Privacy
Coax is a local-first developer tool. Everything you do — every workspace, collection, request, environment variable, secret, and response — lives only on your machine, in the application database under your OS's standard application data directory. We do not have a server. We do not have an account system. We cannot read your data.
This document covers the one narrow exception: opt-in anonymous crash reporting.
TL;DR
- Crash reporting is off by default.
- You are asked once, on first launch, with a clear yes/no. Either choice is remembered.
- If you say "no thanks," nothing is ever sent anywhere.
- If you say yes, only crash data is sent — stripped of URLs, headers, response bodies, file contents, and variable values before transport.
- You can change your mind any time in Settings.
What gets collected (only if you opt in)
The crash reporting integration is built on Sentry. When the application crashes:
- Stack trace. Function names, file names within the Coax codebase, line numbers.
- Operating system. "macOS 15", "Windows 11" — broad family + version.
- Coax version. So we know which release introduced a regression.
- Process + component. "main" vs "renderer", and the component that crashed.
- Breadcrumbs. A short trail of events leading up to the crash. Console logs are explicitly filtered out.
What is never collected
Every event runs through a scrubber before it leaves your machine:
| What | Replaced with |
|---|---|
| Any URL (https://..., http://...) | <url> |
| Workspace and home directory paths | <workspace>, <home> |
| HTTP request lines from .http files | <http-line> |
| Authorization: header values | Authorization: <redacted> |
| Bearer tokens (Bearer abc...) | Bearer <token> |
| {{variableNames}} from your workspace | {{var}} |
| Request headers, cookies, request bodies | dropped entirely |
We additionally do not collect: name, email, IP address, account identifier (we don't have accounts), content of your .http files, workspace / collection / request names, env variable names or values, response bodies / headers / status codes, or the endpoints you talk to.
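To make the replacement table concrete, here is one way such a scrubber could be written as a Sentry `beforeSend` hook. This is an added example, not Coax's own code: `makeScrubber`, the regular expressions, the rule order, and the sample event are all assumptions constructed for illustration.

```javascript
// Added example: names, regexes and sample data are assumptions, not Coax's code.
const METHODS = 'GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS';
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

function makeScrubber({ home, workspace }) {
  // Order matters: specific rules run first, so a request line is replaced whole
  // before the URL rule sees it, and the workspace path wins over its parent home.
  const rules = [
    [/\b(Authorization:\s*)[^\r\n]+/gi, '$1<redacted>'],
    [/\bBearer\s+[A-Za-z0-9._~+\/=-]+/g, 'Bearer <token>'],
    [new RegExp(`^[ \\t]*(?:${METHODS})[ \\t]+(?:https?://|/|\\{\\{).*$`, 'gm'), '<http-line>'],
    [/\bhttps?:\/\/[^\s"'<>)]+/gi, '<url>'],
    [new RegExp(escapeRe(workspace), 'g'), '<workspace>'],
    [new RegExp(escapeRe(home), 'g'), '<home>'],
    [/\{\{[^{}]*\}\}/g, '{{var}}'],
  ];
  const scrubString = (s) => rules.reduce((out, [re, to]) => out.replace(re, to), s);

  // Walk every nested value so strings inside exceptions and breadcrumbs are covered.
  const walk = (v) => {
    if (typeof v === 'string') return scrubString(v);
    if (Array.isArray(v)) return v.map(walk);
    if (v && typeof v === 'object') {
      return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, walk(x)]));
    }
    return v;
  };

  // Same shape as a Sentry beforeSend(event) hook: returns the event to transmit.
  return function beforeSend(event) {
    const { request, user, ...rest } = event; // request data and identity: dropped entirely
    const breadcrumbs = (rest.breadcrumbs || []).filter((b) => b.category !== 'console');
    return walk({ ...rest, breadcrumbs });
  };
}

// Constructed sample event; every value below is made up for the demonstration.
const sampleEvent = {
  message: 'send failed for {{baseUrl}}/users\nPOST https://api.example.test/v1/login\nAuthorization: Bearer abc.def.ghi',
  exception: { values: [{ value: 'ENOENT /Users/dev/projects/shop/auth.http via https://api.example.test/x' }] },
  breadcrumbs: [
    { category: 'console', message: 'token=Bearer abc.def.ghi' },
    { category: 'ui.click', message: 'opened /Users/dev/notes.txt with Bearer abc.def.ghi' },
  ],
  request: { url: 'https://api.example.test/v1/login', headers: { Cookie: 'sid=1' } },
  user: { ip_address: '203.0.113.7' },
};
const scrubbed = makeScrubber({ home: '/Users/dev', workspace: '/Users/dev/projects/shop' })(sampleEvent);
console.log(JSON.stringify(scrubbed, null, 2));
```

Running the sample shows why rule order is part of the design: the workspace path must be replaced before its parent home directory, and the `Authorization:` rule must consume the rest of the line before the narrower `Bearer` rule runs.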
Where the data goes
- To Sentry's servers (see Sentry's privacy policy).
- Not to us in any other form. No usage analytics, no feature-flag service, no telemetry beacon, no auto-update phone-home.
Configuring crash reporting
- Build-time. Crash reporting only compiles into builds that have a Sentry DSN configured. Builds without one have no code path that could send data.
- User preference. Even with a DSN, no data is sent unless you explicitly opt in. Your choice is stored locally; the first-launch dialog is the only time you'll be prompted.
- Runtime toggle. Change it any time in Settings. Takes effect on next launch.
Verifying nothing is sent
- Network monitor. With Little Snitch / Wireshark / tcpdump, confirm Coax makes no outbound connections except to endpoints you explicitly hit.
- Inspect the binary. Search the packaged app's resources for sentry.io. With telemetry off, the SDK transport URL list is empty.
Change log
- 2026-05-20. Initial version covering crash reporting only.