Privacy Policy

Effective date: July 10, 2026

Pupa is an open-source native iOS and macOS app. This policy explains, in plain language, what data the Pupa app does and does not handle. The short version: the Pupa app collects no analytics, has no accounts, and gathers no personal data. Your data lives on your own devices and on a backend that you run and own.

The architecture, and why it matters for privacy

The Pupa app is a client. It talks to a backend that you run and own — either locally on your own machine, or deployed to your own cloud account. Pupa does not operate a server that sits between you and your data. There is no Pupa account to create and no Pupa-operated service collecting your usage.

What the app collects

  • No analytics. The app does not track your usage, does not embed third-party analytics, and does not send telemetry to us.
  • No accounts. There is no sign-up, no login to a Pupa service, and no user profile held by us.
  • No personal data collected by us. We do not receive, store, or process your personal information.

Where your data lives

  • On your devices. Your MyApps (typed components, canvas state) and your long-lived Memories filesystem are stored locally on your device, in the app's own storage.
  • On your own backend. When you pair the app to a backend, that backend is one you run — locally or in a cloud account you control. Conversation state and any persistence it keeps live there, under your control, not ours.

Model providers

Your backend sends your conversations to whichever model provider you configure it with — for example Anthropic, Amazon Bedrock, or any OpenAI-compatible endpoint. That processing is governed by that provider's terms and privacy policy, and by the credentials you supply to your own backend. Pupa does not choose a provider for you and never receives your API keys — they live in your backend's environment, never in the app or with us.

Marketplace downloads

When you browse or install a MyApp bundle (a .pupa file) from a marketplace, the bundle is fetched over HTTPS from a public host — the official marketplace is served from GitHub. Fetching a public file is a standard web request to that host; we do not track which bundles you view or install. Bundles are inert JSON and are validated as untrusted input on import.

Children's privacy

Pupa is not directed at children under 13 and collects no personal data from anyone, including children.

Changes to this policy

We may update this policy as the app evolves. Material changes will be reflected here with a revised effective date.

Contact

Questions about privacy? Open an issue on GitHub, or email pupa-app-help@proton.me.