Privacy Policy
Effective date: May 14, 2026
1. Introduction
ModelPiper is built on a local-first philosophy. We believe your data belongs to you and should stay on your machine. This Privacy Policy explains what information we collect, what we don't collect, and how we handle your data.
This policy covers all ModelPiper products: the ModelPiper web application, the ToolPiper macOS companion app, the VisionPiper screen capture app, the AudioPiper audio mixer app, and the MediaPiper browser extension (collectively, the "Service").
2. Information We Collect
We collect minimal information to operate the Service:
- Account data — if you create a ModelPiper account, we store your email address. If you sign in with Google, we additionally store your Google account identifier, verified email, display name, and profile photo URL (see Section 4)
- Subscription data — if you subscribe, our payment processor (Apple, for Mac App Store purchases, or Stripe, for purchases through our website) sends us a transaction record confirming your entitlement. We do not receive or store your payment method, full card number, or billing address. Stripe assigns us a customer identifier we associate with your account
- Anonymous product analytics — if analytics are enabled, we use PostHog to collect anonymous usage metrics such as page views and feature usage to improve the Service. Analytics events do not include the contents of your pipelines, prompts, model outputs, or any data fetched from third-party APIs you have connected
- Support correspondence — if you email us, we keep the email so we can respond and follow up
3. Information We Do NOT Collect
Because ModelPiper runs locally on your machine, we do not have access to:
- API keys — your credentials for third-party services are stored locally and never transmitted to us
- Pipeline data — your prompts, workflows, configurations, and pipeline structures remain on your device
- Model outputs — the responses from AI models are processed locally and never sent to our servers
- Screen recordings or captures — all screen region data captured by VisionPiper is processed and stored locally on your device and is never transmitted to our servers
- Audio recordings — all audio data captured by AudioPiper (microphone input, system audio, and per-application audio) is processed and stored locally on your device and is never transmitted to our servers
- Google API data — when you connect a Google service such as Search Console to ToolPiper, the data ToolPiper fetches from Google flows directly from Google to your Mac and never transits our servers (see Section 5)
4. Sign in with Google
You may create or sign in to a ModelPiper account using your Google account. When you do, Google sends us a limited profile from your Google account so we can create or look up your account. This section covers account sign-in only. Connecting Google services such as Search Console to ToolPiper is a separate flow, covered in Section 5.
4a. What We Receive From Google
When you sign in with Google, Google sends us:
- Your Google account identifier (sub), a stable pseudonymous id we use to recognize you on subsequent sign-ins
- Your verified Google email address
- Your display name, if your Google profile has one
- Your Google profile photo URL, if your Google profile has one
We request only the email and profile OAuth scopes, which are the minimum required to identify your account. We never receive your Google password, your contacts, your Drive files, your Gmail, your Calendar, or any other Google service data.
4b. How We Use It
We use Google sign-in data only to create your ModelPiper account, sign you in on return visits, address account-related emails to you, and display your name and avatar in your account view. We do not share Google sign-in data with third parties for marketing, and we do not use it for any purpose unrelated to operating your account.
4c. Where It Lives
Account data is stored in our Postgres database at api.modelpiper.com, operated on our behalf by Railway in the US-West region.
4d. Sign-in Sessions
Once signed in, your browser holds a signed session cookie (mp_session) so you stay signed in across visits. The cookie is HttpOnly, Secure, SameSite=Lax, and contains a JWT that names your user id. During the sign-in flow itself, we briefly set a state cookie to defend against CSRF; it is deleted as soon as the flow completes.
4e. Revoking Access
You can revoke ModelPiper's access to your Google identity at any time at https://myaccount.google.com/permissions. Revoking removes future Google sign-in capability but does not by itself delete your ModelPiper account. To delete your account and the data associated with it, contact us at privacy@modelpiper.com.
5. Google Services Connected via ToolPiper
ToolPiper, our macOS companion app, can connect on your behalf to Google services such as Google Search Console so you can ask questions about your own Google data from chat. These connections are entirely separate from "Sign in with Google" (Section 4) and follow a strict local-first model.
5a. How the Connection Works
You explicitly initiate every connection by clicking Connect in the ToolPiper OAuth pane. ToolPiper opens your browser to Google's consent screen, where you choose whether to grant access. ToolPiper never initiates an OAuth flow without your explicit click and never connects in the background.
5b. Which Google Scopes We Request
We request only the scopes for features you have explicitly chosen to connect. As of this policy's effective date:
- https://www.googleapis.com/auth/webmasters.readonly — read-only access to your Google Search Console properties, used by ToolPiper's gsc_* tools to surface your search analytics in chat
We will update this list as we add support for additional Google services. We will never silently request additional scopes; every new scope requires a fresh consent click from you.
5c. Your Google API Data Never Leaves Your Mac
This is the most important guarantee in this section. Google API data fetched by ToolPiper (including but not limited to Search Console queries, click and impression data, indexing data, sitemaps, and any other content returned by Google APIs) never leaves your Mac. The data flows directly from Google's servers to ToolPiper running on your machine, where it is rendered into your chat session and held only for the lifetime of that session. Your Google API data is never transmitted to, stored on, processed by, logged on, or routed through any ModelPiper server, including api.modelpiper.com.
