Privacy Policy
Last updated: July 2026
Overview
LimitWatch ("the App") is developed and operated by an independent developer. We take your privacy seriously. This policy explains what data the App accesses, how it is used, and your rights.
Data That Stays on Your Devices
The Mac app reads quota and usage data from locally installed AI tools (such as Claude, Codex, Gemini, and Cursor) by accessing their configuration and session files on your computer. The raw tool files are parsed on your Mac and are never uploaded. LimitWatch keeps the derived quota snapshots (and optional session summaries) in the app's private container — the Mac app is distributed as a notarized Developer ID app, not through the App Store. If you enable iCloud sync or QR pairing, those derived records are transmitted through Apple's iCloud / CloudKit as described below.
iCloud Sync
LimitWatch uses Apple's CloudKit and iCloud Key-Value Store to sync quota snapshots, preferences, and notification state between your Mac, iPhone, and Apple Watch that are signed in to the same Apple ID. This data is transmitted and stored through your personal iCloud account under Apple's privacy terms. This same-account sync path uses only your personal iCloud — not our servers. The exceptions are described below: cross-account QR pairing (which shares data through Apple's CloudKit, not our servers) and two purpose-separated minimal backends used only for subscription validation and push-notification routing.
Cross-Account Pairing (QR)
If you scan a QR code to pair a Mac signed in to a different Apple ID, that Mac's quota snapshots (and any session summaries you choose to sync) are shared through Apple's CloudKit public database, isolated by a pairing token. This shared snapshot / session data lives in Apple's CloudKit, not on our servers; our backend only routes the compact push notifications and approval decisions for paired devices. This is the only case where data leaves a personal iCloud account into a shared store. Access is gated by the pairing token, which you can revoke at any time by removing the pairing in the app. No AI prompts, chat content, or full transcripts are shared this way.
Our Backends (Subscriptions & Push)
We operate two purpose-separated minimal backends:
- Subscription validation at
paywall.limitwatch.app. This backend receives Apple's signed App Store transaction notifications and stores subscription identifiers (such as the Apple transaction ID and an optional app account token), the product and tier, status, and purchase / expiration / revocation dates. We never receive your payment card details, Apple ID, email address, name, or App Store password. - Push notifications at
apn.limitwatch.app. If you enable push alerts, this backend stores your device's Apple Push Notification service (APNs) token, preferred notification language, and pseudonymous routing identifiers — one-way hashes of your iCloud account and any pairing tokens, never the raw values — so notifications reach the right devices and can be localized per device. An APNs alert may include the visible notification title, body, and provider branding needed to show the banner, plus a compact event pointer; the canonical inbox, session, and quota data is fetched through Apple / iCloud and is not stored on our backends. For agent approvals, a small allow / deny decision may be relayed to your paired Mac. Beyond the registration and routing data above, the push backend stores only delivery metadata (event id, hashed token, status, timestamps) — never the notification title or body.
These backends do not store your AI usage, quota values, session transcripts, prompts, or chat content. You can disable push notifications at any time in the app or in system Settings.
Crash Reporting (Sentry)
We use Sentry to collect anonymous crash reports and performance data. This helps us identify and fix bugs. Crash reports may include:
- Device model and OS version
- App version and build number
- Stack traces from crashes
- Basic performance metrics
Crash reports do not include your AI usage data, session transcripts, quota information, API keys, or any personally identifiable information. Sensitive fields (authorization tokens, passwords) are automatically scrubbed before transmission.
Update Checks (Sparkle)
The Mac app checks for updates using Sparkle. Each update check sends a request to dl.limitwatch.app/appcast.xml that includes anonymous system information as URL query parameters. This lets us serve the right build to the right hardware and understand which macOS versions are still in use.
- macOS version
- CPU architecture, type, subtype, and 64-bit capability
- Number of CPU cores
- Mac model code (e.g. Mac16,10)
- Preferred system language
- App marketing version and build number
- App release channel (stable / beta)
These requests do not include any personal identifier, Apple ID, email, AI usage data, or quota information. Raw request logs stay on the update server (dl.limitwatch.app) and rotate on a standard HTTP server schedule. You can disable automatic update checks at any time in the app's settings.
No Advertising, No Tracking
LimitWatch does not include any advertising SDKs, analytics trackers, or cross-app / cross-website tracking. Beyond Apple's own services, the third parties involved are Sentry (crash reporting) and Sparkle (Mac update checks); push delivery uses Apple Push Notification service, while subscription validation and push routing run on our own purpose-separated minimal backends (paywall.limitwatch.app and apn.limitwatch.app). If you set up optional webhook or chat integrations (for example a Bark, Discord, Slack, or custom webhook target), your Mac sends the alerts you choose directly to those services using the endpoint and token you provide — we do not store those integration credentials on our backends. We do not sell, share, or monetize your data in any way.
In-App Purchases
Subscription and purchase transactions are processed by Apple through the App Store; we never receive your payment card or billing details. To unlock paid features across your devices, our subscription backend validates your subscription and stores Apple transaction identifiers and status — see "Our Backends (Subscriptions & Push)" above.
Data Deletion
You can delete all your data at any time through the app's Settings. This removes all local data and iCloud-synced data associated with your account.
Children's Privacy
LimitWatch is not directed at children under the age of 13. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date.
Contact
If you have questions about this privacy policy, contact us at [email protected].