Docs / Security

Privacy & telemetry

NetShell ships with telemetry off — analytics are strictly opt-in, never include your secrets, and are never sold or used for advertising.

No telemetry by default

NetShell is a free SSH client for iPhone, iPad & Mac, and it collects nothing about how you use it unless you explicitly turn analytics on. There is no NetShell account to create, no background reporting, and no “phone home” on launch. Out of the box the app is silent: it connects to the servers you tell it to and nothing else. Privacy is the default state, not a setting you have to hunt for.

This matters for a tool that lives next to production infrastructure. The hostnames, usernames, container names, and commands you work with are sensitive by nature, so the safe default is to send none of it anywhere.

Analytics are opt-in only

If you want to help improve NetShell, you can choose to enable anonymous product analytics. The toggle is off until you flip it, and you can turn it back off at any time. When analytics are off, the app captures and transmits nothing — there is no hidden “essential telemetry” tier running underneath.

Tip. You can use every feature of NetShell — terminal, SFTP, Docker, scanning, AI, sync — with analytics permanently disabled. Opting in changes nothing about what the app can do for you; it only helps us see which features get used.

What is collected if you opt in

With analytics enabled, NetShell records coarse, anonymous usage signals — for example that a feature screen was opened or an action succeeded or failed. The goal is to understand which parts of the app earn their keep and where errors cluster, not to profile you. Specifically, opt-in analytics are designed so that:

  • Events are sanitized before they leave the device — sensitive substrings are stripped, not transmitted.
  • No passwords, passphrases, or private keys are ever included — those never leave the hardware-backed Keychain.
  • IP addresses, hostnames, and .local names are scrubbed from any captured error text, along with user@host fragments and filesystem paths.
  • Command contents and terminal output are not collected. NetShell does not ship what you type or what your servers return.

In short: the app reports that something happened, not the private details of what you were doing.

How errors are handled

When analytics are on, error reports are run through the same sanitizer before being recorded, so a failure message about a connection can be counted without revealing which server, which account, or which path was involved. Errors are also classified by severity so genuine problems can be told apart from expected, routine conditions. If analytics are off, none of this runs.

No ads, no data selling

NetShell contains no advertising and no third-party ad SDKs. We do not sell, rent, or broker your data to anyone, and there is no profile of you to sell in the first place. The app is free with no subscription, and it is not monetised by harvesting your usage. The opt-in analytics exist solely to make the product better.

Where your data actually lives

The most sensitive data never reaches any server we run:

  • Private keys & passphrases — stored in the hardware-backed iOS Keychain, protected by Face ID. They sync only through Apple's end-to-end encrypted iCloud Keychain, never a NetShell server. See Key sync.
  • Host (known-hosts) keys — stay device-local and do not sync, so host verification stays a per-device decision.
  • Connections, snippets, folders, groups, and tags — sync through your own iCloud (Key-Value Storage), described in Sync across devices. That is Apple's iCloud, tied to your Apple Account — not infrastructure we operate.

NetShell runs no sync server and no key escrow. Your working data moves between your own devices through Apple's services, or stays put if you turn iCloud features off.

On-device AI keeps prompts private

If you use the built-in Apple Intelligence assistant, requests are processed privately on-device with no account and nothing sent to NetShell. If you instead choose to bring your own model (Claude, OpenAI, or a local Ollama server), prompts go directly to the provider you configured under your own API key — NetShell is not in the middle relaying or logging them.

Security stays on regardless

Privacy and security are separate from analytics: the protective behaviours run whether or not you opt in. Host verification fails closed so credentials are never sent to an unknown or changed host, the command guard intercepts destructive commands like rm -rf and DROP TABLE, and the app auto-relocks behind Face ID after it sits idle. None of that depends on telemetry.

Your controls in one place

  1. Analytics — off by default; toggle on or off in Settings whenever you like.
  2. iCloud sync — disable iCloud Keychain or iCloud for the app in iOS Settings to keep data on one device.
  3. AI — choose on-device Apple Intelligence, your own provider key, or no AI at all.
Note. Get NetShell on the App Store. There is no subscription and no account — privacy-by-default comes standard.
Next
Encryption → Related
Key sync →