// privacy

Privacy Policy

ccmux runs on your own hardware, talks to your own daemon over your own Tailnet, and stores everything locally on your device. We don't operate a backend, we don't have an account system, and we don't collect telemetry. This page explains the details.

Last updated: 2026-05-26

// the short version

No accounts, no servers. The ccmux mobile app connects directly to a ccmux daemon running on your own machine, over your own Tailscale network. We never see your data because there is no “we” in the network path.
No analytics, no crash reporters, no ads. The app ships with no third-party telemetry SDK.
Everything sensitive stays on-device. Pairing secrets and SSH keys live in the Android Keystore, gated by your device unlock or biometric.
QR pairing is on-device. Camera frames are scanned locally by Google ML Kit's on-device barcode model; no images leave the phone.

// what data the app handles

Paired host info Hostname, daemon base URL (a Tailnet address), and a per-host pairing secret you accepted during QR pairing. Stored locally; used to authenticate every request to your daemon. SSH key material If you generate or import an SSH key for daemon authentication, the private key is stored in the Android Keystore (hardware-backed where available) and never leaves the device. We don't have any mechanism to read it. Session state Names, projects, and statuses of your Claude/Codex sessions are fetched live from your daemon. They are rendered in the UI but never persisted off-device by the app. Camera frames Used only while the QR pairing screen is open. Frames are processed in-memory by ML Kit's on-device barcode scanner and discarded; nothing is recorded, saved, or transmitted. Notifications When a session needs input, the app posts an Android notification locally. The trigger is your own daemon pushing the event to the app over your Tailnet.

// permissions and why

INTERNET
ACCESS_NETWORK_STATE HTTP and WebSocket connections to your ccmux daemon over Tailscale. The app does not make outbound requests to any other host. CAMERA Scan the QR code your daemon prints during pairing. Camera access is requested at runtime and only while the pairing screen is open. POST_NOTIFICATIONS Deliver alerts when a Claude or Codex session you own enters a needs_input state. Requested at runtime; you can revoke at any time from system settings. FOREGROUND_SERVICE
FOREGROUND_SERVICE_DATA_SYNC Keep the connection to your daemon alive in the background so notifications arrive in real time. The service is opt-out from in-app Settings and shows a persistent “ccmux is watching your sessions” status notification while running. USE_BIOMETRIC Unlock the SSH private key stored in the Android Keystore before signing daemon requests. The biometric check is handled by the Android system; the app never sees fingerprint or face data.

// where your data goes

Out of the device: only to the ccmux daemon you paired with, at the Tailnet IP address you entered or scanned. Tailscale's WireGuard tunnel handles transport security. The app does not send data to ccmux.ai, to skz.dev, to any analytics endpoint, or to any third party.

Off the device, otherwise: nowhere.

// third-party components

The app statically links a small set of Google libraries. None of them transmit your data to Google or anyone else under ccmux's configuration:

Google ML Kit (barcode) On-device barcode scanning for QR pairing. The on-device model runs entirely locally; no images or scan results are sent to Google. AndroidX CameraX Google's camera abstraction layer. Frames stay in-process. Google Play Services Base Required transitively by ML Kit. No telemetry is initialized by ccmux.

If a future ccmux release adds Firebase Cloud Messaging (for push delivery of needs_input alerts), this policy will be updated before the feature ships, and the data sent (an opaque device token, an event payload describing which of your sessions changed state) will be enumerated here.

// children

ccmux is a developer tool. It is not directed at children under 13 and does not knowingly collect data from them. If you believe a child has somehow ended up using the app, there is no account to delete — uninstalling the app removes all stored data.

// removing your data

Uninstall the app. Because ccmux stores everything in the app's private data directory and the Android Keystore, uninstalling removes paired hosts, SSH keys, and any cached session metadata. To revoke the daemon's trust in a previously-paired device, remove the device from ~/.config/ccmux/pairings on the host (see the daemon docs).

// changes

Material changes to this policy will be announced on github.com/skzv/ccmux in release notes. The “last updated” date at the top of this page reflects the most recent revision.

// contact

Questions, concerns, or vulnerability reports: me@skz.dev.