Data Handling

CLI Pulse — Last Updated: April 28, 2026

This page lists every data category CLI Pulse touches and tells you whether it stays on your device, is synced to your CLI Pulse account, or is never collected at all. The authoritative privacy policy is on privacy.html; this page is a quick lookup.

Data category table

Category	Disposition	Where it lives
Provider API keys (OpenAI, Anthropic, Google, OpenRouter, etc.)	Stored locally / not uploaded	macOS Keychain on Mac; iOS Keychain on iPhone / iPad / Apple Watch; AndroidX EncryptedSharedPreferences on Android. Used directly against the provider's API over TLS.
Provider session cookies (manual cookie headers)	Stored locally / not uploaded	Device Keychain. Used locally as a `Cookie` header to the provider.
Bridged provider OAuth tokens (read from `~/.codex/auth.json`, `~/.claude/.credentials.json`, `~/.gemini/oauth_creds.json`)	Stored locally / not uploaded	macOS Keychain (app-group shared between the sandboxed main app and the local helper). Used locally only.
Local session logs — raw contents of `~/.codex/sessions/` and `~/.claude/projects/` JSONL files	Scanned locally / raw contents not uploaded	Read on-device via security-scoped bookmarks the user explicitly grants. The scanner computes token counts and other metrics locally.
Aggregated usage metrics (per-day token counts, request counts, model name, provider name, date)	Synced to your CLI Pulse account	Supabase, linked to your account, so iPhone, Apple Watch, and Android show the same history as your Mac.
Cost estimates (derived from per-day token counts and the provider's published pricing)	Synced to your CLI Pulse account	Supabase. Computed locally, then synced as numbers.
Provider quota / remaining / reset summaries	Synced to your CLI Pulse account	Supabase, so mobile clients can show current quota state without re-running the local scanner.
Session display metadata (session name, status, project identifier)	Synced to your CLI Pulse account	Supabase. Project identifiers are minimized or hashed in transit. Raw JSONL contents are not synced.
Device heartbeat / status (device name, OS version, helper version)	Synced to your CLI Pulse account	Supabase. Shows which Macs / iPhones / Watches are reporting.
Alerts you keep	Synced to your CLI Pulse account	Supabase. Alerts you resolve locally are stored in device `UserDefaults` and not synced.
CLI Pulse account email	Synced (required to authenticate)	Supabase Auth.
Apple / Google sign-in tokens	Used at sign-in only, not persisted by us	Exchanged once with Supabase for a session, then dropped.
Supabase session access / refresh token	Received and stored locally, not re-uploaded	Device Keychain. Keeps you signed in.
Git activity (Yield Score) — commit hash, HMAC of project path, commit timestamp, merge-commit flag	Synced only when the toggle is ON	Supabase. Off by default. Toggle is in Settings → Privacy.
Git commit messages, diffs, file paths, author identity	Never collected	Explicitly excluded even when Yield Score is on.
Crash reports	Synced when a crash or error occurs	Sentry. A local `beforeSend` hook scrubs API keys, tokens, JWTs, Bearer headers, `/Users/<name>` paths, and known sensitive field names before the event leaves the device. Performance tracing is disabled.

User controls

Disable helper / background sync: Settings → General on macOS, or Settings → Sync on the mobile clients. With sync off, the local scanner still works for the local UI; nothing is sent to your account.
Revoke folder access: Settings → CLI Tool Access → pick a directory → remove the security-scoped bookmark. The scanner will no longer read that location.
Disable Yield Score / git tracking: Settings → Privacy → "Track git activity" toggle. Off by default; turning it off stops uploads immediately.
Delete API keys: Settings → Providers → remove a provider. The Keychain entry is deleted.
Delete your account / data: Settings → Account → Delete Account. Cascading deletes remove all associated rows within 30 days.
Export your own data: "Export Report" in the Overview tab produces a PDF or CSV of your account's data.

Retention

Local Keychain entries persist until you delete the provider or the app.
Account-active metrics on Supabase are retained for up to 18 months of rolling history. A nightly job prunes rows older than that.
If you set a shorter data_retention in Settings → Privacy, that value applies to your sessions, alerts, and device snapshots.
Account deletion removes all associated rows within 30 days.

What we do not do

We do not upload your provider API keys, session cookies, or bridged provider OAuth tokens.
We do not upload the raw contents of your local session-log files.
We do not ship third-party product-analytics SDKs (no Google Analytics, Firebase Analytics, Amplitude, Mixpanel, or similar). Sentry is used for crash reports only and runs through a local scrubber.
We do not sell your data to anyone.

Contact

General support: clipulse.support@gmail.com
Security disclosures: yyyyy.yeyuhe@gmail.com with subject [CLI Pulse Security]