On-device privacy
IncidentScribe’s privacy posture isn’t a marketing line you have to take on faith. It’s a property the operating system enforces. Your incident artefacts, the extracted timeline, and the drafted postmortem all stay on your Mac, because there is no code path that could send them anywhere — and the macOS App Sandbox is the thing checking.
What stays on your Mac
Everything the app touches. Extraction and drafting run entirely on-device on Apple Silicon. Incident data is stored locally; there is no account, no cloud sync, no shared workspace.
What we don’t do
- No cloud sync. Local storage only, configured with no CloudKit container.
- No telemetry. No analytics SDKs in the app, no remote logging, no crash reporters that ship a payload.
- No third-party SDKs. The app’s privacy manifest declares no collected data and no tracking domains.
The App Sandbox is the verifier
IncidentScribe ships through the Mac App Store with the App Sandbox enabled. Outgoing network access is limited to StoreKit receipt validation. The entitlements file declares only what the app actually needs — there is no general-purpose outbound network permission for incident data to leak through. That’s what makes “on-device” a mechanical guarantee rather than a pledge: the sandbox would block the call before it left.
The one exception, and it’s opt-in
The Pro tier offers a bring-your-own cloud key option for teams that are allowed to use cloud LLMs and want IncidentScribe’s structured pipeline on top. It’s off by default, Keychain-stored, and sits behind a compliance master switch. If your organisation bans cloud LLMs, you never touch it and nothing changes. The on-device pipeline is the product; the cloud key is a door most users never open.
This is the whole reason IncidentScribe exists: it serves the operators that cloud incident tools can’t reach. The site you’re reading uses privacy-anonymised analytics; the app does not. See the full privacy policy.