Privacy Policy
Last updated: May 29, 2026
Data controller: Rockxy project
English review copy. Local translation pending.
Rockxy is a local-first macOS developer tool for inspecting and debugging HTTP, HTTPS, WebSocket, and GraphQL-over-HTTP traffic. Privacy matters because Rockxy can show you sensitive local traffic: headers, cookies, tokens, and payloads from apps you choose to debug. This policy separates captured proxy traffic, optional diagnostics, license activation, website data, and support/export flows.
The short version
- Captured traffic stays local. Rockxy does not collect request or response bodies, URLs, headers, cookies, tokens, API secrets, WebSocket messages, GraphQL payloads, or decrypted TLS traffic.
- Diagnostics are optional. Product analytics, crash/error reports, and diagnostic logs are off by default. You can choose during first run and change your choice in Settings > Privacy.
- Licensing is separate. Paid-license activation and entitlement checks use Rockxy backend/license systems and the configured payment/license processor. Turning off analytics does not disable license validation required for paid features.
1. Desktop App: Data We Do NOT Collect
The Rockxy macOS app does not collect, transmit, or sell:
- HTTP/HTTPS request or response bodies
- URLs, hosts, domains, headers, cookies, authorization headers, tokens, query strings, payloads, WebSocket messages, GraphQL payloads, or API secrets from captured traffic
- Decrypted TLS traffic
- User files, Desktop/Downloads/Documents contents, keychain contents, browser history, contacts, photos, or unrelated device data
- Root certificate private keys
- Payment card or bank details directly inside macOS app telemetry
- License keys or email addresses through analytics events
- Personally identifying analytics profiles
Captured traffic stays on your Mac unless you explicitly export it, share it, or use a feature that clearly tells you it will upload/share data.
2. Local Proxy and Certificate
Rockxy works by running a local debugging proxy on your Mac. HTTPS inspection uses a local root certificate only after you choose to install and trust it.
- Rockxy may generate and install a local root certificate after you choose to trust it in macOS.
- The certificate and key material are generated and stored locally.
- Rockxy does not upload the root certificate private key.
- Traffic capture is performed for local debugging.
- Rockxy analytics and diagnostics must not include captured request/response content.
Local capture history, transaction metadata, and large response body files stay in Rockxy's local Application Support storage until you delete them or remove the app data. Exact paths can vary by build identity and are shown in the app's Settings > Privacy screen.
3. Optional Diagnostics and Analytics
Data We May Collect With Consent
Telemetry is off by default. On first run, Rockxy asks whether to keep diagnostics off or share diagnostics. You can change the choice anytime in Settings > Privacy.
When you enable diagnostics, the app uses direct SDK observability: TelemetryDeck for anonymous product analytics, and Sentry for crash reports, non-fatal errors, diagnostic logs, and diagnostic/performance spans. Rockxy backend/license service is used for license state, not as the app telemetry destination described here.
The three controls are independent:
- Product analytics
- Crash and error reports
- Diagnostic logs
Product analytics via TelemetryDeck
If Product analytics is enabled, Rockxy may send anonymous and sanitized product metrics through TelemetryDeck, such as:
- App version, build number, and release channel
- macOS version
- Platform/device family and CPU architecture
- Anonymous installation, session, and event identifiers
- Feature usage counts or events
- Acquisition/source/channel if available in a non-identifying form
- Activation milestones, setup completion, result, and duration
- Retention/session heartbeat style usage
- License state or tier category, for example free/pro/enterprise/active/expired, but not the raw license key or buyer email
- Locale language/region
- Accessibility feature state in aggregate or sanitized form
- Error category or safe code only when routed as analytics
Crash, error, log, and span diagnostics via Sentry
If Crash/errors or Diagnostic logs is enabled, Rockxy may send sanitized diagnostics through Sentry, such as:
- Crash report metadata
- Non-fatal error type, safe error message, and stack trace where applicable
- App version/build/environment
- OS version and device architecture
- Sanitized diagnostic logs if you enable diagnostic logs
- Sanitized performance/diagnostic spans
- Anonymous session and event identifiers
These diagnostics are intended to improve stability, performance, and product quality. They are not used to reconstruct captured network traffic.
