Privacy Policy
Last updated · May 17, 2026
SADFinder is built so the desktop app never sees the network in normal use. This privacy policy covers the small amount of data the website handles to manage your account and license.
What the desktop app sends
Almost nothing. The SADFinder app on your Mac does not collect or transmit:
- File names, paths, or contents.
- Folder structures or filesystem metadata.
- Analytics, telemetry, crash reports, or usage statistics.
- Your Apple ID, iCloud identity, or Dropbox account.
The app contacts our server only to (a) activate your license on a new Mac and (b) revalidate the license once every 7 days. Those requests contain only your license key, a machine identifier we generate locally, and basic metadata (macOS version, app version, device name as set in System Settings).
What the website handles
| Data | Why | Retained |
|---|---|---|
| Email address | Identifying your account, billing receipts, magic-link sign-in | While your account exists |
| Name (optional) | Receipts and personalization | While your account exists |
| Stripe customer ID and subscription metadata | Billing | While the account exists, plus required retention |
| License key and activated devices | License enforcement | While the license is active |
| Session cookie | Keeping you signed in (30 days) | Until you sign out or it expires |
| IP and User-Agent on each session | Detecting suspicious sign-ins | 90 days |
| Audit log entries | Security investigations | 180 days |
Where data lives
Application data is stored in Cloudflare D1 (SQLite) and Cloudflare KV, with replicas across Cloudflare's global edge. Email is sent through Resend. Payments and invoices are processed by Stripe — see their privacy policy for what they store.
What we don't do
- We don't sell or rent your data.
- We don't share data with advertisers — there are no ads.
- We don't load third-party analytics scripts on the marketing site or the account dashboard. No Google Analytics, no Facebook Pixel.
- We don't fingerprint your browser.
Cookies
Two cookies, both first-party and required:
-
sadf_sess— HMAC-signed session cookie. HTTP-only, secure, SameSite=Lax. Lifetime 30 days. -
sadf_csrf— anti-CSRF token. Lifetime 2 hours, SameSite=Strict.
Your rights (GDPR / California)
You can email hello@sadfinder.com at any time to:
- Get a copy of your data.
- Correct anything that's wrong.
- Delete your account. After confirmation we wipe your data within 30 days, except where retention is legally required (e.g. Stripe billing records).
Children
SADFinder isn't directed at children under 16. We don't knowingly collect data from them.
Changes
We'll update this page when our practices change. The "last updated" date at the top reflects the most recent material change. Significant changes get an email.
Contact
Reach out at hello@sadfinder.com.