Privacy

Your agent workstation should not watch you work.

Tokenburner treats terminal output, screenshots, file paths, project metadata, and cost data as sensitive local data.

PTY content stays local

Terminal output is used inside the app for rendering, error detection, and optional local diagnostics.

Screenshots stay local

Screenshot bytes remain on the machine unless the user deliberately shares or routes them.

Cost data stays local

Token and dollar estimates are local app data, not remote analytics. Cost history/export remain Pro-path work, not shipped public telemetry.

MCP is loopback only

The MCP server binds to localhost and every cross-pane action requires a grant.

No telemetry SDK

The desktop app has no analytics package or hidden phone-home path.

Opt-in crash reports only

Sentry is optional and configured to scrub paths, hostnames, and IP addresses.

License keys verify locally

The app can activate minisign-signed license keys without phoning home. Checkout and license delivery run through separate Cloudflare Worker routes.

Outbound network

Default installs do not include analytics.

The desktop app does not ship an analytics SDK. User-initiated downloads, source links, local license activation, checkout, opt-in updater checks, and opt-in crash reports are separate, visible actions.

Website visits are different from desktop telemetry. This static site should stay free of marketing trackers and runtime third-party scripts.