed to a random per-install UUID. Not linked to identity, not used for tracking, opt-out via
CLAUDE_VIEW_TELEMETRY=0. - No browsing history, location, financial info, health, sensitive info, contacts, messages, or photos are collected. No diagnostics/crash data is collected.
- None of the data above is used for tracking or advertising.
4. Third-party service providers
We share data only with processors necessary to operate the product:
- Supabase (supabase.com) — authentication, database, and edge functions. Data stored in US-East-1 (AWS). Privacy policy.
- Cloudflare (cloudflare.com) — CDN, Pages hosting, Workers, R2 object storage, D1 database, and cookieless Web Analytics on the landing site. Data processed globally. Privacy policy.
- Fly.io (fly.io) — WebSocket relay server for mobile-to-desktop pairing. Data in transit only; no persistence. Privacy policy.
- OneSignal (onesignal.com) — push notification delivery for iOS/Android. We pass an external user ID; OneSignal handles APNs/FCM tokens on our behalf. Privacy policy.
- Google — OAuth provider for sign-in. Governs Google account data per Google's privacy policy.
- PostHog (posthog.com, US Cloud) — anonymous product analytics for official
desktop builds. Receives content-free feature/screen counts keyed to a random per-install
UUID; no IP/geo, no session recording, no autocapture. Disabled entirely with
CLAUDE_VIEW_TELEMETRY=0and absent from source builds. Privacy policy.
We do not sell data to any of these parties or anyone else. They process data only as needed to provide their services to us.
5. Mobile app — pairing and relay
The mobile app connects to your desktop claude-view instance using a short-lived pairing code shown as a QR code. Pairing creates a device record in Supabase that ties your phone to your desktop instance. Live session data is streamed over an encrypted WebSocket relay hosted on Fly.io.
Your session content (conversations, code, prompts) is never stored on our relay or in Supabase. The relay is a dumb pipe that forwards real-time events; nothing is persisted server-side.
To revoke a device: open the mobile app, go to Settings → Paired Devices, and tap Revoke. You can also revoke all devices at once. Device records are automatically garbage-collected 30 days after last activity.
6. Share viewer (opt-in)
You can optionally share a single conversation by generating a share link from the desktop app. This uploads an encrypted copy of that conversation to Cloudflare R2 under an opaque random ID. The link you receive is the only way to access it.
Shares are not linked to your identity and are not indexed or searchable. They expire after 90 days or when you explicitly revoke them — whichever comes first. Revoking deletes the blob immediately.
7. Analytics
The landing site at claudeview.ai uses Cloudflare Web Analytics. This is cookieless, uses no JavaScript tracking beacon, and does not identify individual visitors or build cross-site profiles. We receive aggregate page view counts and referrer summaries only.
Desktop app (official builds only). The prebuilt binary distributed via
npx claude-view and the install script sends anonymous usage
analytics to PostHog so development is guided by which features people actually
use. We collect: which feature/screen was opened, high-intent action counts, app version,
OS/platform, install source, and a random per-install UUID. We never
collect code, prompts, file paths, project names, session content, or any identifier tied
to you — this is enforced by a closed event schema, not just policy. IP/geo, session
recording and autocapture are all disabled.
This is on by default in official builds (a one-time notice is printed on
first run). Turn it off permanently with the CLAUDE_VIEW_TELEMETRY=0
environment variable or the toggle in Settings. Builds from source contain no
analytics key and send nothing — there is no code path that can. The mobile app
and share viewer have no analytics instrumentation.
8. Children's privacy
claude-view is a developer tool not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal information from minors. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.
9. International data transfers
Our service providers (Supabase, Cloudflare, Fly.io, OneSignal) are primarily US-based and process data in the United States and other regions. If you are in the EU or UK, your data may be transferred to countries that do not have the same data protection laws. Where required, we rely on Standard Contractual Clauses or the provider's own transfer mechanisms.
10. Your rights
Depending on where you live, you may have the right to:
- Access — request a copy of the data we hold about you.
- Delete — ask us to delete your account and associated data.
- Export — receive your data in a portable format.
- Correct — update inaccurate information.
- Opt out — unsubscribe from the waitlist at any time via the link in any email we send.
To exercise any of these rights, email [email protected]. We will respond within 30 days. For account deletion, you can also delete your account directly from the mobile app under Settings → Account → Delete Account.
Local data (session logs, local index) is always under your control — just
delete ~/.claude-view/ on your machine.
11. Security
All data in transit is encrypted with TLS. Supabase stores passwords using bcrypt. Shared blobs are encrypted client-side before upload. Device pairing uses JWT-authenticated connections. We follow responsible disclosure; if you find a vulnerability, please report it to [email protected].
12. Changes to this policy
If we make material changes, we will update the "last updated" date above and notify registered users by email at least 14 days before changes take effect. Continued use of the service after that date constitutes acceptance of the revised policy.
13. Contact
Questions, requests, or concerns: [email protected]
claude-view is operated by [OPERATOR LEGAL NAME]. This policy applies to the claude-view product including the desktop CLI, web app, mobile app (iOS and Android), and the landing site at claudeview.ai.