Privacy & Security
Privacy & Security
Section titled “Privacy & Security”Clipboard Recast is designed with privacy and security as top priorities. This guide explains how your data is handled and secured.
Data Storage
Section titled “Data Storage”Local Storage Only
Section titled “Local Storage Only”- All data stays on your Mac
- Settings stored in macOS UserDefaults
- No cloud sync or external storage
- No remote databases or servers
What’s Stored Locally
Section titled “What’s Stored Locally”-
Settings:
- AI provider selection
- API keys (encrypted by macOS)
- Model preferences
- Project ID (Vertex AI only)
-
Workflows:
- Workflow configurations
- Custom prompts
- Trigger conditions
- Auto-trigger preferences
-
Clipboard History (if available):
- Recent clipboard items
- Screenshot thumbnails
- Limited to last 50 items
- Automatically pruned
macOS UserDefaults Security
Section titled “macOS UserDefaults Security”- UserDefaults is encrypted by macOS at the system level
- Protected by FileVault if enabled
- Accessible only to the Clipboard Recast app
- Not synced via iCloud
API Key Security
Section titled “API Key Security”How Keys Are Protected
Section titled “How Keys Are Protected”- Stored in macOS UserDefaults (encrypted)
- Never transmitted except to your chosen AI provider
- Not logged or written to files
- Not accessible to other applications
Best Practices
Section titled “Best Practices”- Never share your API key with anyone
- Use separate keys for different applications
- Rotate keys regularly if concerned about exposure
- Set spending limits on your AI provider account
- Monitor usage in your provider’s dashboard
If Your Key Is Compromised
Section titled “If Your Key Is Compromised”- Immediately revoke the key in provider’s dashboard
- Generate a new key
- Update Clipboard Recast settings
- Review billing for unauthorized usage
Data Transmission
Section titled “Data Transmission”When Data Is Sent
Section titled “When Data Is Sent”Data leaves your Mac only when:
- You manually trigger a transformation (
Cmd+Shift+A) - Auto-trigger workflow matches clipboard content
- You explicitly request AI processing
What’s Sent
Section titled “What’s Sent”When processing:
- Clipboard content (text, code, error, or screenshot)
- Your API key (for authentication)
- Selected model name (if customized)
What’s NOT Sent
Section titled “What’s NOT Sent”- Your Mac’s file system contents
- Other clipboard history items
- User preferences or settings
- System information
- Any telemetry or analytics
Where It’s Sent
Section titled “Where It’s Sent”Data is sent directly to your chosen AI provider:
- Claude: api.anthropic.com
- OpenAI: api.openai.com
- Gemini: generativelanguage.googleapis.com
- Other providers: their respective endpoints
No intermediary servers - direct connection only.
Privacy Features
Section titled “Privacy Features”No Analytics or Telemetry
Section titled “No Analytics or Telemetry”Clipboard Recast does NOT collect:
- Usage statistics
- Feature usage data
- Error reports
- Performance metrics
- Any user behavior data
No Account Required
Section titled “No Account Required”- No Clipboard Recast account needed
- No email registration
- No user tracking
- No profile creation
No Network Activity When Idle
Section titled “No Network Activity When Idle”- App only connects to internet when processing
- No background syncing
- No update checks (manual only)
- No phone-home functionality
AI Provider Privacy
Section titled “AI Provider Privacy”What AI Providers See
Section titled “What AI Providers See”When you use Clipboard Recast, your chosen provider receives:
- The content you’re transforming
- Your API key (for billing/auth)
- Timestamp of the request
Provider Privacy Policies
Section titled “Provider Privacy Policies”Each provider has different data policies:
Claude (Anthropic):
- Claims not to train on API data
- 30-day data retention for abuse monitoring
- See: anthropic.com/privacy
OpenAI:
- Does not train on API data (by default)
- 30-day retention policy
- See: openai.com/privacy
Google (Gemini/Vertex):
- Data practices vary by service
- See: cloud.google.com/terms
Others:
- Review each provider’s privacy policy
- Understand their data retention
- Know your rights regarding your data
Opting Out of Training
Section titled “Opting Out of Training”Most providers allow opting out of data training:
- Check your API provider’s dashboard
- Look for data retention/training settings
- Enterprise plans often have stronger guarantees
Sensitive Data Handling
Section titled “Sensitive Data Handling”What NOT to Process
Section titled “What NOT to Process”Never copy and process:
- Passwords or authentication tokens
- Credit card numbers
- Social security numbers
- Private keys or certificates
- Medical records
- Personal identification documents
- Confidential business data
Auto-Trigger Caution
Section titled “Auto-Trigger Caution”Be extra careful with auto-trigger workflows:
- They send data automatically
- No confirmation before sending
- Consider disabling for sensitive work
- Use manual trigger for control
Screenshot Privacy
Section titled “Screenshot Privacy”Screenshots may contain:
- Private information visible on screen
- Notifications with personal data
- Browser tabs with sensitive sites
- Terminal commands with credentials
Recommendation: Disable screenshot auto-trigger if you handle sensitive data.
Permissions
Section titled “Permissions”Required Permissions
Section titled “Required Permissions”Accessibility:
- Purpose: Global hotkey (
Cmd+Shift+A) - Access: Keyboard event monitoring
- Scope: Only for hotkey detection
Clipboard Access:
- Purpose: Reading clipboard content
- Access: Clipboard data when triggered
- Scope: Only when actively monitoring
Optional Permissions
Section titled “Optional Permissions”Full Disk Access:
- Not required
- Not requested
- Not used
Camera/Microphone:
- Not required
- Not requested
- Not used
Security Best Practices
Section titled “Security Best Practices”For Users
Section titled “For Users”- Use strong API keys from providers
- Monitor API usage for anomalies
- Keep macOS updated for security patches
- Enable FileVault to encrypt disk
- Review permissions periodically
- Don’t share screenshots of settings with API keys visible
Compliance
Section titled “Compliance”Data Residency
Section titled “Data Residency”- All processing happens on your Mac or AI provider
- No third-party data processors
- You control geographic routing through provider choice
GDPR Considerations
Section titled “GDPR Considerations”- No personal data collected by app
- Data sent to AI provider (your choice)
- Review provider’s GDPR compliance
- You control data through API key
Enterprise Use
Section titled “Enterprise Use”For enterprise deployments:
- Use Vertex AI for Google Cloud integration
- Set up organizational API keys
- Review provider’s enterprise agreements
- Consider data residency requirements
Reporting Security Issues
Section titled “Reporting Security Issues”If you discover a security vulnerability:
- Do not open a public issue
- Email security concerns privately
- Provide details and reproduction steps
- Allow time for fix before disclosure
Next Steps
Section titled “Next Steps”- Common Issues: Troubleshooting help
- Settings: Configure securely
- AI Providers: Understand provider practices