Last updated: May 7, 2026

Privacy Policy

1. Introduction

Nogic, Inc. (“Nogic”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services.

The short version: Nogic 0.2.0 is local-first. Your source code, your prompts, and the AI's responses never leave your machine. AI features run through your own CLI subscription (Claude Code, Codex) connected to a Nogic-hosted MCP server that runs inside the extension, locally on your computer. The only data Nogic's servers see is your account profile (email + name via your chosen sign-in method) and optional anonymous telemetry. The sections below describe this in detail.

2. Services Covered

This Privacy Policy applies to all Nogic products and services, including:

  • Nogic Extension: The extension available on the VS Code Marketplace, Open VSX Registry, and compatible with any VS Code-based editor or fork (Cursor, VSCodium, Windsurf, and others). The extension runs entirely on your machine and bundles a local MCP server that exposes Nogic's canvas tools to AI agents.
  • Nogic Backend (api.nogic.dev): A small set of hosted endpoints that handle account profile lookups, anonymous telemetry, and a few legacy code-insight endpoints used by certain diff-analysis features. Detailed in §6.
  • Nogic Web Dashboard (nogic.dev): The website, including account management and the auth bridge page used during extension sign-in.

Collectively referred to as the “Services.”

3. Information We Collect

3.1 Account Information

When you sign in to Nogic, we receive the following from your chosen identity provider (Google, GitHub, or email Magic Auth) via WorkOS:

  • Email address (verified by your identity provider)
  • Display name, if your identity provider exposes it
  • Profile picture URL, if your identity provider exposes it
  • A WorkOS user identifier (an opaque string, not your social identity)

We do not see passwords, OAuth refresh tokens for Google/GitHub themselves, or any data from those accounts beyond what's listed above. Authentication is mediated end-to-end by WorkOS.

3.2 Telemetry Data (optional, anonymous)

We collect anonymous telemetry to understand which features users actually use and prioritize improvements. Telemetry is fully optional and can be disabled at any time. See our Telemetry page for the complete list of events.

Telemetry never includes:

  • Source code, file contents, or AI-generated output
  • File paths, repository names, or workspace identifiers
  • Your prompts to the AI (only their length as a number)
  • Raw error messages (errors are bucketed into coarse categories)

3.3 Diff-Analysis Insights (when used)

The Diff Analyze panel's “insights” feature, when invoked, sends excerpts of the changed lines for the specific change group you're reviewing to api.nogic.dev/v1/viz/insights for a Claude-based pattern callout. This is a legacy server-side endpoint scheduled to migrate to a fully-local CLI flow in a future release. Other diff-analysis features (titles, intents, walkthroughs) already run locally through your AI CLI subscription and don't send code to Nogic.

3.4 Local Storage on Your Machine

The extension stores the following data locally, never on Nogic servers:

  • Code graph: A SQLite database of your project's symbols, file tree, and relationships, computed by parsing your code with tree-sitter on your machine. Stored under ~/.nogic/workspaces/ or in your editor's extension storage.
  • Authentication tokens: WorkOS access and refresh tokens are stored in your operating system's secure credential store (vscode.SecretStorage — Keychain on macOS, Credential Manager on Windows, libsecret on Linux). They never touch disk in plaintext.
  • Saved walkthroughs: AI-authored canvas walkthroughs you choose to save are stored under ~/.nogic/workspaces/{hash}/saved_walkthroughs/.

3.5 Website Data

When you visit nogic.dev, our web host (Vercel) may collect standard server logs (IP address, request path, user agent) for operational and security purposes. We do not use third-party analytics, advertising trackers, or persistent identifiers on the website beyond the secure, HTTP-only authentication cookie used during the dashboard sign-in flow.

