Privacy Policy - TerminaLLM

Last Updated: March 7, 2026

Overview

TerminaLLM ("the App") is a mobile SSH terminal client that enables secure remote command execution. This Privacy Policy describes how we collect, use, and protect your information.

Information We Collect

Data Stored Locally on Your Device

The App stores the following information locally on your device using platform-native encrypted storage (iOS Keychain / Android EncryptedSharedPreferences):

• SSH Connection Details: Host address, port number, and username
• TOTP MFA Secrets: Encrypted secrets for multi-factor authentication
• Host Key Fingerprints: SSH server fingerprints for man-in-the-middle attack prevention
• Security Audit Logs: Connection attempts, authentication events, and security-related activities (up to 1,000 most recent events)
• Session Information: dtach session identifiers for session persistence
• App Preferences: Biometric authentication settings, security profiles, terminal preferences
• Credential Vault (Opt-in): If you enable the Credential Vault, SSH passwords, private keys, and passphrases are encrypted and stored locally using AES-256-GCM authenticated encryption with HKDF-Expand key derivation and per-credential random nonces. Vault entries have configurable TTL expiry and are stored exclusively in platform-native encrypted storage
• Media Drop (Camera/Photo Library): When you use the Media Drop feature, the App requests access to your device camera or photo library on demand via standard iOS/Android permission prompts. Selected images or files are uploaded directly to your remote server at ~/terminallm-uploads/ (or /tmp/terminallm-uploads/ if home is not writable) via SFTP with chmod 600 (owner-read/write only) permissions. Media files are not cached or stored locally by the App — they are streamed from the system picker to the remote server. Camera and photo library access can be revoked at any time in your device settings
• SFTP Trash: When you delete files through the SFTP browser, they are moved to ~/terminallm-trash/ (or /tmp/terminallm-trash/) on your remote server as a soft delete. These files remain until you manually remove them
• Port Forwarding Rules: Saved port forwarding rules (local port, remote host, remote port, rule name) are stored locally per connection profile. No network traffic is intercepted or logged — tunnels bind exclusively to localhost (127.0.0.1) on your device
• AI Chatbot Usage: Your chatbot subscription tier is stored locally. The AI chatbot is available to Pro subscribers only. The last 50 chatbot messages are persisted in platform-native encrypted storage for conversation continuity across app sessions
• Terminal Session Recordings: If you use the recording feature, terminal sessions are captured in asciicast v2 format (.cast files) and stored locally in the app's documents directory. Recordings contain all terminal output and input events with timestamps. Recordings are not encrypted at rest and are never automatically uploaded or shared
• Encrypted Backups: If you create a backup, an encrypted .tlmbackup file is generated containing your selected data categories (profiles, snippets, settings, and optionally vault credentials). Backups are encrypted with AES-256-GCM using a password-derived key (PBKDF2). Backup files are stored locally or shared via the system share sheet — they are never uploaded to TerminaLLM servers
• Custom Terminal Themes: User-created terminal color themes (23 color values per theme) are stored in platform-native encrypted storage
• Connection History: Timestamps, durations, and host information for recent connections (up to 10 entries) are stored locally in encrypted storage for the session resume feature
• Connection Health Check: TCP port reachability results for saved profiles are cached in memory with a 60-second TTL. Health check results are never persisted to disk or transmitted
• Proxy Authentication Token: A JWT token for proxy authentication is stored locally in encrypted storage. It contains only your device identifier and subscription tier — no personal information
• Device Identifier: A randomly generated device identifier (not linked to your hardware or advertising ID) is created and stored locally for proxy authentication purposes
• Push Notification Tokens: If you enable push notifications for AI prompt alerts, a Firebase Cloud Messaging (FCM) device token is generated by Google's Firebase SDK. This token is sent to the TerminaLLM proxy server and exchanged for an opaque push token (tlm_ prefix) that is stored locally in encrypted storage and deployed to your remote server's ~/.terminallm/config file. Push tokens expire automatically after 30 days and are re-registered on reconnect. No phone number, email address, or personal information is included in push tokens
• AI Prompt Monitor: When push notifications are enabled, a lightweight POSIX shell script (idle-notify.sh) is deployed to your remote server at ~/.terminallm/. This script uses dtach-rev's native idle detection (-I/-C flags) to fire when the terminal session has been idle for a configurable timeout, then sends a notification request to the TerminaLLM proxy server via curl. Notification payloads are transient — they are relayed as a push notification and not stored on the proxy server
• iOS Live Activities: When an SSH session is active on iOS 16.1+, session metadata (server name, connected AI tool, AI state, and file change counts) is written to an App Group shared container (NSUserDefaults) and displayed on the Lock Screen and Dynamic Island via iOS Live Activities. This data is visible without unlocking your device. Live Activities are automatically ended when you disconnect or the session is idle for 8 hours (iOS system limit)

