Privacy & Permissions
Maekon is built on the principle that your activity stream is yours. This page documents what's captured, where it lives, what crosses the network, and how to revoke any of it.
What's captured locally
| Source | Stored where | Retention |
|---|---|---|
| Active window title + bundle ID | SQLite (events table) | 30 days, 500 MB cap |
| Screen frames | Local file storage (frames/) | 30 days, 500 MB cap |
| System metrics (CPU/memory/network) | SQLite | 30 days, 500 MB cap |
| Mouse/keyboard patterns (not keystrokes) | SQLite | 30 days |
| OCR text | SQLite (FTS5 indexed) | 30 days |
| Generated suggestions + your feedback | SQLite | indefinite (until cleared) |
Retention is enforced by `maekon-storage`'s daily cleanup loop. Manual purge: `maekon data purge --older-than 7d`.
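To make the retention rules above concrete, here is an added example (not maekon-storage's own code) of one pass of such a cleanup loop over a SQLite store: it ages out events and screen frames past 30 days, keeps suggestion/feedback rows indefinitely, and then evicts the oldest frames until the frames directory is under the size cap. The schema, the `kind` column and the `frames` index table are assumptions made for the example; the demo data is constructed.

```python
import sqlite3
import tempfile
from pathlib import Path
RETENTION_SECONDS = 30 * 24 * 3600   # 30-day retention from the table above
FRAME_CAP_BYTES = 500 * 1024 * 1024  # 500 MB cap from the table above

SCHEMA = """
CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY, ts REAL NOT NULL, kind TEXT NOT NULL, payload TEXT);
CREATE TABLE IF NOT EXISTS frames (id INTEGER PRIMARY KEY, ts REAL NOT NULL, path TEXT NOT NULL, bytes INTEGER NOT NULL);
"""  # hypothetical schema; table and column names are an assumption

def _drop_frames(conn, rows):
    """Unlink files before deleting rows, so a crash mid-way cannot leave untracked frames on disk."""
    for _, path in rows:
        Path(path).unlink(missing_ok=True)
    conn.executemany("DELETE FROM frames WHERE id = ?", [(fid,) for fid, _ in rows])
    return len(rows)

def cleanup(conn, now, max_age=RETENTION_SECONDS, cap_bytes=FRAME_CAP_BYTES):
    """One pass of the daily loop: age out events and frames, then evict the oldest frames until under the cap."""
    cutoff = now - max_age
    # Suggestions and feedback are retained indefinitely (until cleared), so age-out skips them.
    aged_events = conn.execute("DELETE FROM events WHERE ts < ? AND kind NOT IN ('suggestion', 'feedback')",
                               (cutoff,)).rowcount
    aged_frames = _drop_frames(conn, conn.execute("SELECT id, path FROM frames WHERE ts < ?", (cutoff,)).fetchall())
    total, evict = 0, []  # newest-first walk: every frame that pushes the total past the cap is evicted
    for fid, path, size in conn.execute("SELECT id, path, bytes FROM frames ORDER BY ts DESC, id DESC").fetchall():
        if (total := total + size) > cap_bytes:
            evict.append((fid, path))
    capped_frames = _drop_frames(conn, evict)
    conn.commit()
    return {"aged_events": aged_events, "aged_frames": aged_frames, "capped_frames": capped_frames}

def demo(cap_bytes=1000):
    """Constructed data: one stale window event, one stale feedback row, four 400-byte frames, a 1000-byte cap."""
    conn, day, now = sqlite3.connect(":memory:"), 24 * 3600, 1_700_000_000.0
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO events (ts, kind, payload) VALUES (?, ?, ?)", [
        (now - 40 * day, "window", "stale title"),   # past 30 days -> removed
        (now - 40 * day, "feedback", "thumbs-up"),   # past 30 days but retained
        (now - 1 * day, "window", "recent title")])  # inside retention
    frames_dir = Path(tempfile.mkdtemp(prefix="maekon-frames-"))
    for i, age_days in enumerate((45, 3, 2, 1)):    # frame0 is past retention; the cap then evicts frame1
        p = frames_dir / f"frame{i}.png"
        p.write_bytes(b"\0" * 400)
        conn.execute("INSERT INTO frames (ts, path, bytes) VALUES (?, ?, ?)", (now - age_days * day, str(p), 400))
    report = cleanup(conn, now, cap_bytes=cap_bytes)
    report["events_left"] = conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    report["frames_left"] = sorted(p.name for p in frames_dir.iterdir())
    return report
```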
What leaves the device by default
By default, Maekon sends:
- Authentication — JWT token to `api_url` for login/refresh
- Suggestion subscriptions — gRPC stream listening for server pushes (your context stays local; only feedback flows back)
- Telemetry — only if enabled (see below)
Maekon does not send by default:
- ❌ Raw screen frames or OCR content
- ❌ Window titles or app names
- ❌ Keystrokes or input patterns
- ❌ File paths or filesystem listings
- ❌ Network traffic metadata
If you opt into the server-backed knowledge graph (Settings → Sync → Server-side context), the redacted activity timeline is uploaded with the same PII filter applied.
Telemetry
Telemetry is off by default and gated by explicit consent (`privacy.consent_record`, GDPR Article 17/20 compliant). When enabled it sends:
- Crash dumps (if `error_report.crash_capture` is on)
- App version + OS + commit SHA (anonymous build identifier — no machine fingerprint)
- Aggregate feature-usage counters (which UI panels you opened, not what's in them)
Disable: Settings → Privacy → Telemetry → Off. The `ConsentManager` revokes immediately and no further events leave the device.
Permissions Maekon requests
| Permission | Required for | Revocable |
|---|---|---|
| Screen Recording (macOS) | Screen capture | System Preferences → Privacy & Security |
| Accessibility (macOS) | Active window detection, AX tree | System Preferences → Privacy & Security |
| Input Monitoring (macOS) | Mouse/keyboard pattern tracking | Optional — features degrade if denied |
| UI Automation (Windows) | Active window + UIA element tree | Default-granted; no system UI |
| X11 / Wayland (Linux) | Window detection | Always on; Wayland falls back to XWayland |
| Notifications | Tray + desktop alerts | OS-level toggles |
Revoking any permission does not break Maekon — the corresponding feature simply degrades. For example, revoking Screen Recording disables capture, but the timeline and system metrics keep working.
Sandboxing
All automation actions execute in `maekon-sandbox-worker` — a separate process with platform-level isolation:
- Windows — Job Object with `JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE`
- Linux — seccomp filter + Landlock LSM (denies syscalls outside the profile)
- macOS — App Sandbox profile
If the worker crashes or violates the profile, the parent process is unaffected.
Right-to-deletion
GDPR Article 17 ("right to erasure") is implemented end-to-end:
```bash
# Erase all local data
maekon data wipe --confirm
# Delete server-side state (if you're using a server)
maekon account delete --confirm
```
Both commands trigger an audit event (`compliance.data_erasure_requested`) before deletion so the record is preserved for legal hold purposes.
See also
- Security Policy (`SECURITY.md`) — vulnerability disclosure
- Maekon Privacy Policy (`maekon.dev/privacy`) — legal-grade summary