4. Information We Do Not Collect

Nogic does not collect, transmit, or store:

  • Your source code, file contents, or working-tree diffs (except the limited insights case in §3.3)
  • Your prompts to the AI or the AI's responses
  • File paths, repository names, branch names, or commit messages
  • Environment variables, secrets, API keys, or credentials from your codebase
  • Your code graph (symbols, dependencies, call graphs) — that lives only on your machine
  • The contents of saved walkthroughs you author
  • Personal information of other developers visible in your repository

AI features in Nogic 0.2.0 use your own AI CLI subscription (Claude Code or Codex). When you press Cmd+K, the extension launches your CLI as a subprocess on your machine and connects it to a local MCP server hosted inside the extension itself. The CLI talks directly to Anthropic's or OpenAI's servers under your account's contract — Nogic is not in that path.

5. How We Use Your Information

We use the collected information to:

  • Authenticate your identity and gate access to AI features
  • Display your account email and avatar inside the extension UI
  • Analyze anonymous usage patterns to prioritize development
  • Detect, prevent, and address technical issues and abuse
  • Respond to your inquiries and provide customer support

6. Third-Party Service Providers

We use a small number of third-party services. Data shared with each is limited to what is strictly necessary for that service's function:

  • WorkOS: Authentication and identity management for sign-in. WorkOS receives your email, name, and profile picture from your chosen identity provider (Google, GitHub, Magic Auth email). Subject to WorkOS's Privacy Policy.
  • Azure Application Insights (Microsoft): Anonymous extension telemetry. Data is retained for 90 days. Subject to Microsoft's Privacy Statement.
  • Anthropic (only when invoking insights — §3.3): Excerpts of changed code lines from the diff-analysis insights feature are sent through our backend to Anthropic's Claude API to generate pattern callouts. Subject to Anthropic's Privacy Policy. Per Anthropic's commercial terms, API inputs are not used to train their models.
  • Google Cloud Run: Hosts the Nogic backend (api.nogic.dev). Standard cloud infrastructure provider; no Nogic-specific data sharing.
  • Vercel: Hosts the nogic.dev website. May collect standard server logs for operational purposes.

What about your AI CLI subscription? When you press Cmd+K, your local Claude Code or Codex CLI sends prompts directly to Anthropic or OpenAI under your subscription's contract. Nogic is not in that path; we don't see those prompts or responses. The use of those services is governed by your agreement with Anthropic or OpenAI, not by Nogic.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • With the third-party service providers listed in §6, solely for the purposes described
  • To comply with legal obligations or respond to lawful requests from public authorities
  • To protect our rights, privacy, safety, or property, or that of our users
  • In connection with a merger, acquisition, or sale of assets (you will be notified of any change in ownership or use of your data)

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data in transit is encrypted using TLS
  • Authentication tokens are stored in your OS's secure credential store, not in plaintext on disk
  • Backend secrets (WorkOS API key, etc.) are stored in Google Secret Manager and never appear in source code or extension bundles
  • Anonymous identifiers use irreversible cryptographic hashing
  • The extension's local MCP server binds to a randomly-assigned localhost port, accessible only to processes on your machine

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

9. Data Retention and Deletion

We retain your account profile only as long as your account is active.

  • Sign-out: Clears your authentication tokens from your machine. Your account profile remains in WorkOS until full deletion.
  • Account deletion: Email support@nogic.dev to request full deletion of your account profile from Nogic and WorkOS.
  • Telemetry: Retained by Azure Application Insights for up to 90 days.
  • Local data: Your code graph and saved walkthroughs live on your machine. Uninstalling the extension and deleting ~/.nogic/ removes all local Nogic data.

10. Cookies and Tracking

The nogic.dev website sets a single secure, HTTP-only authentication cookie when you sign in to the dashboard. We do not use marketing cookies, third-party trackers, or persistent fingerprinting identifiers. The extension itself does not use cookies.

11. Telemetry Opt-Out

Telemetry is optional. To disable it, do either of the following:

  • Set "nogic.telemetry.enabled": false in your editor settings.
  • Set "telemetry.telemetryLevel": "off" for VS Code's global telemetry — the extension respects it automatically.

See the Telemetry page for the full event list and details.

12. Your Rights

Depending on your location, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and all associated data
  • Object to or restrict processing of your data
  • Request data portability
  • Withdraw consent at any time

To exercise any of these rights, contact us at support@nogic.dev.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date. Material changes may also be communicated via email or in-product notices.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, contact us at support@nogic.dev.