Data Transmitted to External Services

• AI Chatbot: When using the built-in AI chatbot (Pro only), your messages are sent through the TerminaLLM proxy server (hosted on Google Cloud Run) to the Anthropic API. The proxy server receives your device identifier and subscription tier for access control. Your remote server's OS type and shell may be included as context with requests. A mode field ("chat" or "translate") is also sent to indicate the request type. Messages are not stored on the proxy server — they are streamed through to Anthropic and discarded. See Anthropic's Privacy Policy for how Anthropic handles API data
• Voice-to-Command Translation: When using the wand button or voice input to translate natural language into shell commands (Pro only), your spoken text is sent through the same TerminaLLM proxy server to the Anthropic API. Your remote server's OS type and shell are included as context to generate OS-appropriate commands. A mode field ("translate") distinguishes these requests from chat requests. No audio is transmitted — only the transcribed text. Requests are streamed and not stored on the proxy server

Data We Do NOT Collect

• Passwords (by default): SSH passwords are not stored by default — you enter them at connection time and they are cleared from memory after use. If you opt in to the Credential Vault, credentials are encrypted and stored locally with configurable TTL expiry (see "Credential Vault" above)
• Command History: Commands executed on remote servers are not logged by the App
• Terminal Output: Content displayed in the terminal is not stored or transmitted
• Location Data: We do not access your location
• Personal Information: We do not collect names, emails, or other personal data

Voice Input

The App offers optional speech-to-text input for dictating terminal commands and chatbot messages. Two speech engines are available:

• Built-in (platform STT): Uses the device's native speech recognition engine. Platform engines may send audio to their respective servers for processing, depending on your device model and OS version
• Whisper (on-device AI): Runs entirely on-device via whisper.cpp — no audio leaves the device. Creates a temporary WAV file that is deleted immediately after transcription

TerminaLLM never permanently stores audio data. Users choose their preferred engine in Settings. Microphone access is requested only when the mic button is tapped.

How We Use Information

All data stored by the App is used solely to provide its functionality:

• Connection Details: Enable quick reconnection to previously accessed servers
• Credential Vault: Enable seamless reconnection without re-entering credentials (opt-in only, encrypted locally, auto-expires per TTL)
• TOTP Secrets: Verify your identity through multi-factor authentication
• Host Key Fingerprints: Protect against man-in-the-middle attacks
• Audit Logs: Allow you to review security events on your device
• Session Information: Enable resumption of interrupted AI coding sessions
• Media Drop: Upload photos, screenshots, and files to your remote server for use in AI coding sessions
• Port Forwarding Rules: Quickly re-establish SSH tunnels for accessing remote development servers
• Device Identifier & Subscription Tier: Enforce Pro subscription access control via the proxy server
• AI Chatbot: Provide AI-powered assistance for terminal and coding questions
• Push Notifications: Alert you when AI coding assistants need input while the app is backgrounded
• AI Prompt Monitor: Detect AI tool prompts on your remote server and trigger push notifications

Data Security

Encryption at Rest

• iOS: All sensitive data stored in Apple Keychain with first_unlock_this_device accessibility
• Android: EncryptedSharedPreferences with AES-256 encryption

