privacy policy

last updated — march 2026

01what we collect
  • App usage data — which apps you use, window titles, and session durations. Only collected by the macOS tracker when running.
  • Coding sessions — language, editor, project name, and duration from VS Code and Claude Code integrations.
  • Integration data — Spotify listening history, GitHub activity, HealthKit metrics (steps, energy, sleep, heart rate), and location check-ins. Only data from integrations you explicitly enable.
  • Device information — device name, OS version, and app version for debugging and multi-device support.
  • Account information — email address and authentication provider (Google or email/password).
02how we store it
  • All data is stored in Supabase PostgreSQL with row-level security (RLS). Only you can access your data — no other user, and no xeve employee, can query your rows.
  • Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Our database is hosted on Supabase infrastructure with SOC 2 Type II compliance.
03what we don't do
  • We never sell your data to anyone, for any reason.
  • We never share your data with third parties for their own purposes.
  • We never use your data for advertising or ad targeting.
  • We never train AI models on your personal data. The AI insights feature uses anonymized, aggregated summaries processed through OpenRouter, and no personal data is retained by the AI provider.
04data export
  • You can export all your data as CSV or JSON at any time from the Settings page in the web dashboard.
  • Exports include all tracked data: app sessions, coding sessions, Spotify history, GitHub activity, health samples, location logs, and daily summaries.
05data deletion
  • You can delete your account and all associated data at any time from the Settings page.
  • Deletion is permanent and immediate. We do not retain backups of deleted data.
  • If you uninstall the macOS or iOS app, local data is removed. Cloud data remains until you delete your account.
06third-party services
  • Google OAuth — used for authentication only. We receive your email and name.
  • Supabase — database, authentication, and file storage infrastructure.
  • Spotify API — if you connect Spotify, we sync your listening history. You can disconnect at any time.
  • GitHub API — if you connect GitHub, we sync commits, PRs, and reviews. You can disconnect at any time.
  • OpenRouter — processes anonymized daily summaries to generate AI insights. No personal data is stored by OpenRouter.
  • DigitalOcean — hosts the web dashboard application.
07cookies
  • Session cookies for authentication only. These are essential cookies required for the service to function.
  • No tracking cookies. No retargeting cookies. No third-party advertising cookies.
  • Google Analytics is used for anonymous, aggregate website usage statistics (page views, session duration). This data is not linked to your xeve account.
08contact
  • For privacy questions, concerns, or data requests, open an issue on our GitHub repository or contact us through the app.