Privacy Policy
Last updated: July 13, 2026
This policy describes what CMDOP Inc. (“Cmdop”, “we”, “us”) does with data. It covers the cmdop.com website, your account, the Cmdop agent that runs on your machine, and our relay and inference services.
1. The short version
Cmdop runs on your machine. Most of what it touches — your files, your shell, your command output — never leaves it.
Three things do leave, and they are the honest subject of this policy: what you send to the model (so it can answer), what we need to run your account (so you can sign in and pay), and which machines you connect (so they can find each other).
We do not store the content of your prompts, your code, or your command output. We do not train on any of it.
2. Your account
To have an account we store: your email address, your name, and — if you provide them — your phone number, company, job title, avatar, language, and timezone.
If you sign in with GitHub, we receive and store your GitHub username, email, avatar URL, and the access token that lets us act on the permissions you granted.
We record account activity — sign-ins and significant actions — together with the IP address and browser user-agent they came from. We use this to investigate suspicious access and to secure accounts.
3. Your machines
Each machine you connect reports, and we store: its hostname, operating system and version, kernel version, CPU model and core count, total RAM, architecture, public IP address, battery level, and its public key.
We store connection metadata — which machine connected, when, and for how long.
We do not store the contents of your terminal sessions, the files the agent reads or writes, or the traffic passing through the relay edge.
Hostnames often contain a person’s name, and a public IP address identifies a network. We treat both as personal data.
4. What the agent sends us
When you ask the agent something, your prompt and the context it gathers (file excerpts, command output, whatever the task needs) are sent to our inference service, which forwards them to a model provider.
Command output and file contents can contain secrets — credentials, keys, personal data. The agent does not detect or strip them. What the agent sends is determined by what you ask it to do. You are responsible for not pointing it at things you would not want sent.
5. What we keep from your prompts: nothing
This is the part most worth reading carefully, because it is unusually strong and we want to be precise about its limits.
We do not store the content of your prompts or the model’s responses. Not for training, not for debugging, not for abuse review. Our inference service records only what billing requires: which model you used, how many tokens, what it cost, how long it took, and whether it succeeded. There is no field in our systems that holds prompt or response text.
We do not train models. We have none.
What we cannot promise is what the model providers do. We forward your request to a third-party provider, and their retention is theirs, not ours:
- Most requests are served under agreements where the provider does not retain input or output and does not train on it.
- Some models fall outside those agreements and are served under the provider’s standard terms, which may include retention.
- Providers may run automated abuse classifiers. If one triggers, that provider may retain the request to investigate it, under their policy.
We would rather say this than claim a blanket guarantee we do not control. The current list of providers, and which category each falls into, is published with our subprocessors.
6. Payments
Payments are processed by Stripe. Your card number never reaches us — you enter it directly into Stripe’s payment form.
We store what we need to bill you: your Stripe customer ID, your subscription and its status, orders, invoices, amounts, and usage counts. We also store the raw event Stripe sends us when something changes on your subscription.
7. Analytics and telemetry
Website. We use Google Analytics on cmdop.com to see which pages people visit. Google receives that data. Details are in our Cookie Policy.
Agent. When the agent crashes, it may send us a crash report: the error, a stack trace, the version, your operating system and architecture, a hostname, and a random installation identifier. Hostnames often contain a person’s name, and the installation identifier is stable across restarts, so we treat crash reports as personal data. We delete them after 90 days.
The agent does not send analytics about what you do with it.
8. Who else sees your data
We use third parties to run the service. Each receives only what its job requires.
Model providers — your prompts and the context the agent gathers are forwarded to one of: OpenAI, Anthropic, OpenRouter, Alibaba Cloud (DashScope), or Gonka. Which one depends on the model you choose. Serper receives your query when the agent searches the web.
Payments — Stripe receives your email, name, and the amounts you are billed.
Infrastructure — Cloudflare provides DNS, storage, and the tunnel service; certificates are issued by Let’s Encrypt.
Accounts — GitHub, if you sign in with it.
Website analytics — Google Analytics (see our Cookie Policy).
Mobile notifications — Apple (APNs), if you use a mobile app.
We do not sell your data, and we do not share it for advertising.
9. How long we keep things
| What | How long |
|---|---|
| Prompt and response content | Not stored at all |
| Account details | While your account exists |
| Machine details and connection metadata | While the machine is registered to your account |
| Account activity logs | While your account exists |
| Crash reports | 90 days |
| Billing records | As long as tax and accounting law requires, after your account closes |
10. Your rights and how to use them
You can ask us to show you the data we hold about you, correct it, delete it, or send you a copy. You can object to how we use it, and you can withdraw consent where we relied on it.
Email [email protected] and we will act on it. We respond within one month; if a request is complex we may take longer, and we will tell you before the first month is up.
Deleting your account deletes your profile, your machines, and your activity history. Billing records survive it, because tax law requires that.
If you think we have got this wrong, you can complain to your local data protection authority.
11. Where data is processed
We and our providers operate internationally, so your data may be processed outside the country you live in. Where it leaves the European Economic Area or the UK, we rely on Standard Contractual Clauses or another safeguard the law recognises.
One provider is worth naming specifically, because you should not have to dig for it: the Qwen models are served by Alibaba Cloud, which processes them in China. If that matters to you — and for many people it will — do not select a Qwen model. Every other model provider we use processes in the United States or the European Union.
12. Children
Cmdop is not for children. You must be at least 16 to use it, or the minimum age of digital consent where you live, whichever is higher.
13. Changes
We will update this policy when what we do changes, and we will move the date at the top. If a change materially affects you, we will tell you rather than leaving you to notice.
Contact: [email protected]