privacy
This page states LazyToken's factual data practices. They are not just policy promises: the reporting payload is governed by a strict allowlist enforced in code — an automated test on the agent blocks any change that would add a field, and the server rejects any unknown field instead of silently stripping it.
A formal legal Privacy Policy is being finalized with counsel. Until it is published, this page documents the data practices, which are enforced in code and verifiable in the open-source engine.
When an agent is enrolled, each metric record may contain only the fields below. Anything else is rejected by the server with 400 INVALID_PAYLOAD.
| Field | Example | Notes |
|---|---|---|
ts — timestamp | 1752660000 | Event time, UTC |
tool — tool name | git | First word only, max 32 chars, no spaces — arguments cannot ride along |
category | git | Coarse bucket |
ai_agent | claude-code | Which coding agent was in use |
tokens_raw / tokens_filtered | 2000 / 400 | Numeric token counters, before and after filtering |
duration_ms | 8 | Filter timing |
project_hash (optional) | a1b2… | Salted SHA-256; the salt is device-local and never transmitted; off unless policy enables it |
{type, tool, timestamp} — the rule type (e.g. aws-key) is a category, never a value. The matched secret is never sent, never logged, never written to disk. Envelope keys are limited to a device id and the agent version. Full wire schema: the Security Whitepaper.
Every row is blocked by the payload allowlist on both sides of the wire: a compile-time-exhaustive test on the agent, and a strict schema on the server.
| Never transmitted | How it's prevented |
|---|---|
| Source code — files, snippets, diffs | No field in the schema can carry it |
| Command arguments | Only the first word is sent; max 32 chars, no spaces — an argument physically can't fit |
| File paths / filenames / directories | Not in the schema; the optional project_hash is a salted hash whose salt never leaves the machine |
| Command / terminal output | Never captured for transmission — filtering happens locally |
| Environment variables | None, ever |
| Secrets / credentials / tokens | The Context Firewall redacts locally; only the rule type is reported, never the value |
| Prompts or model responses | LazyToken is not in the prompt path for reporting |
| Keystrokes, screen contents, clipboard | Never captured |
| Git remotes, commit messages, branch names | Not in the schema |
| Geolocation / device fingerprinting | Only a SHA-256-hashed hostname identifies a device |
For the hosted Free and Pro dashboards, LazyToken may use aggregated, anonymized usage data — tool names and numeric counters only, per the schema above — to improve the product and build cross-organization benchmarks and recommendations. By construction of the schema, that data cannot contain code, arguments, paths, output, or environment variables. Details in the Terms of Service (draft).
The Security & Privacy page has the full trust model and ready security-questionnaire answers; the whitepaper has the exact wire schema. A DPA template is available on request.