privacy policy

Last updated: February 11, 2026

tl;dr - wingthing is a dumb pipe. Your terminal traffic is end-to-end encrypted. We can't read it. We don't want to.

1. what we collect

When you use the hosted service at wingthing.ai, we collect:

Account information: If you authenticate via GitHub, Google, or magic link, we store your username and email address to identify your account and your wings.
Device tokens: When you run wt login, a device token is generated and stored on the server to authenticate your wing's WebSocket connection.
Session metadata: Session IDs, agent type (e.g. "claude", "ollama"), and connection timestamps. We need this to route WebSocket connections.

2. what we do not collect

Terminal content: All PTY traffic between your browser and your wing is encrypted end-to-end using X25519 key exchange and AES-GCM. The roost relays encrypted bytes. It cannot decrypt them. We do not log, inspect, store, or analyze your terminal sessions.
File contents: We do not access, read, or store any files on your machine. Your wing runs on your hardware.
Agent conversations: We do not see what you say to AI agents or what they say to you.
Keystrokes: Input is encrypted before it leaves your browser. We relay ciphertext.

3. how we use your data

Account data authenticates your WebSocket connection to the roost. Session metadata (IDs, timestamps) routes messages between your browser and wing. Session content - what you type, what the agent says, your files - never reaches the roost. That data travels E2E encrypted and lives on your machine.

We do not sell, rent, or share your data with third parties. We do not use your data for advertising, analytics, or model training.

4. data storage

The roost database contains accounts (emails, usernames), org membership, device auth tokens, and passkey public keys and credential IDs used for wt wing allow. No terminal data, no files, no session content. If the database leaked, an attacker would get emails and passkey public keys - but public keys can't be used to impersonate you, and locked wings verify passkey signatures locally.

5. self-hosted instances

If you self-host wingthing, your data never touches our servers. You control everything. This privacy policy applies only to the hosted service at wingthing.ai.

6. third-party services

GitHub OAuth: If you authenticate via GitHub, GitHub's privacy policy applies to the authentication flow. We receive only your username and email.
Google OAuth: If you authenticate via Google, Google's privacy policy applies to the authentication flow. We receive only your name and email. We do not request access to your Google Drive, Gmail, or any other Google services.
Fly.io: The hosted roost runs on Fly.io infrastructure. Fly.io's privacy policy governs their handling of network-level data.

7. data deletion

To delete your account and associated data, contact [email protected].

8. changes to this policy

We may update this policy. Material changes will be communicated via the Service. Continued use constitutes acceptance.

9. contact

Privacy questions: [email protected]