5d. Where the OAuth Tokens Live
The access token and refresh token issued by Google are stored in the macOS Keychain on your Mac, under ToolPiper's keychain access group. They are never transmitted to any ModelPiper server. ToolPiper refreshes expired tokens by talking directly to Google's token endpoint from your Mac.
5e. Limited Use of Google User Data
ModelPiper's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve the user-facing features that the user explicitly connected (for example, the Search Console tools in ToolPiper chat)
- We do not use Google user data for serving advertisements, including retargeted or personalized advertising
- We do not transfer Google user data to third parties except (a) as necessary to provide or improve a user-facing feature that the user requested, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets with prior notice to affected users
- We do not allow humans, including ModelPiper employees or contractors, to read Google user data, except (a) with the user's explicit consent for specific data, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and de-identified for internal operations. Because Google API data is never transmitted to our servers (Section 5c), in practice no ModelPiper personnel has the ability to read it
5f. Revoking Access
You can disconnect a Google service from inside ToolPiper at any time by opening Settings → OAuth and clicking Disconnect on the relevant provider row. You can also revoke ToolPiper's access from your Google account at https://myaccount.google.com/permissions. Either action invalidates the token immediately; ToolPiper's next request to Google will fail and surface a reconnect prompt in chat.
6. VisionPiper — Screen Capture & Recording
VisionPiper is a companion macOS application that provides screen capture and recording capabilities. This section describes how VisionPiper handles screen recording data.
6a. Features That Use Screen Recording
VisionPiper uses the macOS Screen Recording permission (via ScreenCaptureKit) to provide the following features:
- Region capture — capture a still image of a user-selected screen region
- Screen recording — record a user-selected screen region to a local .mp4 video file
- GIF conversion — convert a recorded screen region to a local animated GIF file
- Live streaming — stream a user-selected screen region over a local WebSocket connection (localhost only) for display in a browser tab on the same machine
6b. What Data Is Captured
VisionPiper captures screen content only from user-selected regions and only when explicitly initiated by the user. The user defines the capture region by dragging a selection rectangle on screen. VisionPiper never captures the full screen without the user's explicit selection and consent. No metadata about other applications, windows, or desktop content outside the selected region is collected.
6c. Purpose of Screen Recording Data
Screen recording data captured by VisionPiper is used for the following purposes, all initiated by the user:
- Capturing screen regions for analysis by locally-running or user-configured AI models
- Recording workflows and screen activity for the user's own reference
- Creating animated GIF images from recorded screen regions
- Streaming a screen region to a local browser tab for real-time preview
6d. Third-Party Sharing
Captured images and recordings are never shared with third parties automatically. Images may be sent to user-configured AI providers (such as OpenAI, Anthropic, or Google) only when the user explicitly initiates an analysis request. This transmission occurs directly from the user's machine to the third-party provider; it is never routed through our servers. The user has full control over whether, when, and to which provider any captured data is sent.
6e. Storage & Retention
All screen capture data is stored locally on the user's Mac under ~/Library/Application Support/VisionPiper/. Recordings, screenshots, and GIF files are saved to a location chosen by the user or to the application's local support directory. No screen capture data is uploaded to our servers or any cloud storage. Users may delete their captured data at any time by removing the files from their local filesystem.
7. AudioPiper — Audio Capture & Recording
AudioPiper is a companion macOS application that provides multi-source audio mixing and recording capabilities. This section describes how AudioPiper handles audio data.
7a. Features That Use Audio Recording
AudioPiper uses macOS audio permissions to provide the following features:
- Microphone recording — capture audio from the user's selected microphone input
- System audio capture — capture system-wide audio output
- Per-application audio capture — capture audio from a specific application using Core Audio Taps
- Multi-source mixing — combine multiple audio sources into a single recording
- Audio trimming & export — trim recorded audio and export to standard audio formats
7b. What Data Is Captured
AudioPiper captures audio data only from sources explicitly selected by the user. The user chooses which audio sources to enable (microphone, system audio, or specific applications) through the application interface. AudioPiper never records audio from sources the user has not explicitly selected and enabled. No background or ambient audio is captured without the user's knowledge and consent.
7c. Purpose of Audio Recording Data
Audio data captured by AudioPiper is used for the following purposes, all initiated by the user:
- Recording audio from selected sources for the user's own reference
- Mixing multiple audio sources for podcast production, meeting notes, or workflow documentation
- Providing audio input for analysis by locally-running or user-configured AI models (such as speech-to-text transcription)
- Trimming and exporting audio files in standard formats
7d. Third-Party Sharing
Audio recordings are never shared with third parties automatically. Audio data may be sent to user-configured AI providers (such as speech-to-text or transcription services) only when the user explicitly initiates an analysis request. This transmission occurs directly from the user's machine to the third-party provider; it is never routed through our servers. The user has full control over whether, when, and to which provider any audio data is sent.
