Skip to content
The App Foundry
Studio Apps Contact
VIEW APPS →
Studio Apps Contact VIEW APPS →
Catalyst Logo Catalyst
Overview Features Pricing Safety EULA Privacy
DOWNLOAD →
Overview Features Pricing Safety EULA Privacy

Legal · Privacy Policy

Privacy Policy

Catalyst is a local-first developer tool. It operates directly on your Mac, so your source code, SSH keys, passwords, and environment variables stay on your machine. We collect only the minimum telemetry and licensing data required to operate the App. This policy explains exactly what we collect, what we do not, and how your data is protected.

Version 1.1 Effective: 15 July 2026

This Privacy Policy ("Policy") governs your access to and use of the Catalyst macOS application, the The App Foundry website, our APIs, and all related software and services (collectively, the "App" or "Service"). By downloading, installing, accessing, or using the App, you acknowledge that you have read, understood, and agree to be bound by this Policy and by the App's Terms & Conditions. If you do not agree, do not download, install, or use the App. This Policy is incorporated into and forms part of the Terms & Conditions.

Contents
1. Overview & Scope 2. Who Operates Catalyst 3. Information We Collect 4. What We Do Not Collect 5. How Your Data Is Used 6. Analytics & Crash Reporting 7. Storage & Security 8. Third-Party Services 9. Snapshots & Secret Scrubbing 10. Subscriptions & Payments 11. Sharing & Disclosure 12. Your Rights & Controls 13. Data Retention 14. Children's Privacy 15. International Users 16. System Modification Disclaimer 17. Disclaimer of Warranties 18. Limitation of Liability 19. Indemnification 20. Assumption of Risk 21. Governing Law 22. Changes to This Policy 23. Contact

1. Overview & Scope

Catalyst is a native macOS application that helps developers manage their local development environments. Features include managing package managers (Homebrew, pip), Python virtual environments, Git repositories and the Git Graph, shell configuration, PATH and aliases, SSH keys, startup items, disk and battery health, a diagnostics engine (Dr. Catalyst), recoverable cleanup (Cruft Sweeper), and one-file environment migration (Snapshot & Migrate).

Because Catalyst operates directly on your local filesystem and executes shell commands, it is engineered to be local-first and privacy-first by design. The App does not require a traditional password account: it uses passwordless email one-time passwords (OTP) and cryptographically binds your entitlement to your specific Mac. The App relies on limited, non-advertising analytics and crash reporting to operate and improve, described transparently in Section 6.

This Policy applies solely to Catalyst and The App Foundry services described here. It does not apply to any third-party services or platforms the App interacts with, each of which is governed by its own privacy policy and terms, as described in Section 8.

2. Who Operates Catalyst

Catalyst is an independently developed application created and maintained by The App Foundry ("we," "us," "our," or the "Developer"), operated by Shivang Gulati. The Developer is the party responsible for the App for the purposes of this Policy. Because the App is operated by an independent developer and not a registered corporation, you acknowledge and accept that the App is provided on the terms set out in this Policy and the Terms & Conditions, including the disclaimers and limitations of liability in Sections 16 through 20. You may contact the Developer at any time using the details in Section 23.

3. Information We Collect

The categories below are the only categories of information the App handles remotely. Wherever possible, execution and state remain on your device and are never transmitted to the Developer.

3.1 Authentication & device information

To verify your identity and enforce licensing, we collect your email address (used solely to send login OTPs and account-related notices) and an anonymous, hardware-derived device identifier (Device UUID). This UUID binds your Catalyst license to a single Mac, preventing abuse and account sharing.

3.2 Subscription & entitlement data

We maintain records of your current plan (for example, Trial, Pro Monthly, Pro Yearly, or Student Grant), your trial start and expiration times, device-release history, and Razorpay subscription identifiers, in order to issue valid, server-signed entitlement tokens (Ed25519-signed JSON Web Tokens) to your device. We do not process or store your payment card details.

3.3 Student verification data

If you apply for a student discount, we collect and verify the academic email address you provide (for example, a .edu or .ac.in address) to grant student pricing. This email is bound to your primary account to prevent duplicate usage.

