Summary
The short version, in plain language:
- There is no Control Center server. We do not operate a backend that collects, stores, or syncs your data. The app keeps your data on your device.
- Your data is stored locally. Workspaces, agents, conversations, tickets, memory, code indexes, and meeting notes are kept in a local database and files on your machine.
- Some features talk to services you connect. When you link GitHub, Linear, Google Calendar, or an AI coding agent, the relevant data is sent to those providers to make the feature work. They process it under their own privacy policies.
- Your code can be sent to an AI provider. If you run an agent with the Claude Code adapter, your prompts and the code, diffs, tickets, and context the agent reads are sent to Anthropic for processing under your own Claude Code subscription.
- Crash reports are sent in production — and you can turn them off. Released builds send crash, error, performance, and session-replay diagnostics to Sentry; you can disable this during onboarding or in Settings → Privacy. See Diagnostics and crash reporting for exactly what this includes.
Who this covers
This policy describes how the Control Center desktop application (the "app") handles information. In this document, "we", "us", and "Control Center" refer to the maintainers of Control Center, and "you" refers to the person using the app.
This policy covers the app itself and this documentation website. It does not cover the third-party services you choose to connect (such as GitHub, Linear, Google, or Anthropic) — each of those is governed by its own privacy policy and terms, which you should review.
Data stored on your device
Almost everything the app works with is stored locally on your computer — typically under your operating system's application-support directory. This includes:
- Workspaces, agents, and skills — workspace configuration, agent definitions (including personas and instructions), and skill definitions.
- Conversations and messages — channel and direct messages between you and your agents, including searchable embeddings generated from them.
- Memory and knowledge — memory facts, domain knowledge, and workspace policies, with vector embeddings used for semantic search.
- Code indexes and repositories — a code graph (symbols, relationships, and file metadata) built from repositories you index, and isolated copy-on-write working copies of your repositories created for each conversation or task.
- Agent run logs — execution traces of agent runs, including reasoning, commands, and outputs.
- Tickets, pull requests, and reviews — work items, pull-request metadata mirrored from GitHub for offline use, and your draft review comments.
- Pipelines — pipeline templates, run state, trigger events, and error traces.
- Meeting notes — transcripts, summaries, decisions, action items, and (optionally) raw audio. See Meeting capture and transcription.
- Calendar data — calendar account metadata and cached event details from connected Google accounts.
- Newsfeed — your RSS/Atom subscriptions and cached article content.
- Activity and analytics — a local activity log and in-app analytics such as agent performance, streaks, and achievements. These are computed and stored on your device and are not uploaded.
- Preferences — non-sensitive settings such as theme, notification, sandbox, and log-level preferences.
A note on encryption at rest. Credentials (see Connected services) are stored in your operating system's secure keychain. The remainder of the local data above — the database, run logs, agent and skill files, meeting audio, and indexed repository copies — is stored unencrypted on disk. It is protected by your operating system's user account and file permissions, not by application-level encryption. Anyone with access to your device or disk could read it, so we recommend full-disk encryption (such as FileVault or BitLocker) on the machine where you run Control Center.
What we don't collect
Because Control Center is local-first, several things you might expect from a typical cloud product simply do not happen:
- We do not run a server that receives or stores your workspaces, code, conversations, or notes.
- There is no account to create with us, and no automatic cloud sync, backup, or export of your data to us.
- We do not use product-analytics or marketing-tracking SDKs (such as Google Analytics, Mixpanel, Amplitude, Segment, or PostHog) in the app.
- The app does not capture your screen, record video, or access your contacts or address book.
- The app does not scan your filesystem broadly — its file access is scoped to its own application directories and the repositories you explicitly add.
The exceptions to "stays local" are the connected services, AI processing, and crash diagnostics described in the sections below. Those are the only paths by which data leaves your device.
