Privacy Policy

At a glance

SSHed is a native SSH and Telnet client for iPhone, iPad, and Mac, with an optional AI assistant for command suggestions and output explanation. We treat your servers and credentials as highly sensitive — most of this policy is about how we don't collect things.

1. Information stored on your device

The following data lives only on your device (and optionally syncs across your own Apple devices via iCloud — see §3):

Data	Storage	Default sync
Saved hosts (hostname, port, username, nickname, group)	UserDefaults / CloudKit	iCloud sync (Apple ID required)
Connection history and favorites	UserDefaults / CloudKit	iCloud sync
SSH passwords, ed25519 private keys, TOTP secrets	iOS / macOS Keychain	Local only — never synced unless you opt in per-host
Quick Commands (text + optional TOTP secret)	UserDefaults + Keychain (TOTP)	Local only in v1; cross-device sync planned for a future update
AI provider configuration (Mac only — bring-your-own-key users)	Keychain	Local only, never synced

Removing the app from your device deletes all locally stored data. iCloud-synced metadata persists across reinstalls until you remove it from your iCloud account.

2. The AI assistant

SSHed includes an AI assistant that helps you compose shell commands and interpret terminal output. We want to be very specific about how it works because the privacy implications are real.

2.1 What the AI sees

The AI receives only the following, and only when you explicitly use it:

• The natural-language question you type into the AI input sheet.
• The connected username (e.g. deploy) — used so the AI knows whether to suggest sudo or not.
• Recent terminal output, only when you tap the "Explain Output" button. We send the most recent ~100 lines from the on-screen buffer.
• A device profile tag (e.g. "Cisco IOS", "Linux") if SSHed has detected one — never any host identifier.

The AI does not see your hostname, IP address, SSH password, private key, TOTP secret, or anything else from your saved profile.

2.2 Where requests go

On iOS and iPadOS, AI requests flow:

SSHed app  →  api-sshed.ray-zhang.xyz  →  api.deepseek.com

The middle layer is a Cloudflare Worker we operate. It exists to:

• Track a daily / hourly call quota per anonymous device (so we can offer a free tier).
• Hold the upstream API key, so each user doesn't need to manage one.
• Enforce rate limits to prevent abuse.

The Worker logs aggregate metrics (timestamp, anonymized device hash, latency, HTTP status, model name) for billing and abuse prevention. It does not log message content. See §4.2 for retention.

On macOS, you can optionally configure your own AI provider key (bring-your-own-key). In that case requests go directly from your Mac to your chosen provider and never touch our servers.

2.3 What the AI does not do

• It never executes a command for you. AI-suggested commands appear in a code block; you must tap "Send to terminal" or copy them yourself. This is a hard product invariant, audited by our test suite.
• It never sees screenshots, photos, contacts, location, calendar, or any other system data.
• It never speaks to your servers directly — only your device does.

3. iCloud sync

SSHed uses Apple's CloudKit to sync your host list, history, and favorites across your devices. We do not see this data — it is end-to-end encrypted via your iCloud account.

Two tiers of sync exist:

• Tier 1 (default on): Hostname, port, username, nickname, group, last-used timestamp, favorites, connection history. Required for the app to work consistently across devices.
• Tier 2 (opt-in per host): SSH passwords, key passphrases, encrypted private keys. You must explicitly toggle "Sync this credential" on each host's detail page. iCloud Keychain encrypts these end-to-end — Apple cannot read them, and neither can we.

Disable iCloud sync entirely from the first-run onboarding sheet ("Keep Local Only"), or in the iOS / macOS system Settings → iCloud → SSHed.

4. Third-party services

4.1 DeepSeek (LLM provider)

Your AI prompts are processed by DeepSeek (api.deepseek.com), which generates the response. Per their policy, DeepSeek may retain prompts and responses for service operation and abuse prevention. We do not control or modify DeepSeek's data practices.

We may switch the upstream model provider in the future (e.g. to OpenAI or Anthropic) without changing this policy materially — the provider category and our obligations stay the same.

4.2 Cloudflare

The Worker that proxies AI requests runs on Cloudflare. Cloudflare may retain request metadata (IP address, timestamp, response status) per their standard infrastructure logging. They do not see message content beyond what's required to forward it.

Our own Worker logs (Cloudflare Analytics Engine) retain anonymized aggregates for up to 90 days for cost and abuse monitoring.

4.3 Apple

Apple processes payments for the Pro subscription via the App Store, validates receipts, and provides crash reports through Xcode Organizer. We receive only what Apple shares with developers — anonymized crash logs and aggregate sales data.

4.4 What we don't use

SSHed does not integrate Firebase, Google Analytics, Mixpanel, Amplitude, Sentry, or any other third-party SDK that collects user behavior. There are no banner ads, interstitial ads, or affiliate trackers.

5. Pro subscription

If you subscribe to SSHed Pro, Apple processes the payment. We receive an anonymized receipt that proves you have an active subscription, plus your subscription tier (free or pro). We use this only to lift your daily AI call quota.

Cancel anytime from iOS / macOS Settings → Apple ID → Subscriptions. Apple's standard refund policy applies.

6. Children's privacy

SSHed is a developer tool for managing remote servers. It is not directed to children under 13, and we do not knowingly collect data from children under 13.

7. Your rights

You can:

• Delete all local data by uninstalling the app.
• Delete iCloud-synced data via iOS / macOS Settings → Apple ID → iCloud → Manage Storage → SSHed → Delete Data.
• Cancel your Pro subscription anytime; existing data remains, only quota reverts to Free tier.
• Email us at crusade.ray@gmail.com to request a copy of any data tied to your anonymized device hash, or to have it deleted from our Worker logs. We respond within 30 days.

Residents of the EU, UK, California, and other jurisdictions with data-protection laws have the right to access, correct, port, or erase data we process about them. Email us using the address above.

8. Security

We use HTTPS / TLS for all network traffic. Local credentials use the iOS / macOS Keychain with kSecAttrAccessibleAfterFirstUnlock. Optional iCloud Keychain sync is end-to-end encrypted by Apple. The Worker uses HS256-signed JWTs with short expiration (5 minutes per token, refreshed silently).

That said: no service is perfectly secure, and we recommend not storing the password to your most sensitive servers in any third-party app — including ours. Use SSH keys with passphrases when possible.

9. Open source

The SSHed app is in the process of being open sourced. The Cloudflare Worker code is also open source. You can audit how data is handled at github.com/crusaderay. If you find a privacy issue, please email us before disclosing publicly — we'll fix it fast.

10. Changes to this policy

If we change anything material — new third-party service, new data category, new retention practice — we will update the "Effective" date at the top and notify users on next app launch with a banner. Old policies remain accessible at the project's GitHub repository under docs/sshed-intro/.

11. Contact

Questions, requests, or anything else:

crusade.ray@gmail.com

We're one engineer working on this independently — replies usually arrive within 1–2 business days.