Privacy Policy
How RootShield handles your data (short answer: it stays on your Mac).
Effective: April 2026 · Last updated: April 6, 2026
The short version
RootShield is an offline macOS application. Your data never leaves your machine. We have no servers that receive your information, no analytics dashboards tracking your behavior, and no way to see what you scan. This is by design, not by accident.
- No accounts, no login, no authentication
- No telemetry, no analytics, no crash reporting
- No advertising identifiers or tracking of any kind
- Secret values are never stored — only key names and file locations
- All scan data stays in a local SQLite database on your Mac
1. What Data We Collect
RootShield does not collect personal data. The app runs entirely on your Mac and processes information locally. Here is a complete accounting of what the app reads and stores:
| Data Type | Collected? | Details |
|---|---|---|
| AI agent config files | Local only | Read from folders you explicitly grant access to. Config structure is analyzed but never transmitted. |
| Secret key names | Local only | Key names (e.g., OPENAI_API_KEY) and their file paths are stored locally. Secret values are never read, stored, or logged. |
| MCP server names | Local only | Names of configured MCP servers are stored locally. Server names (not your data) may be sent to the MCP Registry API for verification. See Section 4. |
| Scan results & findings | Local only | Stored in a SQLite database at ~/Library/Application Support/RootShield/. |
| Preferences | Local only | Appearance settings, filter states, and dismissed hints stored in UserDefaults on your Mac. |
| Personal information | None | No name, email, IP address, device identifier, or location is collected. |
| Usage analytics | None | No page views, click tracking, session recording, or behavioral analytics of any kind. |
| Crash reports | None | No crash data is sent to us. If you opt in to Apple's crash reporting in System Settings, Apple may collect standard crash logs under their own privacy policy. |
| Advertising / IDFA | None | No advertising identifiers, no IDFA, no fingerprinting, no tracking pixels. |
2. How We Handle Secrets
RootShield is a security tool that maps where your secrets are exposed. We take extra care with this responsibility:
- Secret values are never read or stored. The scanner identifies that a key named OPENAI_API_KEY exists at a specific file path and line number. It does not read, parse, or retain the key's actual value.
- No secret data is transmitted. Since RootShield operates offline, secret metadata never leaves your machine.
- Scan results reference key names only. Findings in the UI and in exports reference the key name and file location, never the secret itself.
3. Local Storage
RootShield stores data in the following locations on your Mac. All of these are standard macOS application storage paths and remain entirely under your control.
- SQLite database — ~/Library/Application Support/RootShield/ — Contains scan history, baselines, and bookmarks.
- UserDefaults — Standard macOS preferences storage — Contains appearance settings, filter states, and UI preferences.
- Security-scoped bookmarks — Stored by macOS to remember folders you granted access to via the system file picker (NSOpenPanel). You can revoke access at any time by removing bookmarks in the app.
- App Group container — group.com.rootshield.shared — Used to share minimal posture data (score, grade, finding counts) with the optional macOS widget. This data never leaves your device.
You can delete all RootShield data at any time by removing the app and its associated folders. No data persists on any external server because no data is ever sent to one.
4. Third-Party Services
RootShield integrates with exactly two third-party services:
Apple StoreKit 2 (Subscriptions)
If you purchase a Pro or Team subscription, the transaction is handled entirely by Apple through StoreKit 2. RootShield does not process, store, or have access to your payment information, Apple ID, or billing details. Apple's handling of this data is governed by Apple's Privacy Policy.
MCP Registry API
During a scan, RootShield may query the public MCP Registry API (registry.modelcontextprotocol.io) to verify whether detected MCP servers are known and recognized. These queries contain only the MCP server name — no user data, file paths, secret names, or machine identifiers are included. This is the only network request the app makes.
If you prefer fully offline operation, scans will still complete successfully without this lookup; servers will simply be classified with reduced trust information.
5. Folder Access Permissions
RootShield requires read access to AI agent configuration directories to perform scans. This access is granted explicitly by you through the macOS system file picker (NSOpenPanel) and stored as security-scoped bookmarks.
- Access is read-only. RootShield never writes to, modifies, or deletes your files.
- You choose exactly which folders to grant access to.
- You can revoke access at any time from within the app.
- On the App Store version, all file access is governed by macOS App Sandbox restrictions.
6. Notifications
RootShield uses local macOS notifications (via UNUserNotificationCenter) to alert you about monitoring events and scan results. These notifications are generated and delivered entirely on your device. No push notification infrastructure or external notification service is used.
7. Children's Privacy
RootShield does not collect personal information from any user, regardless of age. Since no personal data is collected, stored, or transmitted, there is no data collected from children under 13 (or any other age threshold under COPPA, GDPR-K, or equivalent regulations).
8. Data Sharing and Transfers
We do not share, sell, rent, or transfer your data to any third party. There is no data to share. RootShield has no server infrastructure that receives user information, no database of user records, and no data pipeline of any kind.
The only outbound network requests are MCP Registry API lookups (containing only server names, as described in Section 4) and Apple StoreKit transaction verification (handled entirely by Apple).
9. Data Retention
All data generated by RootShield is stored locally on your Mac and retained until you choose to delete it. You are in full control:
- Delete individual scan snapshots from within the app.
- Remove the app and its data directories to erase everything.
- There is no remote retention because there is no remote storage.
10. Security
RootShield is designed with a security-first architecture:
- App Sandbox — The Mac App Store version runs in Apple's App Sandbox with minimal entitlements (read-only file access, app-scoped bookmarks, outbound network for StoreKit and MCP Registry only).
- Hardened Runtime — Code signing with hardened runtime enabled, preventing code injection and unauthorized library loading.
- No remote attack surface — With no server component receiving user data, there is no remote infrastructure to compromise.
- Notarized — The direct download version is notarized by Apple, verifying it has been checked for malicious content.
11. Changes to This Policy
If we make material changes to this privacy policy, we will update the "Last updated" date at the top of this page and, where practical, notify users through the app. Our commitment to offline-first, no-collection architecture is foundational to RootShield and is not something we intend to change.
12. Your Rights
Under GDPR, CCPA, and other privacy regulations, you have the right to access, correct, delete, and port your personal data. Because RootShield does not collect or store personal data on any server, these rights are inherently satisfied — your data is already entirely in your possession, on your machine, under your control.
If you have any questions about your data or this policy, we are happy to help.
13. Contact
If you have questions or concerns about this privacy policy or RootShield's data practices, contact us at:
Email: matt@rootshield.ai
Website: rootshield.ai