privacy policy
last updated: May 27, 2026
Flaudit is a Mac app that reads your iMessages locally to show you a Wrapped-style summary of how often your friends actually follow through on plans. This policy explains what we see, what we don’t, and where each piece of your data goes.
We’re a small independent project run by Stanford students, currently in a closed Stanford-only beta. For any privacy question or request, email divyeshk@stanford.edu.
1. What runs on your Mac
When you grant Full Disk Access during onboarding, Flaudit reads ~/Library/Messages/chat.db directly. The reading happens entirely on your Mac:
- All of your iMessages are read locally so a regex-based prefilter can identify plan-related clusters.
- Your Contacts are read locally so friends appear by name instead of by phone number.
- The Wrapped reveal (slides, cards, evidence quotes) is built locally from ~/.flakedrop/last_reveal_payload.json and never leaves your Mac.
The cached payload includes verbatim message snippets used as evidence. These stay on your device. You can wipe them at any time by deleting the ~/.flakedrop/ folder.
2. What leaves your Mac, and why
Three categories of data leave your Mac in normal use. Nothing else.
2.1 Plan-related message snippets — to Anthropic, via our proxy
To detect whether a plan was kept or flaked on, Flaudit runs a local prefilter that selects plan-relevant message clusters (roughly 5–10% of your total message volume) and sends them to Anthropic’s Claude Haiku model for classification. Sent over the wire:
- The text of the clustered messages plus a small window of neighboring messages for context.
- The same classification prompt for every request.
- No phone numbers, no contact names, no email addresses, no message metadata beyond timestamps within the cluster.
Routing:
- Requests go to a proxy we run at flaudit.xyz/api/classify and flaudit.xyz/api/batches/*. The proxy holds the Anthropic API key server-side and forwards the request body verbatim — it doesn’t log or persist message content.
- You’re authenticated to the proxy via your Supabase session token.
- Anthropic’s commercial API terms apply: data retained for up to 30 days for abuse monitoring, then deleted. They do not use API data to train models.
If you’re not comfortable with this, the app can’t function — classification is what produces your Wrapped score. The “stays on your Mac” framing applies to the vast majority of your messages; the plan-related minority is the exception, and an essential one.
2.2 Your school-year flake score — to Supabase
After each scan, the app pushes a single row to our Supabase database with:
- A pseudonymous user id (a Supabase UUID, not your email).
- Your school-year totals: how many plans you committed to, and how many you flaked on.
That row contains no message text, no message metadata, no contact names, no phone numbers, and no other identifying detail beyond the user id (which only Supabase can map back to your email).
2.3 Your display name and onboarding profile
When you complete the survey, your name, class year, and major persist locally to ~/.flakedrop/profile.json. Your name is also synced to your Supabase user row so the public leaderboard can derive initials. Your class year and major stay on your Mac and are not synced.
2.4 Per-scan usage stats — to Supabase
Each time you run a scan, the Mac app pushes a summary row to a Supabase table called scan_audits. This lets us see whether the app is actually working at a usage level (and whether the cost controls we set are accurate).
Each row contains only:
- when the scan started and ended, how long it took, and which stage of the pipeline took how long
- counts: number of messages read, plan-shaped clusters found, plans returned by the classifier, flakes among them
- the cost estimate in USD, the scan mode (batch vs concurrent), the app version
- if the scan failed: the error code and a short error message (capped at 500 characters)
Each row does not contain any message text, any contact name or phone number, any conversation ID, any plan description, or any other content from your chats. The Supabase table’s row-level security limits reads to your own rows; only the four-person admin allowlist (visible inside our migrations folder on GitHub) can read across users via the /admin dashboard. The local source of truth is ~/.flakedrop/scan_history.jsonl; you can read the raw history any time with python -m pipeline.run audit --raw.
3. The public leaderboard
flaudit.xyz shows a “flakiest students” leaderboard derived from a Supabase view that exposes only:
- Your initials (derived from the name you entered in the survey).
- Your annual flake count and plan count.
No full names, emails, phone numbers, or per-event details are ever exposed. Until at least ten Stanford users have opted in, the page shows a placeholder demo list rather than a sparse real list.
Default-on (opt-out). You’re auto-included on the leaderboard after your first scan syncs. We made this an opt-out rather than opt-in to keep the leaderboard populated; if you’d rather not appear, email divyeshk@stanford.edu and we’ll flip your public_leaderboard_opt_in flag to false. An in-app toggle is on the roadmap.
