Privacy Policy
PhoneCMD lets you control your own computer from your phone. It is built privacy-first: your traffic is end-to-end encrypted, your credentials stay on your device, and the relay that carries traffic can't read it. This policy explains exactly what we do — and mostly don't — collect.
Who this covers
This policy applies to the PhoneCMD mobile app, the PhoneCMD desktop app,
and this website (phonecmd.emirbaycan.com.tr).
What the app does with your data
PhoneCMD is a thin client: your phone connects to a host app running on your own computer. The work happens on your PC. Specifically:
- Commands, terminal output, and files flow directly between your phone and your PC over an end-to-end encrypted channel (X25519 key exchange + XChaCha20-Poly1305). They are not sent to, stored by, or readable by us.
- The connection may be relayed through Cloudflare so you can reach your PC over the internet. The relay only forwards ciphertext — it cannot see your commands or files.
- Pairing between your phone and PC uses a QR code shown on your desktop and an on-device approval step. Pairing data stays between the two devices.
API keys (OpenAI and others)
If you use the GPT agent, your OpenAI API key is stored only on your phone, in the device's secure keystore (Keychain on iOS, Keystore on Android). It is never transmitted to our servers or to your desktop. The agent talks to OpenAI directly from your phone; requests to OpenAI are governed by OpenAI's privacy policy.
Coding CLIs
When you launch a coding CLI (such as Claude, Codex, or Copilot), it runs on your PC under your own accounts and configuration. Those tools handle their own data per their providers' policies. PhoneCMD only passes your prompt to the tool on your machine.
Subscriptions
If you purchase a subscription, the purchase is processed by Google Play or the Apple App Store — we never see or handle your payment details. To keep your subscription status in sync, our subscriptions server stores a minimal record:
- A store account identifier (the obfuscated account id / app account token the store provides — not your name or email).
- The product you subscribed to, the status (active, expired, etc.), the renewal/expiry date, and a purchase token used to verify with the store.
We use this only to answer "is this user subscribed?" so the app can unlock paid features. We receive subscription lifecycle notifications from Google and Apple to keep it current. We do not use it for advertising or sell it.
What we do not collect
- No accounts, names, or email addresses are required to use PhoneCMD.
- No command history, file contents, or terminal output on our servers.
- No API keys or credentials on our servers.
- No advertising identifiers, and no selling of personal data.
This website
The website is a static informational page. It does not set advertising cookies. Your browser may store a small local preference for light/dark theme; that never leaves your device. Standard server access logs (IP, request time) may be kept by our host for security and operations.
Data retention
Subscription records are kept while your subscription is active and for a reasonable period afterward to handle renewals, refunds, and store reconciliation. You can request deletion (see below); note that an active store subscription may be re-created from store notifications.
Your choices
- Remove your OpenAI key anytime in the app's Settings — it's deleted from your device's keystore.
- Manage or cancel your subscription in Google Play or the App Store.
- Request deletion of your subscription record by contacting us.
Children
PhoneCMD is a developer tool and is not directed to children under 13 (or the equivalent minimum age in your region).
Changes
We may update this policy; we'll change the "last updated" date above and, for material changes, note it in the app or on this page.
Contact
Questions or data requests: privacy@emirbaycan.com.tr.