3.4 Analytics and crash-report data

The App uses a privacy-respecting analytics and crash-reporting service (Google Firebase Analytics and Firebase Crashlytics) to understand which features are used and to diagnose crashes and errors. This involves limited, non-advertising event and diagnostic data — for example, that the Cruft Sweeper was opened, that a virtual environment was created, that an installation failed, or that an app update was downloaded. This data does not include your source code, your file contents, your environment variables, or your passwords. Full detail is in Section 6.

3.5 Support and feedback submissions

If you submit a bug report, feature request, or support message (including via GitHub issues or our Google Forms), we collect the information you provide, which may include your app version, email address, and any logs or screenshots you voluntarily attach. Providing this information is optional and occurs only when you submit a form.

4. What We Do Not Collect

Catalyst is built to respect your proprietary code and infrastructure. The Developer does not collect, transmit, or upload:

  • Source code & repositories. Your Git repositories, project files, commit history, and codebase contents are never uploaded to our servers.
  • System passwords. When you execute a command requiring sudo, the App captures your macOS password locally in memory via a native dialog and pipes it directly to the local shell. It is never logged, stored on disk, or transmitted over the network.
  • Environment variables & shell config. The contents of your ~/.zshrc, ~/.bash_profile, and any variables containing API keys or secrets remain strictly on your device.
  • SSH keys & credentials. Your private SSH keys and cloud credentials are never read for upload; SSH tooling only ever shows and copies public keys.
  • Advertising & cross-app tracking. We do not run third-party advertising or ad networks, do not use advertising identifiers, do not perform cross-app or cross-site tracking, and do not sell, rent, or trade your personal data to data brokers.

5. How Your Data Is Used

Information handled by the App is used exclusively to provide, secure, and improve the Service. Specifically, it is used to: authenticate you via OTP; issue server-signed Ed25519 JSON Web Tokens verifying your subscription or grant status; enforce the single-seat device limit and the two-releases-per-90-days rule; track your free-trial expiration; verify student eligibility; understand feature usage and diagnose crashes through limited analytics and crash reporting (Section 6); and respond to feedback or support you submit. The App does not use your information for advertising, for selling or sharing with data brokers, or for automated decision-making producing legal or similarly significant effects about you.

6. Analytics & Crash Reporting

In plain terms: we look at which features are used most so we can improve them and keep the App stable while it interacts with complex macOS environments. To do this we use Google Firebase Analytics (product analytics) and Firebase Crashlytics (crash and error reporting). We have designed this integration to be as privacy-respecting as practicable, and we want to be transparent about exactly what it does and does not capture.

6.1 What is collected

Analytics records a defined catalog of interaction events — for example, that a feature screen was opened, that a virtual environment was created, that an installation started or failed, or that an app update was downloaded. Some events carry minimal, non-identifying parameters (such as a feature name or a coarse count). Crashlytics collects standard crash and diagnostic information (such as stack traces, macOS version, and device model) to help fix problems.

6.2 What is never sent

The analytics and crash-reporting layer is deliberately scoped to exclude proprietary data. It does not receive your source code, your file contents, file paths containing your username, your shell configuration, your environment variables, your secrets, or the contents of any snapshot. Where a value is included, it is a minimal, non-identifying parameter, not the underlying data.

6.3 No advertising, no cross-app tracking

This analytics is used only for product improvement and stability. It is not used for advertising, is not linked to any advertising identifier, and is not used to track you across other companies' apps or websites. Firebase processes this data as a service provider on the Developer's behalf, subject to Google's terms and privacy policy (see Section 8). Debug and development builds do not send analytics.

7. Storage & Security

Catalyst applies multiple layers of protection to your information:

  • Local-first storage. Your project metadata, preferences, and environment state are stored locally on your Mac.
  • Keychain protection. The App uses the macOS Keychain to securely persist your server-issued entitlement tokens and server-clock validations, protecting them from unauthorized modification.
  • Server-side hardening. The Cloudflare Worker backend uses cryptographic Ed25519 signatures, strict rate-limiting (including IP- and device-based throttling on OTP requests), single-use challenges, and short-lived tokens to deter abuse.
  • Encrypted transport. All network communication between the App and our services occurs over encrypted HTTPS connections.