4. License Activation
License activation is separate from optional analytics and diagnostics. The macOS app may contact Rockxy backend/license systems to activate, validate, deactivate, and manage paid-license/device entitlement state.
Rockxy backend/license systems may process data required for paid licenses, such as:
- Email address or account identifier, if required by the license flow
- License key or license identifier
- Device/license activation identifier
- Subscription/license status
- Plan/tier/entitlement state
- Purchase/receipt metadata as provided by the payment/license processor
License activation data is separate from optional product analytics. Turning off analytics does not necessarily disable license validation required for paid features.
Current Rockxy Web and backend configuration uses Lemon Squeezy for hosted checkout, payment processing, tax/receipt handling, webhooks, and license-provider flows. Rockxy does not receive full card numbers or bank account details from the checkout provider.
5. Support, Export, and Sharing
If you export a session, share logs, attach diagnostics to support, or use a future cloud/team feature, you choose what to share.
- Exported sessions may contain sensitive traffic depending on what you select.
- Review exported sessions, shared logs, and support attachments before sending them.
- Where Rockxy offers sanitized diagnostics, treat that as a one-time choice for that support/export flow.
If you email [email protected] or open a GitHub issue, the message and email/handle used to send it are kept for support-history purposes. We do not use support messages for marketing.
6. Third-Party Service Providers
These providers process data only to provide the listed service. This list is based on the current Rockxy Web/backend config and app implementation review.
| Provider | Purpose |
|---|---|
| TelemetryDeck GmbH | Anonymous product analytics when Product analytics is enabled |
| Functional Software, Inc. (Sentry) | Crash reports, non-fatal errors, diagnostic logs, and diagnostic/performance spans when the relevant controls are enabled or a crash report is approved |
| Rockxy backend/license service | License activation, validation, deactivation, subscription/license-device state, and entitlement checks for paid features |
| Lemon Squeezy, Inc. | Hosted checkout, payment processing, tax/receipt handling, webhooks, and license-provider flows |
| Vercel, Inc. | Static website hosting and website analytics |
| Google LLC | Google Analytics on the public website and Gmail support inbox |
| Resend, Inc. | License Manager access-link email delivery when that flow is used |
| GitHub, Inc. | Source hosting, public releases, issue discussions, and download hosting if you use those GitHub flows |
7. User Controls
- Open Settings > Privacy to change privacy controls.
- Toggle Product analytics on or off.
- Toggle Crash/errors on or off.
- Toggle Diagnostic logs on or off.
- After an unexpected quit, Rockxy may show a one-time crash prompt with Send Report, Don't Send, and an optional always-send sanitized crash reports choice.
- Support/export flows may offer a one-time Include sanitized diagnostics choice where applicable.
8. Website Data
The public website may use standard website analytics and hosting telemetry to understand page views, downloads, checkout clicks, JavaScript errors, and site reliability. Website analytics are separate from macOS app diagnostics and do not include captured proxy traffic.
You can block or delete cookies from your browser settings. Blocking website analytics cookies does not prevent the static website from loading.
9. Security, Retention, Children, and Legal
Security. Rockxy uses local macOS storage and Keychain-backed storage where applicable. Review exported sessions before publishing or sending them; they may include sensitive traffic you chose to capture.
Retention. Local app data stays on your Mac until you delete it. Provider-side diagnostics, license, payment, support, and website analytics retention periods still need product/legal review before final publication.
International transfers. Providers may process data in the United States, EU, or other jurisdictions. Exact transfer safeguards still need legal review.
GDPR/CCPA and other rights. Depending on your location, you may have rights to access, correct, delete, export, object to, or restrict certain personal data. Email [email protected] to make a request.
Children. Rockxy is a developer tool and is not directed at children under 13 or the minimum age required by local law.
10. Changes to This Policy
Updates to this privacy policy are versioned in the RockxyWeb source repository. The date at the top reflects the most recent public revision.
11. Contact
Privacy, data, deletion, support, or billing questions: [email protected]. Security issues: follow the security policy on GitHub.