7e. Storage & Retention
All audio data is stored locally on the user's Mac under ~/Library/Application Support/AudioPiper/. Recordings and exported audio files are saved to the application's local support directory or to a location chosen by the user. No audio data is uploaded to our servers or any cloud storage. Users may delete their audio data at any time by removing the files from their local filesystem.
8. How We Use Information
Any information we collect is used to:
- Operate your account and authenticate you (including via Google sign-in, if you chose that option)
- Send product updates and announcements (email, only with your consent)
- Improve the Service based on anonymous usage patterns
- Respond to support requests or inquiries
- Process subscription payments and entitlements
We do not sell, rent, or share your personal information with third parties for marketing purposes.
9. Third-Party Services
AI providers. When you use ModelPiper to connect to third-party AI providers (such as OpenAI, Anthropic, Google Gemini, Ollama, or others), your prompts and data are transmitted directly from your machine to those services. ToolPiper may proxy these requests locally to inject API keys stored in your macOS Keychain, but the traffic is never routed through our servers. Each provider has its own privacy policy and data handling practices, and you are responsible for reviewing them.
Google, as an identity provider. If you sign in with Google, Google's handling of your authentication is governed by Google's Privacy Policy. The specific data we receive is listed in Section 4.
Google, as a connected service provider. When you connect a Google service such as Search Console through ToolPiper, ToolPiper communicates directly with Google's APIs from your Mac. The data exchange is between you and Google; we do not see, route, log, or store the response. See Section 5 for details and the Limited Use disclosure.
HuggingFace. When you browse or download AI models, ToolPiper communicates directly with HuggingFace (huggingface.co) to search repositories and download model files. HuggingFace may log your IP address and search queries in accordance with their own privacy policy.
Apple, for App Store purchases. Subscription purchases made through the Mac App Store are processed entirely by Apple. Apple's handling of your payment information is governed by Apple's Privacy Policy.
Stripe, for website purchases. Subscription purchases made through our website are processed by Stripe. Stripe receives your payment method and billing details directly; we receive a customer identifier and a confirmation of your entitlement. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.
Railway, for hosting. Our API is hosted on Railway. Railway processes account and subscription data on our behalf as a data processor.
PostHog, for product analytics. If analytics are enabled, anonymous usage events are sent to PostHog. We do not send Google user data, Google API data, your prompts, your pipeline data, or your model outputs to PostHog.
10. Local Storage & Cookies
Cookies on modelpiper.com. We use a small number of strictly necessary cookies to operate your signed-in session:
- mp_session — your signed-in session token (HttpOnly, Secure, SameSite=Lax), set after you sign in
- mp_oauth_state — a short-lived CSRF defense set during a Google sign-in flow and deleted as soon as the flow completes
We do not use advertising cookies, cross-site tracking cookies, or analytics cookies. PostHog analytics, if enabled, uses cookieless event tracking.
Browser local storage. The ModelPiper web application uses browser localStorage to persist your pipeline data, configurations, and preferences. None of this is transmitted to our servers.
Local disk on your Mac. ToolPiper stores data on disk under ~/Library/Application Support/, including downloaded model files and exported logs. API keys and OAuth tokens are stored in the macOS Keychain, not in plain-text files.
Browser extension storage. The MediaPiper browser extension uses browser.storage.local to save your settings, discovery cache, and saved items. This data is not synced to any cloud service.
11. Data Security
For any data we do collect (such as email addresses and account records), we use industry-standard security measures to protect against unauthorized access, alteration, or destruction.
All communication between companion apps (ToolPiper, VisionPiper, AudioPiper) and the web application occurs over localhost using per-session bearer tokens (32 bytes of cryptographic randomness, scoped to the local machine). No application data leaves your machine through these channels.
OAuth tokens for connected services (including Google) are stored exclusively in the macOS Keychain on your Mac and are never transmitted to our servers.
12. Data Retention
Because the Service is local-first, most data is stored on your device and retained until you delete it. For any data we hold server-side (such as your account record and email address), we retain it for as long as your account is active and for a reasonable period after account closure to comply with legal, accounting, and tax obligations. You may request earlier deletion at any time by contacting us.
OAuth tokens for connected services live on your Mac, not our servers, and are deleted when you click Disconnect, revoke from the provider's account page, or remove the companion app from your Mac.
13. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Delete your personal data
- Object to or restrict the processing of your data
- Data portability — receive your data in a structured, machine-readable format
Because the Service is local-first, most of your data is already under your direct control on your own device. For any data we hold server-side, you can exercise these rights by contacting us at privacy@modelpiper.com. We will respond within 30 days.
If you are a California resident, you have additional rights under the CCPA, including the right to know what personal information is collected and the right to opt out of its sale. We do not sell personal information.
14. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can take appropriate action.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
16. Contact
If you have questions about this Privacy Policy or your data, please contact us at privacy@modelpiper.com.