No method of electronic storage or transmission is ever completely secure. While the App implements reasonable and appropriate safeguards, the Developer cannot and does not guarantee absolute security, and you use the App with that understanding (see Sections 17 and 18).

8. Third-Party Services

The App relies on the following third-party services. Each operates under its own privacy policy and terms, over which the Developer has no control and for which the Developer accepts no responsibility. Your use of features that depend on these services constitutes acceptance of their respective policies.

  • Cloudflare (Workers, D1, KV). Hosts our backend database, OTP verification logic, and entitlement endpoints. Handles your email, Device UUID, and subscription state.
  • Razorpay. Processes all subscription payments securely. We never receive your full card number or bank details.
  • Vercel. Hosts our marketing website and relays our OTP authentication emails via standard SMTP.
  • Google Firebase (Analytics & Crashlytics). Non-advertising product analytics and crash reporting — no source code, file contents, or secrets (see Section 6).
  • Sparkle & GitHub. Facilitate cryptographically verified app updates and host release binaries.

9. Snapshots & Secret Scrubbing

If you use Catalyst to generate an environment "Snapshot" (exporting your setup), the App employs a local secret-scrubber that attempts to redact obvious API keys, tokens, and passwords from your exported configuration before writing the snapshot to your local disk. This scrubbing happens entirely on your device, and the snapshot is never uploaded to the Developer. Automated scrubbing is best-effort and cannot guarantee that every secret is removed. You are solely responsible for reviewing any generated snapshot to ensure no sensitive data remains before sharing it with others.

10. Subscriptions & Payments

The App offers optional auto-renewable subscriptions (Monthly and Yearly Pro plans) and may offer non-recurring student grants. All payments are processed by Razorpay. The Developer does not receive, process, or store your payment card numbers or bank account details. Subscriptions and grants are bound to your verified email and Device UUID. Billing, cancellation, and refund terms are set out in the Terms & Conditions and the Cancellation & Refund Policy.

11. Sharing & Disclosure

The Developer does not sell, rent, trade, or otherwise share your personal information for monetary or other valuable consideration. Your information is disclosed only in these limited circumstances: (a) to the third-party service providers listed in Section 8, strictly to deliver the Service; (b) where you direct it, such as submitting a support form or exporting your own data; (c) to comply with applicable law, legal process, or a valid governmental or regulatory request; (d) to protect the rights, property, safety, or security of the Developer, users, or the public, or to investigate fraud or abuse; or (e) in connection with a transfer of the App or its assets, in which case any successor will be bound by commitments no less protective than this Policy.

12. Your Rights & Controls

Because your proprietary data lives on your device, you retain direct control over it. You can:

  • Delete local data by uninstalling the App and clearing its Application Support folder, which removes local metadata.
  • Manage devices by signing out and releasing your device allocation from the App's profile sheet (subject to the two-releases-per-90-days limit).
  • Limit analytics through your device privacy settings (see Section 6).
  • Request deletion of your account and backend data by contacting us at any time.

Depending on where you live, you may have additional rights under applicable data-protection laws — for example, under the EU/UK GDPR (access, rectification, erasure, restriction, portability, and objection) or the California CCPA/CPRA (know, delete, correct, and opt out of "sale" or "sharing," noting that the Developer does not sell or "share" personal information for cross-context behavioral advertising). To make a request, contact the Developer using Section 23.

13. Data Retention

We retain your account email, device binding, and subscription data on our Cloudflare backend for as long as your account is active, or as needed to enforce licensing rules (for example, retaining device-release history for 90 days), prevent trial abuse, and comply with legal or tax obligations. Analytics and crash-report data are retained by the analytics provider in accordance with its retention settings. Support and feedback submissions are retained only as long as necessary to address your request and for reasonable record-keeping. Security tokens are short-lived and are automatically refreshed or deleted upon expiry.

