Privacy
Privacy policy
Daintree is a local-first desktop app built by one person. Daintree has no backend that receives your code, your prompts, or your agent output — they stay on your machine unless you turn on an optional feature (voice input, the GitHub integration, or the MCP server) that talks to a third party with your own credentials. This page documents exactly what data the website and the app collect, the third parties involved, and the controls you have over each.
The short version
- Your source code, prompts, and agent output never reach a Daintree server. There is no Daintree server that receives them.
- App telemetry, voice input, the GitHub integration, and the MCP server are all off by default and opt-in. When telemetry is on, it scrubs file paths and credentials before sending, and every accepted error event is captured (there is no sampling).
- Voice input is optional and uses your own OpenAI API key — audio and transcription text go directly to OpenAI, never through Daintree.
- Credentials you enter (a GitHub token, an OpenAI key, an MCP key) are stored as plain-text JSON in a local config file with owner-only permissions — not in the OS keychain.
- The app is distributed through the Microsoft Store; Microsoft handles your Store account, download, and install data under its own privacy statement.
- The website uses Vercel Web Analytics, which is cookieless and does not track you across sites.
- The newsletter is optional, double opt-in, and only collects your email address. Unsubscribe at any time.
- The site sets no first-party tracking cookies. There are no logins or user accounts.
- Fonts are served from our own domain — no third-party font CDN.
- Daintree itself is free to download and Apache 2.0 licensed.
Who is responsible for your data
Daintree is a personal project, started in 2025 (originally under the name "Canopy"). The responsible party is Greg Priday, a sole developer based in South Africa, who is also the designated Information Officer for the purposes of POPIA Section 56.
For privacy questions, data requests, or anything in this policy, email greg@siteorigin.com. A dedicated @daintree.org address will replace this once it's set up; the address above will remain valid in the meantime. A postal address for formal correspondence is available on request via the same email.
This page is the canonical privacy policy submitted to Microsoft Store Partner Center for the Daintree desktop app listing. It describes the data the app and website collect. Personal data that Microsoft processes when you find, buy, download, or update the app through the Store — your Microsoft account, purchase and install records, ratings and reviews, and Store diagnostics — is handled by Microsoft as an independent controller under the Microsoft Privacy Statement. Daintree does not receive those identifiers.
The website (daintree.org)
The website is a marketing and documentation site. It has no logins, no user accounts, no comment system, and no contact forms. The only place you can submit personal data is the optional newsletter signup.
Analytics
We use Vercel Web Analytics to count page views and basic engagement. Vercel Analytics is cookieless and does not build advertising profiles. To distinguish unique visits within a single day, Vercel computes a hash from the request IP, user agent, and a per-project salt; that hash resets every 24 hours and the raw IP is not stored. The data we see is aggregate: pages visited, referrers, approximate country, OS family, browser family, and device type.
Newsletter signup (MailerLite)
If you choose to subscribe to the newsletter at /newsletter, your email address is sent to MailerLite, which manages the subscriber list and sends the emails. We collect only your email — no name, no phone number, no other fields. MailerLite stores subscriber data on Google Cloud infrastructure in the European Union.
Subscriptions use double opt-in: MailerLite sends a confirmation email, and your address is only added to the list if you click the link inside it. As part of that flow, MailerLite logs the IP address and timestamp of your signup and your confirmation; this is standard anti-abuse and consent-record practice and is governed by MailerLite's privacy policy. Newsletter emails include open and click tracking by default. Every email includes an unsubscribe link, and you can also email us to be removed.
Bot protection (Cloudflare Turnstile)
The newsletter form is protected by Cloudflare Turnstile to prevent automated abuse. Turnstile is loaded only when you visit /newsletter; it does not run on any other page. When loaded, the widget sets short-lived cookies on challenges.cloudflare.com (typically __cf_bm, valid for around 30 minutes, and cf_clearance if a challenge is solved) and inspects browser-level signals — TLS characteristics, user agent, and rendering details — to score the request as human or bot. Turnstile does not use this data for advertising or cross-site tracking, and Cloudflare retains the underlying signals only for as long as needed to operate the bot-protection service. We rely on legitimate interest in keeping the newsletter form free of automated abuse as the basis for processing here.
Site search
The site search is powered by SearchSocket with an Upstash Search backend. When you submit a query, the query text is sent to Upstash to retrieve matching pages. Queries may be logged for service operations and product improvement, but they are not associated with any user identifier — there is no account or session linking searches to a person.
Caching
We use Upstash Redis on the server to cache things like GitHub repository statistics and release metadata. No visitor data, no IP addresses, and no personal information is stored in the cache. Because we call Upstash exclusively from our server, Upstash never sees your IP address or any other visitor data.
Hosting and server logs
The site is hosted on Vercel. Like any web host, Vercel keeps standard request logs (timestamps, request paths, IP addresses, user agents) for short, platform-managed periods — on Vercel's free tier, runtime logs are retained for roughly an hour — to operate the platform and protect against abuse. Daintree's own application code does not write IP addresses or other user-identifying data into application logs.
Browser storage
The site writes a small amount of data to your browser's localStorage and sessionStorage:
- localStorage caches public GitHub repository stats so they don't need to be refetched on every page (auto-expires after 24 hours).
- sessionStorage remembers whether the homepage hero animation has already played in your current tab.
None of this data identifies you. Clearing your browser storage removes it.
Embedded media
Fonts are served from our own domain — there is no third-party font CDN in the page. Some blog and documentation pages embed YouTube videos. The YouTube player is loaded only when you press play; if you do, YouTube applies its own data practices to that traffic.
The desktop app (Daintree)
Daintree is an Electron desktop app that runs entirely on your machine. It is a workspace around AI coding CLIs you already have — Claude Code, Gemini CLI, Codex, OpenCode, and others. The app's design principle is that your code never leaves your machine because of Daintree itself: no Daintree backend ingests your files, prompts, or agent output. The optional features described below — voice input, the GitHub integration, and the MCP server — send specific data to third parties only when you turn them on, and only ever using your own credentials. Everything in this section is opt-in and disabled by default unless stated otherwise.
Distribution via the Microsoft Store
Daintree is distributed through the Microsoft Store (alongside direct downloads). When you install or update through the Store, Microsoft processes your Store account, download and install records, update delivery, ratings and reviews, and Store-level diagnostic data as an independent controller under the Microsoft Privacy Statement. Daintree does not receive your Microsoft account identifier or those Store records. The app's own update check (described under Auto-updates below) is a separate mechanism that talks to updates.daintree.org, independent of Store-managed updates.
AI agent traffic
Daintree launches AI coding tools as local subprocesses. The CLI talks to its provider (Anthropic, Google, OpenAI, etc.) directly using your credentials and your terms with that provider. Daintree is not in the network path. We never see your prompts, completions, model responses, or API keys. If you have privacy questions about what an agent sends to its provider, those answers belong to the provider, not Daintree.
GitHub integration (optional)
The GitHub integration is optional and inactive until you supply a GitHub personal access token in Settings. When configured, the app uses your token to query the GitHub API for repository statistics, issues, pull requests, vulnerability alerts, and pull-request review threads tied to the projects you work on. This traffic goes directly from your machine to GitHub under your token and your GitHub terms; Daintree has no server in between. The token is stored locally (see Local data on disk) and is never transmitted to Daintree. Remove the token at any time to disable the integration.
MCP server (optional, off by default)
Daintree includes a built-in MCP server that is disabled by default. When you enable it, it exposes app capabilities to external AI agents that connect to it, which changes the local security surface of your machine — only enable it if you understand and want that. The MCP server auto-generates a bearer API key on first start; that key is stored locally in the same config file as other credentials. The MCP server keeps a local audit log of activity (on by default when the server is configured, capped at 500 records by default and configurable in Settings); the audit log stays on your machine and is not transmitted to Daintree.
Telemetry — off by default
The app has three telemetry levels, set in Settings → Privacy & Data. The default is off, and nothing is sent until you explicitly choose otherwise:
off— no events are transmitted. This is the default.errors— scrubbed error events are sent to Sentry, with file paths and credential patterns removed first.full— adds a small set of named onboarding and activation events (for exampleonboarding_step_viewed,onboarding_completed,onboarding_abandoned,activation_first_agent_task_started,activation_first_agent_task_completed,activation_first_parallel_agents).
Before any event leaves the app:
- Home directory paths are replaced with
~in stack traces and breadcrumbs. - API keys, OAuth tokens, JWTs, and PEM blocks are matched against a scrubber pattern list (GitHub, Anthropic, OpenAI, AWS, Google, Stripe, Slack, npm, Azure, and generic Bearer tokens) and redacted.
- URL query strings are stripped of
access_token,refresh_token,client_secret, andcode. - Scrubbing walks each event up to ten levels deep; the event's tags, user, and extra-context fields are left untouched because Daintree never populates them with personal data (it makes no
setUser()calls).
There is no sampling: once telemetry is enabled, every event that passes the scrubber is sent (the Sentry SDK's default 100% capture rate). The scrubber runs first, so events it cannot safely process are dropped before transmission. Native crash dumps (minidumps) are never sent to Sentry — the minidump integration is filtered out and Electron's crash reporter runs with uploadToServer: false, so any crash dump is written locally only.
