Privacy Policy

Effective April 7, 2026

The short version: Your tasks live on your device. AI requests go directly to the provider you choose — we never see them. If you pair with an AI agent, your tasks, settings, and activity sync through our Cloudflare infrastructure so the agent can manage your list. SHrimp Email and in-app feedback also pass through Cloudflare temporarily. We don't run analytics, we don't serve ads, and we don't sell your data.

1. On-device data

All task data — titles, notes, due dates, categories, archive history — is stored locally on your iPhone in the app's sandboxed storage. Nothing is transmitted unless you use one of the features described below.

AI provider settings and API keys are stored in the iOS Keychain, encrypted at rest and protected by your device passcode.

2. AI providers

When you use AI features, your task data and input are sent directly from your device to the provider you've configured. These requests never pass through any server we operate. The data sent includes your current task list, the text you type, any images you attach, and the system prompt (which you can view and edit in Settings).

SHrimp supports 8 providers:

OpenAI (ChatGPT) — openai.com/privacy
Anthropic (Claude) — anthropic.com/privacy
Google (Gemini) — policies.google.com/privacy
Mistral — mistral.ai/terms
xAI (Grok) — x.ai/legal/privacy-policy
Perplexity — perplexity.ai/privacy
Groq — groq.com/privacy-policy
OpenRouter — openrouter.ai/privacy

Each provider has its own data retention practices. In manual mode (no AI provider), no data leaves your device.

3. MCP server (agent mode)

SHrimp includes an MCP server (@hermitsh/shrimp-mcp) that lets AI agents like Claude manage tasks from the command line.

Local mode: When running unpaired, the MCP server stores tasks in a local JSON file on your computer (~/.shrimp/tasks.json). An anonymous daily ping is sent to our server to count active installations — this contains no identifying information, no task data, and no device fingerprint. That's the only network request in local mode.

Paired mode: When you pair the MCP server with the iOS app using a 6-digit code, the following data is transmitted through our Cloudflare Worker:

A pairing token that links your agent to your device
Task data (synced as snapshots between agent and phone)
Your custom prompt sections and AI provider/model configuration
Pipeline logs — your AI processing history (7-day TTL)
Inbox metadata — source, timestamp, and status of inbox items (7-day TTL)
Your APNs push token (to notify you when an agent modifies tasks or settings)

Task snapshots are stored in Cloudflare KV and overwritten on each sync. Settings and metadata expire after 7 days of inactivity. Pairing tokens are stored in a Cloudflare Durable Object for the duration of the pairing. You can unpair at any time from the iOS app in Settings, which deletes the pairing token and all synced data.

4. SHrimp Email

SHrimp Email is optional. If you enable it, the app generates a unique email address (e.g. adjective-verb-noun@hermitshell.ai) and registers it with a Cloudflare Worker.

Your APNs push token is sent to the Worker to deliver notifications
Inbound email content is stored temporarily in Cloudflare KV
Email content is deleted after you fetch it or after 24 hours — whichever comes first

No account is required. You can delete your email address and unregister from the Worker at any time in Settings.

5. Speech recognition

Dictation uses Apple's Speech framework. Depending on your device and iOS version, audio may be processed on-device or by Apple's servers — this is governed by Apple's Privacy Policy. SHrimp does not record, store, or transmit audio. It only receives the transcribed text.

6. Authentication

ChatGPT sign-in uses OAuth 2.0 with PKCE. Tokens are stored in the iOS Keychain. We never receive your OpenAI credentials. Your email address is retrieved from the OAuth ID token, stored locally, and used only to display your account identity in the app.

All other providers use API keys stored in the iOS Keychain and sent directly to the provider. We never see or store your keys.

7. What we collect

SHrimp does not include analytics, crash reporting, advertising SDKs, or tracking of any kind. There is no telemetry.

The data we do handle on our Cloudflare infrastructure, depending on which features you use:

SHrimp Email: APNs token, generated email address, inbound email content (temporary)
Agent pairing: Pairing token, task snapshots, prompt sections, provider/model settings, pipeline logs (7-day TTL), inbox metadata (7-day TTL), APNs token
In-app feedback: Message text, device model, and app version (stored 90 days, forwarded to support email)
MCP local mode: Anonymous daily ping (no identifying data)

If you don't use any of these features, we collect nothing.

8. Data sharing

We do not share, sell, rent, or trade your data with third parties. The only external data transmission is between your device and the AI provider you configure.

9. Data retention & deletion

Local task data is under your control — deleting the app removes it. Email content is auto-deleted within 24 hours. Agent pairing data is deleted when you unpair. The anonymous daily ping from the MCP server contains no data to retain.

10. Children's privacy

SHrimp is not directed at children under 13. We do not knowingly collect data from children.

11. Changes

If this policy changes, the updated version will be posted here with a new effective date.

12. Contact

Questions about this policy? Reach us at support@hermitsh.ai.