Encryption in Transit

• All SSH communications use industry-standard SSH protocol encryption
• Host key verification prevents man-in-the-middle attacks
• AI chatbot communications use HTTPS/TLS

Additional Security Measures

• Optional multi-factor authentication (TOTP)
• Optional biometric authentication (Face ID / Fingerprint)
• Session timeouts after inactivity
• Rate limiting on authentication attempts
• Screen capture prevention (platform-native)
• Clipboard auto-clear after paste operations

Data Retention

• Connection Details: Retained until you uninstall the App or clear app data
• Audit Logs: Last 1,000 events retained, older events automatically deleted
• Session Data: Retained until you clear session or uninstall the App
• Chatbot Messages: Last 50 messages persisted in platform-native encrypted storage for conversation continuity. System messages (welcome prompts) are not persisted. Clearing conversation removes all stored messages
• Terminal Recordings: Retained until you manually delete them or uninstall the App
• Encrypted Backups: Backup files exist wherever you saved or shared them; the App does not manage backup file lifecycle after export
• Custom Themes: Retained until you delete the theme or uninstall the App
• Connection History: Up to 10 recent entries retained; older entries automatically removed
• Health Check Cache: In-memory only, cleared when the App is closed (60-second TTL)
• Push Notification Tokens: FCM tokens and proxy push tokens expire after 30 days. Disabling push notifications in settings immediately clears all stored tokens. The server-side monitor script and config at ~/.terminallm/ remain on your remote server until you remove them manually or they are cleaned up on next connect with push notifications disabled
• Device Identifier: Retained until you uninstall the App or clear app data

Your Data Rights

Access Your Data

You can view your stored audit logs within the App's settings.

Export Your Data

Audit logs can be exported as JSON format from the App settings.

Delete Your Data

• Delete All Data: Open the App → Settings → scroll to bottom → Delete All Data. This erases all locally stored data and resets the App to its initial state
• Uninstalling the App also removes all locally stored data
• You can clear specific data (saved connections, audit logs, chat history) from App settings

For EU Residents (GDPR)

You have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing

To exercise these rights, use the in-app data management features or contact us at the address below.

For California Residents (CCPA/CPRA)

You have the right to:

• Know what personal information is collected
• Delete your personal information
• Opt-out of the "sale" of personal information (we do not sell data)
• Non-discrimination for exercising your rights

Third-Party Services

The App integrates with the following third-party services:

• Anthropic, PBC — AI chatbot responses are powered by Anthropic's Claude API. Requests pass through our proxy to Anthropic. See Anthropic's Privacy Policy
• Google Firebase — Firebase Cloud Messaging (FCM) is used to deliver push notifications to your device when AI tools need input. An FCM device token (an opaque identifier generated by Google's Firebase SDK) is transmitted to Google for push delivery. No message content is stored by Firebase. Firebase Crashlytics is used to collect anonymous crash reports (device model, OS version, app version, stack traces) to help diagnose and fix bugs. Crash reporting is enabled by default and can be disabled at any time in Settings > Security > Crash Reporting. No terminal content, SSH credentials, or personally identifying information is included in crash reports. See Google's Privacy Policy
• Google Cloud Run — Our proxy server infrastructure is hosted on Google Cloud Run (US-East region). The proxy does not store message content or push notification payloads
• GitHub — Bug reports and feature requests can be submitted via GitHub Issues

Open Source Libraries

The App uses open-source libraries for SSH connectivity and terminal rendering. These libraries do not collect or transmit user data.

Children's Privacy

The App is not intended for children under 13 years of age. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this Privacy Policy periodically. Changes will be noted by updating the "Last Updated" date. Continued use of the App after changes constitutes acceptance of the updated policy.

Contact Information

For privacy-related questions or concerns:

GitHub Issues: github.com/terminallm-issues/.github/issues

Data Processing Location

Most data processing occurs locally on your device. When using the AI chatbot, message data is processed through our proxy server (Google Cloud Run, US-East region) and Anthropic's API servers. When push notifications are enabled, notification relay requests pass through the same proxy server and are forwarded to Firebase Cloud Messaging (Google) for delivery to your device.