Privacy Policy
Your terminal stays yours.
Termio's relay holds a small, bounded in-memory cache of recent terminal snapshots for live streaming. It is not written to disk and is dropped when your iOS app disconnects. Other content (Agent Inbox messages, session board summaries) IS persisted on the relay; the table below lists exactly what and where, and how to wipe it.
Last updated: June 2026
What we store
Server side — account, routing metadata, and platform notifications
- users row: id, username, email (optional), display_name (optional), password_hash (scrypt), password_hint (optional), created_at.
- daemons row: id, user_id, daemon_token (hashed), machine_name, paired_at, last_seen_at, revoked_at.
- pair_tokens row: 5-minute single-use tokens minted at pairing. Deleted on consumption or expiry.
- invites row: 6-char codes, single-use, with optional expiry.
- Platform notifications: Announcements, product updates, and billing notices we send you. Non-sensitive content authored by us. Never your conversation content.
- Auth-event audit log: timestamps, source IPs, action types (login.success, login.fail, register, pair.complete, daemon.connect, daemon.disconnect). No message bodies, no command text, no pane content.
Server side — ephemeral, RAM only
For reconnection robustness the relay holds a short-lived in-memory buffer per pane: about 10 minutes OR 1 MB per pane, whichever comes first. Lives in process memory only — never written to disk, never replicated, never backed up. Dropped the moment your Mac daemon disconnects. Note: this covers the live terminal snapshot stream specifically; other content (Agent Inbox messages, session board summaries) IS persisted on the relay.
Mac side (your daemon)
~/.termio/daemon/.env— RELAY_URL + DAEMON_TOKEN (long-lived pairing credential). File mode 0600.~/.termio/messages.sqlite— local message history, owner-only (0600). Bounded by 100 MB OR 30 days; oldest rows are dropped, then VACUUM reclaims space./tmp/termio-audit.log— metadata-only daemon audit log: per request, the ts, reqId, paneId, textLen, action, and target. Rotates at 10 MB; one previous file kept.
iOS side (your phone)
- Warm message cache (SQLite): per-device scrollback under the app sandbox at
Library/Application Support/termio/messages.sqlite. - Auth state: JWT in the iOS Keychain. Encrypted at rest, protected by device passcode / Face ID / Touch ID.
- Preferences: pane MRU order, dismissed suggestion hashes, live-card display state. No message content.
What we do not store
- ✗Server: no message content, ever. No tmux output, no pane buffers, no user prompts, no assistant responses. The relay routes; it does not log what was sent.
- ✗Audit log content body. Both the server-side auth audit log and the daemon-side log record textLen (a number), never text.
- ✗Backups of your messages.The relay's in-memory replay buffer is the only server-side store of anything resembling pane content, and it evaporates on disconnect. No nightly dump, no S3, no cron-rsync.
- ✗Cross-device telemetry. No analytics SDK, no crash reporter feeding a third party, no usage pings. Debug logs you generate stay on your device unless you choose to share them.
Where your data lives
| Data | Location | Who can read it |
|---|---|---|
| Account row | Relay box, MySQL | Operator (you) |
| Platform notifications | Relay box, file-backed per user | Operator + you |
| Daemon token | Mac ~/.termio/daemon/.env (0600) | Your macOS user |
| Pair token | Relay memory + DB, 5 min TTL | Operator |
| Message history | Mac ~/.termio/messages.sqlite | Your macOS user |
| iOS warm cache | iOS app sandbox (encrypted by iOS) | Your phone, when unlocked |
| JWT | iOS Keychain | Your phone, when unlocked |
| Replay buffer | Relay process RAM | Operator (in process) |
| Audit log | Mac /tmp/termio-audit.log | Your macOS user |
How to delete your data
iOS: Settings → Sign Out wipes the local message cache, JWT, pane MRU, and preferences on this device.
Mac daemon: Stop the daemon, then rm -rf ~/.termio/ removes all local state including the message history and daemon token.
Account: Email [email protected] to request account deletion. The server-side account row, daemon rows, and invite records will be purged within 7 days.
Contact
Privacy questions or data-deletion requests: [email protected]