Security & privacy

Local by default. Nothing leaves your machine unless you send it.

Scanning, bundling, redaction, and area discovery run on your device, offline, with no account and no telemetry. Every network path is opt-in, named, and listed below.

The data flow

What happens to a folder, end to end

  1. A folder on disk

     Your repo or documents, where they already live.

  2. Scan & filter

     Binaries, build output, and anything in .gitignore are skipped.

  3. Redact secrets

     API keys, tokens, and private keys scrubbed before anything is written.

  4. Count tokens

     You see the context cost before you spend it.

  5. Markdown bundle

     Clean files, to your AI tool, an MCP client, or an export folder.

Every step above happens on your machine. The optional integrations below are the only exceptions, and only when you turn them on.

No telemetry, ever

No analytics, no tracking, no usage beacons. The app does not phone home. There is no account and the free tier needs no API key.

Secrets redacted by default

Secret patterns (API keys, tokens, private keys) are scrubbed before any file is written. Redaction applies to documents too, not just code.

Binary and junk safety

Binary extensions and a NUL-byte content guard keep binaries out, and .gitignore plus your own exclude globs keep the noise out.
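The filter-then-redact order described in the two paragraphs above, as an added illustration. This is not IngestMD's code: the extension list, sniff size, secret patterns, and `[REDACTED:...]` marker are assumptions, and plain exclude globs stand in for full .gitignore handling.

```python
import fnmatch
import re
from pathlib import PurePosixPath
# Assumed values: the page does not list the tool's real extensions or patterns.
BINARY_EXTENSIONS = {".png", ".jpg", ".zip", ".exe", ".pdf"}
SNIFF_BYTES = 8192  # how much of each file the NUL-byte guard inspects
SECRET_PATTERNS = [  # each pattern marks the span to scrub with a group named "secret"
    ("private-key", re.compile(
        r"(?P<secret>-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----)", re.S)),
    ("aws-access-key-id", re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b")),
    # name = value assignments; the lookahead skips values an earlier pattern already scrubbed
    ("assigned-secret", re.compile(
        r"(?:api[_-]?key|token|secret)\b\s*[:=]\s*['\"]?(?!\[REDACTED:)(?P<secret>[^\s'\"]{12,})", re.I)),
]

def is_binary(path, data):  # extension check, then the content guard for unlabeled files
    return PurePosixPath(path).suffix.lower() in BINARY_EXTENSIONS or b"\x00" in data[:SNIFF_BYTES]

def redact(text):  # returns (scrubbed_text, {pattern_name: hit_count})
    counts = {}
    for name, pattern in SECRET_PATTERNS:
        def scrub(m, name=name):
            counts[name] = counts.get(name, 0) + 1
            whole, (s, e) = m.group(0), m.span("secret")
            return whole[:s - m.start()] + f"[REDACTED:{name}]" + whole[e - m.start():]
        text = pattern.sub(scrub, text)
    return text, counts

def bundle(files, exclude_globs=()):
    """files maps relative path -> raw bytes. Returns (markdown, per-file report)."""
    parts, report = [], {}
    for path, data in sorted(files.items()):  # fixed order keeps the output reproducible
        if any(fnmatch.fnmatch(path, g) for g in exclude_globs):
            report[path] = "excluded"
        elif is_binary(path, data):
            report[path] = "binary"
        else:  # redaction runs before the text ever reaches the bundle
            text, report[path] = redact(data.decode("utf-8", errors="replace"))
            parts.append(f"## {path}\n\n{text}")
    return "\n".join(parts), report

# Constructed sample input; none of these values are real credentials.
SAMPLE = {
    "app/config.py": b'API_KEY = "constructed_value_0123456789"\nAWS_ID = AKIAIOSFODNN7EXAMPLE\n',
    "deploy/key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
    "data/cache": b"hdr\x00\x01\x02",  # no extension, caught by the NUL-byte guard
    "build/out.js": b"var a=1;",
}
MARKDOWN, REPORT = bundle(SAMPLE, exclude_globs=["build/*"])
```

`REPORT` records why each file was skipped or how many secrets were scrubbed from it, which is the kind of per-file record that lets a reader audit a run before sharing the bundle.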

Deterministic and inspectable

Output is built from the source with no model in the loop, so a run is reproducible. The app is open to download and built from source in CI.

Signed and notarized

The macOS builds (Apple Silicon and Intel) are signed and notarized by Apple. Windows builds are not yet signed, so first launch needs "More info" then "Run anyway".

Licenses verified on-device

Pro and Team licenses are signed tokens checked offline against a public key embedded in the app. No license server call is needed to keep working.

What can leave your machine

The complete list of network egress

There is nothing else. If none of these are enabled, IngestMD makes no outbound connection.

A local model you run

Ask and area enhancement call the base URL you set, your own Ollama or LM Studio. The request goes to your machine, not ours.

A cloud model, with your key (Pro)

If you choose a hosted model for enhancement, the key stays in your OS keychain and a cost estimate shows before you run. Off by default.

Confluence retrieval

Only when you point the Documents tab at a Confluence page, space, or query you have access to.

License or trial activation

A one-time check to verify a license or fetch a device-bound trial. Verified offline afterward.

For the formal statement, see the privacy page. Questions? Email [email protected] or open an issue on GitHub.

Reason over confidential work, privately

Free to download, with a 3-day full Pro trial. No account, no card, nothing uploaded.