The Sentry SDK does not transmit your IP address or any user identifier with events; no device identifier, install ID, or anonymous user ID is generated by Daintree for telemetry. Sentry's servers receive the connection's network IP at HTTP transport time (this is unavoidable for any internet request), and the Daintree project in Sentry is configured to discard IP addresses at the storage layer. Sentry retains accepted events for 30 days on the free tier we use. Settings → Privacy & Data also includes a preview view that shows you what would be sent without actually sending it.
Auto-updates
Daintree checks updates.daintree.org at startup and roughly every four hours to see if a new version is available. The check is an HTTP request for a release manifest; the only data sent is what's in standard request headers (your IP address, the app version, your operating system family, and a user agent). No personal information is transmitted. You can switch between stable and nightly channels in Settings.
Voice input (completely optional)
Voice input is a completely optional feature. It is disabled by default, requires you to bring your own OpenAI account and API key, and is never loaded or activated unless you explicitly enable it in Settings.
When enabled, the app streams microphone audio directly from your machine to OpenAI's realtime transcription endpoint (wss://api.openai.com/v1/realtime) using your own API key. Voice correction is a separate toggle, also disabled by default: when you turn it on, the raw transcription text is sent to OpenAI's responses endpoint (https://api.openai.com/v1/responses) to clean up the transcript. Both flows use your own OpenAI credentials and connect directly to OpenAI — Daintree does not proxy, see, or store the audio or the text. What OpenAI does with that data is governed entirely by your account-level agreement with OpenAI. In the language of POPIA and GDPR, OpenAI acts as a processor for you (the controller) in this flow, and Daintree is not in the data path at all.
Local data on disk
The app stores its configuration in a local JSON file (config.json) inside its user-data directory — ~/Library/Application Support/Daintree/ on macOS, ~/.config/Daintree/ on Linux, or %APPDATA%\Daintree\ on Windows. This includes app settings, recent projects, worktree and panel layouts, keybinding overrides, per-project workspace configuration, and — if you choose to provide them — your GitHub personal access token, OpenAI API key, MCP server API key, and any forge credentials (credentials for Code Forge providers such as GitLab, Bitbucket, or Gitea). None of this is ever transmitted to Daintree.
These credentials are stored as plain-text JSON, not encrypted and not in the operating-system keychain. This is a deliberate choice — it's the same security model as a ~/.gitconfig or a CLI's own config file, and Daintree explicitly opts out of the OS keychain (it runs Chromium with --use-mock-keychain) so it never silently holds your secrets in a system credential store. On macOS and Linux the config file's permissions are tightened to 0o600 (readable and writable only by your user account). Protect this file the way you'd protect any local config that holds tokens.
The app keeps local logs in its user-data directory. Log retention is configurable in Settings → Privacy & Data — 7, 30, or 90 days, or kept indefinitely — and defaults to 30 days. The MCP server's audit log (when the server is enabled) is stored separately and capped at 500 records by default. Daintree's built-in crash reporter runs with uploadToServer: false, so any native crash dumps are written locally and never uploaded. You can clear the app's HTTP cache, reset all stored data, or uninstall the app at any time.
For the deeper technical reference, see Security & Privacy in the docs and the Trust & Security page.
Your controls in the desktop app
Daintree is built so that every data-relevant feature is off by default. Here is the complete list of settings that affect what data the app collects, transmits, or keeps on disk, and where to change each one.
For voice input, voice correction, the GitHub integration, and the MCP server, you also retain account-level controls at the respective provider (OpenAI, GitHub) over how that provider handles the data it receives.
Third-party services we rely on
Daintree depends on a small number of third-party services. Each one has its own privacy policy, linked below.
This is the complete set of third parties that Daintree itself sends data to. There is no advertising network, no data broker, and no analytics vendor beyond what's listed here. Separately, the AI coding CLIs you launch through Daintree communicate directly with their own providers (Anthropic, Google, OpenAI, and so on) under your credentials and those providers' terms — Daintree is not in that data path.
What we don't do
A short, deliberate list of things you might reasonably expect a website privacy policy to mention — and which simply don't apply here:
- No advertising network, retargeting pixel, or marketing analytics vendor.
- No behavioural profiling, fingerprinting, or building of visitor profiles. (Cloudflare Turnstile inspects browser-level signals on the newsletter page only, strictly to score bot vs. human.)
- No selling or sharing of personal data with third parties beyond the providers listed above.
- No cross-site tracking. The site sets no first-party tracking cookies, and Vercel Analytics resets its identifier hash daily.
- No user accounts, no logins, and no authentication flow on the website.
- Daintree itself does not read, upload, or transmit your code, prompts, agent output, or local files to any Daintree server. Opt-in features — voice input, the GitHub integration, and the AI CLI tools you run — send specific data to their respective providers under your own credentials and those providers' terms, never through Daintree.
