Privacy policy

1. Scope

This policy describes how the Gortex project handles your data when you use any of the following:

• The gortex CLI binary, daemon, MCP server, and HTTP server, distributed via get.gortex.dev, Homebrew (zzet/tap/gortex), or signed release tarballs from GitHub.
• The gortex.dev static website (this site).
• The Gortex Anthropic Plugin Marketplace bundle distributed at github.com/gortexhq/claude-plugin.
• The Gortex Cloud product, where it has been opted into (see §6 below).

2. What the CLI collects

Nothing leaves your machine without an explicit action by you. The CLI is a single Go binary. When you run it, it:

• Reads source files from the directories you point it at, parses them with tree-sitter, and stores the resulting graph in a local cache directory (~/.cache/gortex/ on macOS / Linux).
• Writes a small per-machine identifier (a UUID at ~/.cache/gortex/server.id) used only to disambiguate concurrent local instances. It is never transmitted off-machine.
• Tracks cumulative token-savings statistics in ~/.cache/gortex/savings.json for the gortex savings CLI command. This file stays on your machine.
• Optionally fetches a sentence-embedding model on first use (see §4).

The CLI carries no analytics SDK, no error-reporting service, no usage telemetry, and no auto-update beacon. You can verify this by reading the source or by running gortex with the network disabled — every command except those explicitly documented as "fetches X" works fully offline.

3. What this website collects

gortex.dev is a static site served via Cloudflare Pages. It runs no analytics scripts, sets no cookies, and embeds no third-party trackers. Cloudflare records standard edge-server logs (IP address, user agent, request path, timestamp) for security and abuse mitigation; these logs follow Cloudflare's privacy policy and are not accessed by Gortex except in response to a suspected security incident.

4. Third-party services the CLI may contact

The CLI reaches the following endpoints only in response to an explicit user action:

• GitHub Releases — when the installer at get.gortex.dev fetches a release tarball, or when a user-initiated gortex upgrade pulls a new version. GitHub's privacy statement applies.
• Hugging Face — when the local sentence-embedding model (MiniLM-L6-v2) is auto-downloaded on first use of semantic search. The model is cached locally and not re-fetched. Hugging Face's privacy notice applies to that single download. You can disable semantic search to avoid this fetch entirely.
• Anthropic Plugin Marketplace — when you install the Gortex plugin via Claude Code's /plugin command, Claude Code fetches the plugin bundle from github.com/gortexhq/claude-plugin. We do not see or store any data about your installation; only GitHub does.

No other outbound network requests originate from the CLI in its default configuration.

5. The marketplace plugin

The Anthropic Plugin Marketplace bundle for Gortex is a static archive of skills, slash commands, MCP server configuration, and hook scripts. Installing it configures Claude Code to invoke your local gortex binary; it does not establish any connection to a Gortex-operated server. Privacy behaviour is identical to the CLI itself, described in §2.

6. The Gortex Cloud product (opt-in)

Gortex Cloud is a hosted multi-tenant version of Gortex. It is opt-in by explicit action — you initiate it by running gortex cloud login and authenticating to the Cloud control plane, or by installing the Gortex GitHub App on a repository.

When you opt in, the Cloud product collects and processes:

• Account identifiers (email, GitHub user ID, organisation ID).
• Source code from repositories you explicitly authorise, indexed into a managed graph and held server-side for as long as the integration is installed.
• Authentication tokens needed to access those repositories on your behalf, stored encrypted at rest.
• Usage metrics (tool-call counts, query latency) for billing and capacity planning.

Cloud-specific data is never used to train models we do not already disclose to you, and is never sold or licensed to third parties. Detailed Cloud terms — including data retention, deletion, sub-processors, and security commitments — are published as a separate document at the time the Cloud product becomes generally available.

7. Children's privacy

Gortex is a developer tool and is not directed at children under 13. We do not knowingly collect personal information from children.

8. Your rights

Because the CLI does not transmit personal data to us, there is normally nothing for us to access, correct, export, or delete on your behalf. If you have used the Cloud product, you may request access to, correction of, export of, or deletion of your Cloud-side data by contacting the address in §10.

Where applicable, you have rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), and analogous laws, including the right to lodge a complaint with your local data protection authority.

9. Security

Release artifacts are signed with cosign (keyless OIDC), accompanied by SLSA-3 provenance, and scanned with VirusTotal before publication. The website is served over HTTPS only. Cloud-product authentication tokens, when collected (§6), are stored encrypted at rest. Despite reasonable precautions, no system is perfectly secure; you assume the residual risk inherent to any internet-connected service.

10. Contact

Privacy questions, data-access requests, and complaints: privacy@gortex.dev.

Commercial / licensing inquiries: license@zzet.org.

11. Changes to this policy

Material changes will be reflected by updating the "Last updated" date at the top of this page and, for Cloud-product users, by an in-product notification. We do not operate a mailing list and will not contact you by email about policy changes unless you have opted into Cloud-product email notifications.

12. Governing law

This policy is governed by the law of the operator's jurisdiction (see LICENSE.md for the operator identity). Statutory rights you have under your local law are unaffected by this clause.