Privacy

These are not policy statements: they are the behavior of the code, which is open source and verifiable.

Default behavior: zero network calls. A default install snapshots files and git state and serves them over stdio to your local MCP client. No request leaves your machine.

The complete list of network opt-ins

Exactly four things can cause a network call, and each is off until you explicitly enable it:

Opt-inWhat enables itWhere traffic goes
notionNOTION_TOKEN env var set and notion.pageIds listed in configNotion's API, fetching only the pages you named
ollamaollama.summarize: true in configYour local Ollama endpoint (default http://localhost:11434)
consult providersconsult.providers configured (Pro feature)Only the providers you listed, using API keys from env vars you named
telemetry pingtelemetry.enabled: true in configAn anonymous install-count ping (see below)

Redaction

Everything ingested (files, Notion pages, session transcripts) passes redaction before it enters a snapshot. Secret-looking content (AWS keys, GitHub/Notion/Slack tokens, private keys, JWTs, quoted password=/api_key= assignments) is replaced, and each redaction is counted in the snapshot metadata so you can see it happened.

Denied paths go further: .env*, key files, and credential files are never read at all. They are excluded before ingestion, not redacted after.

Read-only over your data

The core never writes to your repository, your Notion workspace, or your git state. File access is scoped to the single configured root. Session connectors (Pro) read a copy, read-only. The two deliberate exceptions, both actions you invoke yourself: ctxfile export writes .ctxfile/context.{json,md} in your project, and ctxfile hooks install writes a managed block in .git/hooks/pre-commit.

Exports

ctxfile export is the one feature whose whole point is moving context somewhere else, so it defaults to the least: the repo-safe profile ships plan, git state, and a key-file manifest, and excludes file bodies, Notion pages, and session digests entirely. The full profile requires an explicit flag and prints a loud warning. Every profile re-runs secret redaction on every exported text field, and your absolute local path never appears in an export (directory basename only). Details: the export guide and the convention spec.

Pro memory encryption

Pro's cross-session memory is the one place the product writes data, and it writes only to its own store under ~/.ctxfile/. Memory content is encrypted with AES-256-GCM; the key lives in your OS keychain, not on disk next to the data. Every entry records its provenance: which tool wrote it, when, and from what source.

Telemetry, precisely

Off by default. If, and only if, you set telemetry.enabled: true, an anonymous ping is sent containing: a random install UUID, the version string, and a coarse OS platform name. Never code, never paths, never content, never identity. Its sole purpose is counting active installs. Leave the flag unset and no ping ever happens.

Licensing without phoning home

Pro licenses are Ed25519-signed keys verified locally against a public key embedded in the binary. License checks make no network calls. There is no activation server to contact.