- No automated decision-making or scoring that produces legal or similarly significant effects.
Lawful basis for processing
For each processing activity described above, this is the lawful basis we rely on under POPIA Section 11 and GDPR Article 6. Providing personal information to Daintree is always voluntary; the only consequence of declining is that the relevant feature does not work for you (you don't receive the newsletter, telemetry stays off, voice input doesn't activate).
- Newsletter signup — your consent (POPIA s11(1)(a) / GDPR Art 6(1)(a)).
- App telemetry, when you enable it — your consent. Off by default; you can withdraw at any time in Settings.
- Voice input, when you enable it — your consent, plus your direct contractual relationship with OpenAI.
- GitHub integration, when you enable it — your consent, plus your direct contractual relationship with GitHub.
- MCP server, when you enable it — your consent. Off by default; enabling it is an explicit, reversible choice in Settings.
- Microsoft Store distribution — Microsoft acts as an independent controller under its own privacy statement for Store account, download, and install data; our basis for distributing through the Store is our legitimate interest in delivering the app.
- Vercel Web Analytics — our legitimate interest in understanding aggregate site usage (POPIA s11(1)(f) / GDPR Art 6(1)(f)). The processing is cookieless and uses no cross-site identifiers, which we believe makes the impact on your privacy minimal.
- Cloudflare Turnstile bot protection — our legitimate interest in keeping the newsletter form free of automated abuse.
- Server-side caching, hosting, and standard request logs — our legitimate interest in operating and securing the website.
- Auto-update checks and crash telemetry transport — our legitimate interest in delivering a working, secure desktop app.
Your rights
Daintree is operated from South Africa and is therefore subject to the Protection of Personal Information Act (POPIA). If you are in the European Union, the United Kingdom, or another jurisdiction with similar data-protection rules, those rules apply to your data as well.
You have the right to:
- Access the personal information we hold about you (in practice this is essentially your newsletter email address, if you've subscribed).
- Correct any information that is inaccurate.
- Delete your information — for the newsletter, you can do this yourself via the unsubscribe link or by emailing us.
- Object to processing or withdraw consent at any time. Withdrawing consent does not affect the lawfulness of past processing.
- Lodge a complaint with the South African Information Regulator or your local data-protection authority.
To exercise any of these rights, email greg@siteorigin.com. We aim to respond within 30 days.
The South African Information Regulator can be contacted directly at:
- Email (general enquiries): enquiries@inforegulator.org.za
- Email (POPIA complaints): POPIAComplaints@inforegulator.org.za
- Postal: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Web: inforegulator.org.za
Children
Daintree is a tool for software developers. It is not directed at children, and we do not knowingly collect personal information from anyone under 13 (or under 16 in the EU/UK). If you believe a child has provided personal information through the website, please contact us and we'll delete it.
International data transfers
The third-party services we use are operated from a small set of jurisdictions, primarily the United States and the European Union. Where personal information is transferred to one of those providers, we rely on the corresponding mechanism that the provider itself maintains:
- US-based providers (Vercel, Cloudflare, Sentry, Upstash, OpenAI, GitHub, Microsoft) — rely on the transfer mechanism each provider maintains: participation in the EU-U.S. Data Privacy Framework and its UK Extension where applicable, and/or Standard Contractual Clauses through their published Data Processing Agreements.
- EU-based providers (MailerLite stores subscriber data on Google Cloud in the EU) — operate under GDPR directly.
OpenAI and GitHub receive data only when you explicitly enable voice input or the GitHub integration, and in those flows they receive it directly from your machine under your own credentials. For purposes of POPIA Section 72, we rely on the published privacy commitments and DPAs of these providers, all of which afford a level of protection that is substantially similar to POPIA's principles. Because the data Daintree itself hands off is minimal (an email address for the newsletter, an anonymous search query, an opt-in scrubbed error report) the practical risk surface of these transfers is small.
Security
The Daintree desktop app's security model — Electron sandboxing, IPC validation, code signing, telemetry scrubbing, and so on — is documented in detail on the Trust & Security page and in the security reference. Locally stored credentials live in a config file with owner-only permissions (0o600 on macOS and Linux) and are not placed in the OS keychain; native crash dumps are written locally and never uploaded. The website itself is a static SvelteKit deployment with HTTPS enforced; the only secret it handles is a server-side MailerLite API key, kept in environment variables and never exposed to the browser.
Changes to this policy
If this policy changes, the effective date at the top of the page will be updated. For substantive changes — new third parties, new categories of data collected — we'll also note the change in a release announcement or in the newsletter, where applicable.
Contact
Privacy questions, data requests, or general feedback: greg@siteorigin.com.