Privacy Policy

Last updated: May 7, 2026

No data collected No network requests No account required No analytics

The Short Version

Sieve does not collect, transmit, or store any data outside of your Mac. Everything — scan results, secret fingerprints, vault entries — stays entirely on your device. We cannot access your data because we have no server to receive it.

What Sieve Stores Locally

  • Findings database — A local SQLite file at ~/Library/Application Support/Sieve/sieve.db containing finding metadata: rule ID, source path, redacted preview, and an HMAC fingerprint of the detected value. The raw secret value is never written to this database.
  • Vault entries — Secrets you explicitly store are saved in macOS Keychain under the service namespace com.sieve.vault.macapp. Only you can read them; they require Touch ID or your Mac login password to copy.
  • Sandbox bookmarks — Security-scoped bookmarks are stored in UserDefaults so Sieve can access your AI tool directories across launches without asking again.
  • MCP settings — Whether the MCP server is enabled, stored in ~/Library/Application Support/Sieve/mcp-settings.json.

What Sieve Never Does

No telemetry No crash reports No analytics No advertising No cloud sync No plaintext secrets in DB
  • Does not make any network requests
  • Does not send scan results to any server
  • Does not collect usage statistics
  • Does not use third-party analytics SDKs
  • Does not store raw secret values anywhere except macOS Keychain
  • Does not sync data to iCloud

The MCP Server

When you enable the MCP server in Settings, Sieve launches sieve-mcp — a local stdio binary that Claude Code communicates with over standard input/output on your Mac. It is not a network service. It does not open a network port. MCP tool responses never contain raw secret values; only fingerprints and redacted metadata are returned.

File Access

Sieve uses Apple's security-scoped bookmarks to read AI tool directories you grant access to via the standard macOS Open dialog. Access is limited to the specific folders you select. Sieve requests read-only access to these paths and does not write to them (except when you explicitly use the SQLite redaction feature, which creates a backup first).

Deletion

To remove all Sieve data:

  • Delete the app — removes the application and its container
  • Delete ~/Library/Application Support/Sieve/ — removes the findings database and settings
  • Open Keychain Access → search for com.sieve.vault.macapp → delete entries — removes vault secrets

Contact

Questions about this policy: gautamumapathy@gmail.com