Connected services
The app only contacts a third-party service when a feature you use requires it. You authenticate with each service using your own credentials, which are stored in your operating system's secure keychain (macOS Keychain, Windows Credential Manager, or the Linux secret service) — never on a server of ours. What is shared with each service:
GitHub
Used for pull-request and repository features. The app sends repository names, pull-request numbers, file diffs, commit and review data, and requests for user-profile details (including contribution history). Authentication uses a personal access token or a token from the gh CLI, sent to GitHub's API.
Google Calendar
Used for the calendar feature. With your consent through Google's OAuth flow, the app reads your calendar list and event details (titles, times, attendees, recurrence) and can write your RSVP responses. It requests the calendar.readonly and calendar.events scopes plus your account email and profile to identify the account. Access is per-workspace and can be revoked at any time from your Google account settings.
Linear
Used for the ticketing integration. The app sends issue data — title, description, team, priority, assignee, labels, and state changes — to Linear's API, authenticated with a Linear API key you provide.
Newsfeed and other requests
The newsfeed fetches the RSS/Atom feed URLs you subscribe to (only the feed URL is contacted; no personal data is sent) and downloads public ad-blocking filter lists used to strip trackers from feed content. The GIF picker used in pull-request reactions sends your search terms to a third-party GIF service using a shared application key that is not tied to your identity.
AI agents and your code
Control Center dispatches AI coding agents. What leaves your device depends entirely on which agent adapter you choose:
- Local adapter (default). The default agent adapter runs as a sandboxed process on your own machine and does not send your data to any external AI provider.
- Claude Code adapter. If you select the Claude Code adapter, the agent communicates with Anthropic's API (api.anthropic.com). The app routes this traffic through a local loopback relay and authenticates using your own Claude Code subscription — the app does not store or manage an Anthropic API key on your behalf.
When the Claude Code adapter is used, the data sent to Anthropic for processing can include: your prompts; the agent's composed context (its identity, system prompt, persona, skills, and the active workspace policies and memory notes); recent conversation history and summaries; and the source code, pull-request diffs, ticket text, and other content the agent reads. The agent retrieves code, diffs, and tickets on demand through its tools rather than sending your whole repository, but you should assume that any code or content an agent works on may be transmitted to the provider. Anthropic processes this data under its own terms and privacy policy.
Diff-sharing control. The app includes a privacy preference that, when turned off, excludes raw pull-request diff content from review prompts so that only structured metadata is sent to the model. This setting affects review-mode prompts; it does not disable other transmissions described in this policy.
We do not integrate any other AI model provider, such as OpenAI or Google Gemini.
Meeting capture and transcription
The optional meeting-notes feature records and transcribes meetings. Because this involves audio, we describe it in detail:
- Audio capture. When you start a recording, the app captures your microphone and, where supported, the system/loopback audio of remote participants. This requires the relevant operating-system permissions (for example, microphone and audio-capture permission on macOS), which you grant explicitly.
- On-device transcription. Speech-to-text transcription runs entirely on your device using a bundled local model. Raw audio is never sent to any server.
- Raw audio retention is opt-in. Raw audio is only saved to disk if you install the optional speaker-diarization models; otherwise it is processed in memory and not retained. Any retained audio is stored unencrypted in the app's directory.
- Transcript text and summaries. The transcript text, summaries, decisions, and action items are stored locally. If you use an AI agent (such as the Claude Code adapter) to summarize or enhance a meeting, the transcript text — the words spoken — is sent to that AI provider for processing, even though the raw audio is not.
You are responsible for obtaining any consent required by the people you record under the laws that apply to you.
Diagnostics and crash reporting
To find and fix crashes and errors, released (production) builds of the app send diagnostic data to Sentry, an error-monitoring service, at a data center in Germany. This is the only telemetry the app sends. Please read this section carefully:
- When it runs. Diagnostics are sent only in released production builds. Local development and debug builds send nothing.
- You can turn it off. Diagnostics are on by default, but you can disable them during onboarding or at any time in Settings → Privacy. Turning them off stops further reporting (a restart fully applies the change). The diff-sharing preference described above is a separate control and does not affect diagnostics.
- What is sent. Crash and error reports; application logs and activity breadcrumbs (a trail of the recent actions in the app leading up to an event); your IP address and HTTP request metadata (such as your platform and user-agent); performance traces and profiles, captured for 100% of sessions; and session-replay recordings that capture interface interactions and on-screen content for 10% of all sessions and 100% of sessions in which an error occurs.
Sentry processes this data on our behalf to provide error monitoring. Because session replay and logs can incidentally capture content visible in the app, we keep this data only as long as needed for debugging, and we recommend disabling diagnostics if you routinely work with sensitive material. If you have questions or want a diagnostic record removed, contact us.
How your data is protected
- Credentials in the keychain. API tokens and OAuth credentials are stored in your operating system's keychain (macOS login keychain, Windows Credential Manager, or the Linux secret service) — the only data the app encrypts at rest. On macOS this is the login keychain, which is accessible while you are signed in to your account; we recommend full-disk encryption to protect it against physical access to your device.
- Local-only servers. The built-in agent-tooling server and the AI relay bind to your loopback interface (127.0.0.1) and are not exposed to the internet.
- Sandboxed agents. Agents run in operating-system sandboxes, with credentials passed through scoped environment variables rather than embedded in prompts.
- Workspace isolation. Data is partitioned by workspace as a hard design boundary, so one workspace's data does not surface in another.
- OAuth best practice. Google sign-in uses an industry-standard OAuth flow with a public client and cross-site-request-forgery protection; the AI relay forwards your provider token without storing it.
- Transport security. Network requests to third-party services use HTTPS, and authentication headers are never written to logs.
As noted above, the local database and files (other than keychain-stored secrets) are not encrypted by the app. Securing the device itself — with full-disk encryption, a strong account password, and timely deletion of data you no longer need — is an important part of protecting this data.
Retention and deletion
Because your data lives on your device, you control retention. Conversations, run logs, transcripts, memory, code indexes, and other data persist locally until you delete them or remove the app's data. Isolated repository working copies created for a conversation or task are automatically garbage-collected when that unit ends.
Deleting data through the app removes it from the active database and files, but, like any deletion, the underlying disk blocks may remain recoverable until overwritten by your operating system. Diagnostic data sent to Sentry is retained according to Sentry's retention settings and deleted thereafter.
Your choices and rights
You have meaningful, direct control over your information:
- Choose what leaves your device. Using the local agent adapter, leaving integrations disconnected, turning off diff sharing, and disabling diagnostics all reduce what is transmitted.
- Disconnect services. You can remove stored credentials and revoke access from each provider's account settings (for example, revoking the app's access in your GitHub, Google, or Linear account).
- Access and delete. Your data is in files and a local database you own; you can inspect, export, or delete it directly, and removing the app's data directory erases its local storage.
Depending on where you live, you may have rights under laws such as the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR) — including rights to access, correct, delete, or restrict the processing of your personal data, and to object to processing. For data the app holds on your device, you can exercise these directly. For data shared with a connected service or with Sentry, you can exercise your rights with that provider, or contact us and we will help where we can. You also have the right to lodge a complaint with your local data-protection authority.
Children
Control Center is a professional developer tool intended for adults. It is not directed to children, and we do not knowingly process the personal data of children. If you believe a child has used the app in a way that raises a concern, please contact us.
Changes to this policy
We may update this policy as the app evolves — for example, when we add an integration or change how diagnostics work. When we make material changes, we will update the "Last updated" date above and reflect the changes here. Significant changes may also be noted in the app's changelog. Your continued use of the app after an update means you accept the revised policy.
Contact
Questions, concerns, or privacy requests? The best way to reach the maintainers is through the project's GitHub repository — open an issue at github.com/SamuelAlev/control-center/issues. For requests that involve personal information you would rather not post publicly, mention that in the issue and we will arrange a private channel.