DevStats
Posture

Private by default.

Plain-English version: what we collect, what we refuse to collect, what we do with it, and how to walk away.

What we collect
  • SESSION COUNTSCounts of conversations / chats per day, per tool.
  • TOKEN COUNTSAggregate input / output / cache tokens per session, when the tool exposes them.
  • DURATIONSWall-clock time between the first and last message of a session.
  • MODEL NAMESShort strings like claude-opus-4-7, gpt-4o.
  • HASHED PROJECT NAMESSHA-256 truncated to 12 chars. The plaintext path never leaves your machine.
  • ACCOUNT METADATAEmail (from auth provider), chosen username, public/private toggle.
What we never collect
  • Message content, prompts, completions, or any conversation text
  • Real file paths, repository URLs, or directory listings
  • Code snippets, diffs, or source contents
  • Environment variables, API keys, or any secrets
  • Cursor positions, edit history, or anything keystroke-level
  • Browser activity outside the DevStats web app
How the CLI enforces this

The CLI parses files locally and constructs a NormalisedSession object per session before any network call. The shape is fixed:

{ tool, startedAt, endedAt, durationMs,
  tokensIn, tokensInputRaw, tokensCacheRead, tokensCacheCreate,
  tokensOut, linesAdded, linesRemoved, model, projectSlug }

That's it. No "raw payload" field, no "extra context" field. Run any command with --dry-run to inspect exactly what would be sent before it leaves your machine.

Visibility

Your account starts PRIVATE. Going public requires an explicit consent modal that lists exactly what becomes visible.

  • PRIVATEOnly you can see your dashboard. Leaderboard ignores you. /u/<you> returns 404.
  • PUBLICAggregate totals, heatmap, tool/model breakdown visible at /u/<you>. Leaderboard ranks you.
  • FLIP BACKToggling private removes your leaderboard entries immediately and 404s the profile URL.
Third parties
  • SUPABASEHosts auth + Postgres. Subject to their privacy terms.
  • UPSTASHHosts the Redis cache that powers the leaderboard's hourly refresh. Caches public aggregates only.
  • VERCELHosts the web app. Standard request logs.
  • NO ANALYTICSNo Google Analytics, no PostHog, no Mixpanel, no third-party trackers on any page.
Removing your data

From /settings (account):

  • EXPORTDownload every session row, your profile, streaks, and follow graph as one JSON file — Settings → Your data → Download JSON.
  • DELETE ONE TOOLWipe a single tool's sessions (e.g. after a bad import) without touching the rest — Settings → Your data → Delete session data.
  • DELETE ACCOUNTRemoves your user row, every session, streaks, leaderboard entries, and follows. Also deletes the auth identity. Irreversible — Settings → Your data → Delete account.