Skip to main content
← Back to vsrelay.dev

Privacy Policy

Effective: June 1, 2026 · Contact: support@vsrelay.dev · Data protection: legal@vsrelay.dev

Summary

VSRelay records local diagnostic information on your device. We do not transmit, upload, persist, or otherwise process that information unless you choose to share it (by emailing a diagnostic excerpt to support, or by pairing a phone via VSRelay's pairing flow).

This page is the canonical public description of VSRelay's privacy posture. The bundled text in the EULA at vsrelay.dev/eula (Section 5) controls in the event of any conflict.

What VSRelay is

VSRelay is a mobile control plane for AI coding agents. It connects a phone-based Progressive Web App to the Claude Code agent running inside Cursor or VS Code on your own machine. The phone is a viewport and a set of controls — your code, files, and editor state never leave your machine except as directed by you.

Diagnostic logs (local-only)

The Software records a local diagnostic file at ~/.vsrelay/diagnostic.log on your device. The file rotates at 10 MB (one rotation kept as .log.1). This file is local-only: we do not transmit, upload, persist, or otherwise process its contents unless you manually email the file (or extracts of it) to support via the vsrelay.copyDiagnosticInfo command, which copies a sanitized excerpt to the clipboard for you to paste at your discretion.

Auth tokens are redacted at log-write time via the redactMessage() function and never appear in the diagnostic file.

Identifiers that may appear in the file

The following identifiers are recorded so we can correlate events when you send diagnostic excerpts to support:

  • editorInstanceIdOpaque SHA-256 hash of the canonical install realpath. Does not reveal the underlying path. Stable per Cursor / VS Code installation.
  • Supabase user UUIDPresent only after you pair a device via VSRelay's pairing flow. Identifies your VSRelay account.
  • traceIdPer-action correlation tokens. Opaque short strings (e.g. t-3kx9z2).
  • Cursor / Visual Studio Code versionRead from vscode.version (e.g. 1.93.0).
  • Claude Code versionRead from vscode.extensions.getExtension('anthropic.claude-code').packageJSON.version (e.g. 2.1.158).
  • OS familyThe process.platform value: darwin, linux, or win32.

What we explicitly do NOT collect

The following are explicitly not recorded or transmitted by the Software:

  • No workspace paths. Workspace directory paths never appear in logs after the vsrelay.copyDiagnosticInfo command runs platform-path scrubbing on excerpts.
  • No usernames or home-directory paths. /Users/<you>/, /home/<you>/, C:\Users\<you>\ are scrubbed to <workspace>.
  • No raw prompts or model output. Claude Code session events are recorded as type discriminators only; content payloads are stripped by redactMessage() at log-write time.
  • No auth tokens. Relay tokens, Supabase JWTs, and Claude Code patches' applied markers are all redacted to <4chars>...<4chars> format or stripped entirely.
  • No source code from any workspace. The diagnostic log never embeds the contents of files in your workspace.
  • No SSH private keys. The SSH key wizard accepts public keys only and rejects any private-key block at the server before it is processed.

How data leaves your device

Diagnostic data leaves your device only when you choose to send it, via one of these channels:

  1. Email to support. When you run the vsrelay.copyDiagnosticInfo command and paste the clipboard content into an email to support@vsrelay.dev.
  2. Phone-pairing flow. When you actively pair a phone using the PWA, VSRelay's relay forwards your session events to the paired phone for the duration of the session. The relay is a transparent forwarder; it does not parse or persist message bodies.

We do not run scheduled telemetry uploads. We do not register a custom issue reporter that uploads logs to our backend.

How data flows (trust tiers)

VSRelay operates across trust tiers. In each tier the data flow is different:

  • LAN-only (Tier 3)No server is in the path. The phone connects directly to the extension over your local network. No data reaches any VSRelay infrastructure.
  • BYO relay (Tier 2)You self-host the relay server. VSRelay infrastructure is not involved. Traffic flows through your own server under your own policies.
  • Trusted cloud relay (Tier 1, today's default)Messages between your phone and your editor pass through a relay hosted on Hetzner infrastructure (relay.vsrelay.dev). The relay is a transparent forwarder: it routes who-talks-to-whom, does not inspect message bodies, and does not store your prompts, code, file contents, or workspace paths. All traffic is TLS-encrypted in transit. Room admission is validated against Supabase before any messages are forwarded — each WebSocket upgrade calls a secret-gated relay_lookup_room RPC and verifies a SHA-256 hash of the presented token against the stored hash.
  • E2E-encrypted cloud relay (planned)The relay will see only ciphertext. This is on the roadmap and not yet shipped.

Supabase and account identity

Device pairing uses Supabase for account identity and room admission. When you create an account or pair a device, Supabase stores the email address you provide (if any) and a hashed representation of your relay room token — not the token itself. Supabase's own privacy policy governs their handling of that data. We do not share your account data with third parties.

Analytics

The marketing site (vsrelay.dev) uses Vercel Analytics and Speed Insights for aggregate, cookieless traffic measurement. No personal data is collected; no cross-site tracking is performed. Individual page views are not linked to your identity.

Your rights

You have the right to:

  • Access the data we hold about you — email legal@vsrelay.dev with your Supabase account email.
  • Delete your account — same channel. We will delete your Supabase account record and any associated room metadata within 30 days.
  • Correct inaccurate data — same channel.
  • Export your account data — same channel.

EU / EEA consumers may exercise the rights in Regulation (EU) 2016/679 (GDPR) and the Norwegian Personal Data Act. California residents may exercise the rights in CCPA / CPRA. Quebec residents may exercise the rights in Law 25. Local data (the extension configuration at ~/.vsrelay/ and the extension itself) is on your own machine and can be removed by uninstalling the extension and deleting the directory.

Changes to this policy

We may update this page when material changes occur and note the effective date above. When the policy changes materially, we will bump the in-extension consent state key (privacy-consent.v1 privacy-consent.v2), which causes the extension to re-prompt at next activation.

Contact