4. Subprocessors
Three companies (and one upcoming) see some piece of your data on the way to providing the service:
| Subprocessor | What they see | Retention |
|---|---|---|
| Anthropic | Plan-related message snippets (text only) | 30 days for abuse monitoring, then deleted. No training. |
| Supabase | Auth (email), display name, school-year flake score | Until you delete your account |
| Vercel | Hosts the proxy + landing page. Sees IP + request metadata in access logs; not request bodies. | ~30 days (Vercel default) |
| Resend (upcoming) | Your email address for transactional mail (account verification, occasional product updates). | Per Resend’s policy |
We do not use third-party analytics SDKs, advertising platforms, or trackers. There is no Facebook pixel, Google Analytics, PostHog, Segment, or similar.
5. Authentication
Flaudit is in a Stanford-only beta. Sign-in requires an @stanford.edu email and uses Supabase Auth’s one-time-code (OTP) flow. Session tokens are stored locally (renderer localStorage + macOS Keychain via keytar) and refreshed automatically.
6. What we explicitly do NOT do
- We do not sell your data.
- We do not use your messages to train, fine-tune, or evaluate any model — ours or anyone else’s.
- We do not run third-party analytics or fingerprinting.
- We do not store credit-card or payment information (the v1 product is free).
- We do not access any messaging platform other than Apple iMessage on your Mac.
- We do not upload non-plan-related messages. They’re read locally to find clusters, but stay on your device.
7. Your rights and how to use them
Even as a small project we honor the standard data-protection rights:
- Access — request a copy of everything we store about you.
- Deletion — see the box below. Self-serve in the Mac app, or email us if you can’t access it.
- Correction — request that we fix incorrect data (e.g. a wrong display name).
- Opt-out of the leaderboard — see Section 3.
Delete your flaudit account
Two paths — both are documented on a dedicated page at flaudit.xyz/delete-account:
(1) Self-serve in the Mac app. The dashboard has a danger-zone card with a one-click delete my account button. That call immediately removes your row + your school-year flake score + your per-scan audit rows from our database, wipes ~/.flakedrop/ on your Mac, signs you out, and brings you back to Welcome. Nothing is recoverable after.
(2) Email us. If you can’t access the app (Mac dead, FDA revoked, etc.), send a message to divyeshk@stanford.edu with subject “Delete my Flaudit account.” We’ll process it within 7 days.
For access, correction, or any other request: divyeshk@stanford.edu. We’ll respond within 7 days during the beta.
You can also do the following locally:
- Delete ~/.flakedrop/ to wipe your scan history and evidence cache.
- Quit and uninstall the app to stop all collection.
- Revoke Full Disk Access in System Settings → Privacy & Security → Full Disk Access.
8. Security
- All network traffic between the Mac app, our proxy, Supabase, and Anthropic uses TLS.
- Supabase row-level-security policies restrict each user to reading/writing only their own rows; the public leaderboard view exposes only initials + year aggregate score for opted-in users.
- Phone numbers are SHA-256 hashed with a per-user salt stored in your macOS Keychain before any planned future server write. (The hashed-contact column exists in our schema for a friend-board feature we have not yet shipped; it is currently unused.)
- The Anthropic API key lives only on our proxy server, never shipped in the Mac binary.
No system is perfectly secure. If we become aware of a data incident affecting your personal information, we’ll notify you and follow applicable breach-notification rules.
9. Data retention
- On your Mac: the plans corpus and Wrapped payload sit in ~/.flakedrop/ until you delete them. There is no automatic expiration.
- In Anthropic: 30 days, then deleted (per Anthropic’s commercial terms).
- In Supabase: until you request deletion.
- In Vercel access logs: roughly 30 days (Vercel default).
10. Children’s privacy
Flaudit is for Stanford students aged 18+. We don’t knowingly collect personal data from anyone under 18. If you believe a minor has signed up, email divyeshk@stanford.edu and we’ll delete their data.
11. Region-specific rights (GDPR / CCPA)
The project is operated from the United States. If you reach us from the EEA, UK, or California, the access / deletion / correction rights in Section 7 apply to you under GDPR and the CCPA/CPRA. You also have the right to lodge a complaint with your local data protection authority if you believe we haven’t adequately addressed your concerns. We do not “sell” or “share” personal information as defined under CCPA/CPRA.
12. Changes to this policy
If this policy changes materially, we’ll post a notice on flaudit.xyz and email currently-active users at least 14 days before the change takes effect. The “last updated” date at the top of this page reflects the most recent revision.
13. Contact
For anything privacy-related — questions, requests, complaints — email divyeshk@stanford.edu.