Privacy

Privacy Policy

Last updated: 8 May 2026.

TL;DR. ShellPhone doesn't collect anything about you. There is no account, no telemetry, no cloud sync, no third-party SDKs that phone home. Your servers, your keys, your traffic — that's it.

What stays on your device

Everything that defines your use of ShellPhone lives on the device you're holding:

SSH keys — encrypted on-device using the operating system's keychain (iOS / iPadOS / macOS Keychain, or Android encrypted preferences). Unlocked with biometrics or your device PIN. We do not have a server you could upload them to.
Saved connections, tunnels, snippets and macros (Power user) — host, user, port, key reference, tags, command sequences. Stored in an encrypted local database.
Command history — searchable, encrypted, local only.
Themes, fonts, language preference — local preferences (free for everyone).
Subscription entitlements — cached locally as a small signed confirmation that your unlock is currently active, including the expiry date the store returned (see the next section).

What goes over the network

ShellPhone makes exactly four kinds of outbound connection. That's it:

SSH (or Telnet, if you subscribe to Power user) to your servers. That's the entire point of the app.
VNC over TCP (if you subscribe to Remote desktop) to the VNC servers you choose. The protocol negotiates encodings (raw, CopyRect, RRE, Hextile, ZRLE) directly with your server.
Anonymous queries to cht.sh when you use the natural-language snippet search. No API key, no account, no identifying header. Stop searching and the queries stop. The free service is operated by a third party (cht.sh) under their own terms.
Subscription receipt validation, when you start a subscription, restore one, or your app revalidates a previously-cached unlock. The app asks a small service of ours to confirm with Apple or Google that your receipt is genuine, and returns a short signed confirmation that includes the expiry date so the app can unlock the bundle until then. We do not store the receipt, do not associate it with any identifier, and keep no log of the query.

No analytics endpoint. No crash reporter. No "phone home on launch" pings.

What we don't do

Spelled out, so you don't have to read between lines:

No analytics SDK — no Firebase, Mixpanel, Amplitude, Sentry, Crashlytics, TelemetryDeck or equivalent.
No advertising identifier is read or transmitted (no IDFA on iOS, no AAID on Android).
No third-party tracking SDKs of any kind.
No ShellPhone backend that stores your data. We do not run servers that hold your connections, your keys, your settings, or any other personal content. The only backend we operate is a small receipt-validation endpoint (see "What goes over the network").
No account. There is no signup screen because there is no backend that wants to know who you are.

Optional cloud sync (iCloud / Google)

ShellPhone has an optional sync mode that uses your own iCloud account (on iPhone, iPad and Mac) or your Google account (on Android) to share your saved connections, snippets and preferences across devices signed into the same account. The feature is off by default; you enable it from Settings.

When you turn it on:

Your data is stored in your iCloud or Google account — never on a ShellPhone server, because we do not run one.
Apple or Google handle the sync; we never see what you sync, who you are, or which devices it reaches.
Your SSH keys stay in the OS keychain on each device and are not part of this sync. They remain device-local at all times.
Turning sync off in Settings, or signing out of iCloud / Google, removes the synced copy from those services on the platform's normal schedule.

If you never turn it on, ShellPhone behaves exactly like a strictly-local app: everything stays on the device, nothing leaves it except your own SSH traffic to your own servers.

Permissions

The permissions the app may request, and why:

Biometric (Face ID / Touch ID / fingerprint). Used locally to unlock the app and to authorise connections. Never transmitted off the device.
Wi-Fi network name (SSID) — only with the Power user bundle and only if you enable Wi-Fi triggers. iOS requires "Location When In Use" permission to read SSIDs (it's the only Apple API that exposes them). The SSID is matched against your saved triggers locally; nothing about your location is stored or transmitted.
Local network access — only with the Network tools bundle, and only when you actively run a tool that needs it (subnet scanner, port scanner, Wake on LAN). iOS shows a "Local Network" prompt the first time. We don't scan in the background.
Files / Storage access. Used when you pick a key file or upload a file via SFTP. Standard system file picker; we don't index or copy your files in the background.

Your rights under GDPR / CCPA

You have the right to know what personal data is processed about you. The honest answer for ShellPhone is: none. There is no profile, no log, no record of you on any server we run.

If you want to delete everything ShellPhone knows about you, uninstall the app. That removes the encrypted local database, the keychain entries scoped to ShellPhone, and any cached subscription confirmations. Apple and Google keep their own subscription and billing records under their respective policies; we don't.

Children

ShellPhone is a tool for people who already know what SSH is. It is not directed at children under 13. We do not knowingly collect data from children — the simple way being that we do not knowingly collect data from anyone.

Changes to this policy

If we change this policy, we'll update the "Last updated" date at the top and post the new version at this URL. Material changes (any new data collection, integration of new third parties) will be flagged in the in-app release notes for the affected version.

Contact

Questions, complaints, or someone-told-me-this-was-broken reports:

apps.sggyamg [at] gmail [dot] com

This policy is published by sggyamg, the developer of ShellPhone, based in Madrid, Spain.