14. Children's Privacy

Catalyst is an advanced developer tool that involves system-administration privileges. It is not directed to children under the age of 13 (or the higher minimum age that may apply in your jurisdiction). The Developer does not knowingly collect personal information from children. If you believe a child has provided information in a manner inconsistent with this Policy, contact the Developer so it can be addressed.

15. International Users & Regional Rights

The App uses global infrastructure (Cloudflare, Vercel, Firebase) that may process your authentication and analytics data on servers located in various jurisdictions, including the United States and India; those providers maintain their own safeguards. To the extent applicable, residents of certain regions have specific rights under laws such as the GDPR and CCPA/CPRA, as described in Section 12. By using the App, you consent to the processing described in this Policy in the jurisdictions where the App and its providers operate.

16. System Modification Disclaimer

Catalyst executes privileged shell commands (including brew, pip, sudo, and edits to system and shell configuration files). The App is not a passive tool; it actively modifies your operating system and environment at your direction. You acknowledge that using features such as the Cruft Sweeper, system-wide package installations, or shell-profile edits carries a real risk of data loss or system instability, for which the Developer is not liable. You are responsible for maintaining your own backups and for reviewing each action before you confirm it.

17. Disclaimer of Warranties

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE APP AND ALL CONTENT, FEATURES, AND SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND. THE DEVELOPER EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, ACCURACY, AND NON-INFRINGEMENT.

THE DEVELOPER DOES NOT WARRANT THAT THE APP WILL BE UNINTERRUPTED, SECURE, OR ERROR-FREE; THAT SYSTEM ENVIRONMENTS OR CONFIGURATIONS WILL BE PRESERVED WITHOUT CORRUPTION OR LOSS; OR THAT DEFECTS WILL BE CORRECTED. YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE APP. SOME JURISDICTIONS DO NOT ALLOW CERTAIN WARRANTY EXCLUSIONS, SO SOME MAY NOT APPLY TO YOU; IN SUCH CASES WARRANTIES ARE LIMITED TO THE MINIMUM EXTENT PERMITTED BY LAW.

18. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE DEVELOPER, OR ANY OF ITS AFFILIATES, CONTRACTORS, OR REPRESENTATIVES, BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, SOURCE CODE, OR SYSTEM INTEGRITY, ARISING OUT OF OR RELATING TO YOUR ACCESS TO, USE OF, OR INABILITY TO USE THE APP, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE FULLEST EXTENT PERMITTED BY LAW, THE DEVELOPER'S TOTAL CUMULATIVE LIABILITY FOR ANY AND ALL CLAIMS ARISING OUT OF OR RELATING TO THE APP OR THIS POLICY SHALL NOT EXCEED THE GREATER OF (i) THE TOTAL AMOUNT YOU ACTUALLY PAID TO THE DEVELOPER FOR THE APP IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (ii) FIVE U.S. DOLLARS (US $5.00). YOU ACKNOWLEDGE THAT THESE LIMITATIONS ARE AN ESSENTIAL BASIS OF THE BARGAIN. SOME JURISDICTIONS DO NOT ALLOW CERTAIN LIMITATIONS, SO SOME MAY NOT APPLY TO YOU; IN SUCH CASES LIABILITY IS LIMITED TO THE SMALLEST AMOUNT PERMITTED BY LAW. NOTHING HEREIN EXCLUDES LIABILITY THAT CANNOT LAWFULLY BE EXCLUDED.

19. Indemnification

To the maximum extent permitted by applicable law, you agree to defend, indemnify, and hold harmless the Developer and its affiliates, contractors, and representatives from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to your use of the App, your execution of destructive or privileged system commands, your violation of this Policy or the Terms & Conditions, or your infringement of any third-party right.

20. Assumption of Risk & Release

You knowingly and voluntarily acknowledge that installing, cleaning, modifying, migrating, or otherwise administering a macOS developer environment carries inherent risks — including accidental deletion of files or repositories and corruption of system or Python environments — and you assume full and exclusive responsibility for all such risks. To the maximum extent permitted by applicable law, you release, waive, and forever discharge the Developer from any and all claims arising out of or relating to your use of the App, including any data loss, financial loss, or damage of any kind.

21. