Privacy Policy

Short version: Sudo stores your SSH credentials and keys locally on your device in the iOS Keychain. We do not collect analytics, advertise, or send your data to our servers. The only optional network activity is the AI commit-message feature, which sends your staged diff directly to the AI provider of your choice using your own API key.

1. Who we are

Sudo is an iOS application ("we", "us"). You can reach us at privacy@sudo-app.com.

2. Data stored on your device

All of the following is stored locally on your device and is never transmitted to our servers:

SSH credentials — passwords and private keys are stored in the iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly. They do not leave the device.
SSH host keys — known-host fingerprints are written to a local file in Application Support.
SSH key pairs — Ed25519, ECDSA P-256, and Secure Enclave P-256 keys are generated on-device. Secure Enclave keys are hardware-bound and cannot be exported.
Git identity — your committer name and email address are stored in iOS UserDefaults.
AI provider API keys — stored in the iOS Keychain, used only to authenticate outbound AI requests that you initiate.
App Lock PIN — stored as a PBKDF2-SHA256 hash with a random salt in the iOS Keychain. The PIN itself is never stored.
Terminal session logs — written to Application Support only when you explicitly enable logging. Shared only when you choose to share them.
Snippets and host configuration — stored in Application Support and optionally synced to your own iCloud account (see Section 5).

3. Data we do not collect

No analytics or crash reporting SDKs are included in Sudo.
We do not operate any backend servers that receive app telemetry.
We do not use advertising networks or cross-app tracking.
We do not use third-party login (no "Sign in with Google/Facebook").

4. AI commit-message feature (optional)

When you tap Suggest in the Git workflow, Sudo sends your staged diff to the AI provider you have configured (Anthropic Claude or OpenAI). This transmission goes directly from your device to the provider's API — Sudo does not proxy or log it.

Your API key is used to authenticate the request and is stored only in the iOS Keychain.
The diff may contain source code, file paths, and other data from your repositories.
Do not use this feature with code that contains secrets, credentials, or proprietary information you are not permitted to share.
Anthropic's and OpenAI's own privacy policies govern how they handle your data. Review them before enabling the feature.
Sudo shows an in-app disclosure the first time you use the feature and again in the AI settings section.

5. iCloud sync (optional)

If iCloud is enabled on your device and the Sudo iCloud container is provisioned, your host list (hosts.json) is synced to your personal iCloud account using Apple's CloudKit framework. This data goes to Apple's servers under your Apple ID — it does not go to our servers. Passwords and private keys are never included in the sync.

6. Support email

When you contact support via the Help & Feedback screen, Sudo pre-fills the email body with diagnostic information: OS version, device model, device name, and app version. You can review and edit this information before sending. The email is sent directly from your Mail app to our support address.

We use the information you send only to respond to your support request.

7. Subscriptions and purchases

In-app purchases are processed entirely by Apple's App Store. Sudo does not receive or store your payment details. We receive a StoreKit transaction receipt to verify your subscription tier.

8. Biometric authentication

App Lock can optionally use Face ID or Touch ID via iOS LocalAuthentication. Biometric data is processed entirely by iOS; Sudo does not have access to it and it never leaves the device.

9. Local network access

Sudo requests local network permission to discover SSH-capable devices on your local network via Bonjour/mDNS. This scan happens only inside the app and only when you open the device discovery screen. No discovery data leaves your device.

10. Data retention and deletion

All data is stored on your device. Deleting the app removes all app data except items stored in the iOS Keychain. To remove Keychain items, delete the app and then reset the device's Keychain, or use the in-app Settings to remove individual SSH keys and hosts before deleting.

11. Children's privacy

Sudo is not directed at children under 13. We do not knowingly collect personal information from children.

12. Changes to this policy

We may update this policy from time to time. The effective date at the top of this page will reflect when the latest version was published. Continued use of Sudo after changes constitutes acceptance of the revised policy.

13. Contact

Questions about this Privacy Policy? Email us at privacy@sudo-app.com.