Privacy
Last updated 2026-04-28. Plain-English summary first.
Short version
- Your code never leaves your laptop. Compression runs locally. No prompts, source, or traces are uploaded.
- The binary makes four small HTTP calls: install pixel, first-run beacon, session heartbeat, idle heartbeat. None carry prompt content.
- We see aggregate numbers (tokens saved, session count), not what was in the session.
- No third-party ad trackers. The public website uses Google Analytics for aggregate page and interaction analytics, without source, prompts, license IDs, form contents, or email addresses.
What we collect, and why
1. Install pixel
Fired by install.sh after install. Opt out: TETRIS_NO_PIXEL=1.
| Field | Example | Why |
|---|---|---|
| triple | aarch64-apple-darwin | binary demand |
| version | v0.1.2 | adoption curve |
| build_id | hash | artifact integrity |
2. First-run beacon
Once per install.
| Field | Example | Why |
|---|---|---|
| install_id | UUID v4 | de-dupe installs |
| machine_id_hash | HMAC(salt, host-id) | per-plan device count |
| platform | darwin/arm64 | release QA |
| binary_version | v0.1.2 | adoption |
machine_id_hash is a one-way HMAC with a per-install random salt. Not reversible to your hostname or MAC.
3. Session heartbeat
After each compression session.
| Field | Example |
|---|---|
| install_id | UUID |
| jti | license token ID |
| tokens_before / tokens_after | 41822 / 5119 |
| strategy_chain | [safety_mask, ast_pack, rome_prune, …] |
| model_id | claude-opus-4-7 |
| latency_ms | 142 |
We do not receive prompts, responses, file paths, project names, tool args, tool results, or node contents. Only the numeric counters + strategy chain.
4. Idle heartbeat
Once per day. Updates last_seen_at. Returns license freshness + CRL status.
What we do not collect
- Prompts, chats, file contents.
- File paths (absolute or relative).
- Repository names, git remotes, branches.
- Tool args or tool results.
- IP: used for TLS + rate limiting, not stored past 24 hours.
- Any third-party advertising trackers.
What runs in the browser
The public site loads Google Analytics through Google tag to count page views and aggregate interactions such as install clicks, copy-command clicks, outbound links, form-submit intent, scroll depth, and section views. We do not send prompt content, source code, file paths, license IDs, install IDs, form contents, email addresses, account identifiers, or device identifiers to Google Analytics.
The site also fetches aggregate community stats from our own endpoint. That counter returns public totals only and does not identify a browser.
Retention
- Install + heartbeat rows: 24 months, then aggregated + deleted.
- Session rows (numeric only): 24 months.
- Raw HTTP logs: 7 days.
- Your local ~/.tetris/savings.log is yours. Never uploaded.
Opt-outs
- Install pixel: TETRIS_NO_PIXEL=1.
- Telemetry: tetris config set telemetry.enabled false.
- Enterprise air-gap builds ship with telemetry compiled out.
Your rights
GDPR / CCPA: email privacy@tetris.codes with your install_id (tetris config show install_id). We export or delete within 30 days.
Sub-processors
We use audited infrastructure providers for hosting, authentication, transactional email, and payments. We do not publish an architecture map in this public policy. Customers who need a vendor list for security review can request it from privacy@tetris.codes.