conductorv2

Privacy Policy

Last updated: April 9, 2026

1. Introduction

Conductor ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our website, CLI tool, and cloud synchronization features.

2. Zero-Knowledge Architecture

Conductor uses a zero-knowledge encryption architecture for credential storage:

  • Your API keys and credentials are encrypted on your device before being transmitted
  • We never have access to your plaintext credentials
  • The server stores only encrypted blobs that can only be decrypted with your password
  • If you lose your password, your credentials cannot be recovered

3. Information We Collect

Account Information

  • Email address (from OAuth providers like GitHub or Google)
  • OAuth provider information
  • Account creation date

Device Information

  • Device ID (generated locally on your device)
  • Device name (which you provide when pairing)
  • Public key (for encrypted communication)

Encrypted Credential Metadata

  • Plugin names (e.g., "github," "slack")
  • Creation and update timestamps
  • Only encrypted credential data - we cannot read your actual API keys

4. How We Use Your Information

  • To provide and maintain the Conductor service
  • To sync your encrypted credentials across your devices
  • To authenticate you via OAuth (GitHub/Google)
  • To communicate with you about your account
  • To improve and develop our services

5. Data Encryption

All sensitive data is encrypted using AES-256-GCM with keys derived from your password using PBKDF2 (100,000 iterations):

  • Your password never leaves your device
  • Encryption keys are derived locally
  • Server-side data is opaque encrypted blobs
  • We cannot reset or recover forgotten passwords

6. Data Sharing

We do not sell, trade, or otherwise transfer your personal information to outside parties. We may share information with:

  • Service providers who assist us in operating our service (e.g., Supabase for authentication)
  • Legal requirements when required by law or in response to valid requests

7. Data Retention

We retain your account information and encrypted credentials as long as your account is active. You may request deletion of your account and all associated data at any time.

8. Your Rights

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data
  • Opt out of non-essential communications

9. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (HTTPS)
  • Zero-knowledge client-side encryption
  • Secure OAuth authentication
  • Regular security reviews

10. Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect personal information from children under 13.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

12. Contact Us

If you have any questions about this Privacy Policy, please contact us: