Privacy Policy

Summary

1. What We Collect

This matches the App Privacy declarations on the App Store:

• Identifiers — an anonymous device ID and an anonymous user ID (a non-PII identifier generated by RevenueCat). Not linked to your name, email, or any personal info, and not used to track you across other apps or websites.
• Usage data — product interaction (taps, screens viewed, paywall events) and milestones (onboarding progress, A/B test assignments). Used to fix bugs and improve the app.
• Diagnostics — performance data and crash reports (device model, OS version, app version, stack trace).
• Purchases — subscription status and product identifiers from Apple StoreKit (iOS) or Paddle (macOS DMG).

2. What We Do NOT Collect

• Clipboard content (text, images, files) — never leaves your device, except via your own LAN sync between paired devices (encrypted).
• Email, name, phone number, or address.
• Photos, contacts, microphone, location, or calendar.
• Health, financial, or biometric data.
• Browsing history outside of CopySafe.

We do not track you across other apps or websites. CopySafe does not show the App Tracking Transparency (ATT) prompt because we do not perform any tracking that would require it.

3. How Your Clips Are Stored & Synced

• Local-only storage: all clips live in an SQLite database inside the app's sandboxed container (iOS) or App Group container (macOS).
• LAN sync via Bonjour: devices on the same Wi-Fi sync clips directly. Data travels device-to-device — never to our servers.
  • Encrypted with AES-256-GCM
  • Devices paired via SPAKE2 or iCloud Keychain auto-trust
  • Per-message sequence counters prevent replay attacks
• No cloud clip storage. Apple CloudKit is used only for settings sync (see section 7), never for clip content.

4. Sensitive Clips

CopySafe automatically detects sensitive content (OTP codes, API keys, credit card numbers, passwords). Sensitive clips:

• Are marked with a visual indicator
• Auto-expire after a configurable time (default: 5 minutes)
• Are excluded from LAN sync by default
• Are automatically excluded from password manager clipboard entries (1Password, Bitwarden, KeePassXC, Dashlane, LastPass)

5. Third-Party Processors

We use the services below. None of them ever receive your clipboard content.

Amplitude

• Vendor: Amplitude, Inc. (San Francisco, USA)
• Purpose: product analytics and A/B testing of in-app experiences
• Data shared: anonymous device ID, anonymous user ID (non-PII identifier from RevenueCat), event names, and event properties (e.g. clip category, paywall placement name, onboarding step). No clip content. No email or names.
• Not used for cross-app advertising tracking.
• Privacy policy: amplitude.com/privacy

Superwall

• Vendor: Superwall Inc. (San Francisco, USA)
• Purpose: remote configuration and rendering of in-app paywalls, A/B testing of paywall designs
• Data shared: anonymous device/user identifiers, paywall view and interaction events, product identifiers, transaction outcomes (purchase / cancel / trial)
• Not used for cross-app advertising tracking.
• Privacy policy: superwall.com/privacy

Sentry

• Purpose: crash and performance reporting
• Data shared: device model, OS version, app version, stack traces, breadcrumbs (UI events without text content). No clipboard content or personal data.
• Privacy policy: sentry.io/privacy

RevenueCat

• Purpose: subscription and entitlement management across iOS and macOS
• Data shared: anonymous app user ID, subscription receipts, transaction events. No personal info.
• Privacy policy: revenuecat.com/privacy

Paddle (macOS DMG only)

• Purpose: Merchant of Record for the macOS direct-purchase version
• Data shared: billing details you enter at checkout (name, email, country, payment method) — handled directly by Paddle, not by us
• Privacy policy: paddle.com/legal/privacy

Apple Services

• App Store / StoreKit: iOS purchases are processed by Apple under their privacy policy
• CloudKit Key-Value Store: used only for settings sync — see section 7

6. Analytics Opt-Out

You can disable all analytics and crash reporting at any time:

Settings → Privacy → Analytics

This stops both Amplitude (usage analytics) and Sentry (crash reports) from sending any data. Superwall continues to render paywalls when you open them but stops sending interaction events. Purchase processing (RevenueCat / StoreKit / Paddle) cannot be disabled — it is required to validate your subscription.

7. iCloud Settings Sync

CopySafe uses Apple's iCloud Key-Value Store (capped at ~1 MB, on Apple's infrastructure) to sync:

• App settings (theme, hotkeys, preferences)
• Your RevenueCat anonymous user ID, so a Pro subscription bought on iPhone unlocks Pro on Mac automatically

Clip content is never synced to iCloud. Clip-to-clip sync only happens over your local network.

8. MCP Server

The MCP Server (Pro feature) runs locally on your Mac and is accessible only via localhost. It requires Bearer token authentication. No data leaves your machine through the MCP Server unless you explicitly configure external access.

9. Your Rights (GDPR / CCPA)

If you are in the EU, UK, California, or another jurisdiction with similar laws, you have the right to:

• Access the data we hold about you
• Delete your data
• Opt out of analytics (see section 6) and the "sale" or "sharing" of personal information — we do not sell or share your data, but you can opt out anyway
• Port your data to another service

Email support@copysafe.app with your anonymous user ID (visible in Settings → About) and we will respond within 30 days.

10. Children's Privacy

CopySafe is rated 4+ on the App Store. We do not knowingly collect personal information from children, and we do not direct any analytics or marketing at children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be highlighted in-app via an announcement. The "Last updated" date at the top reflects the most recent change.

12. Contact

Questions about this policy? Email support@copysafe.app.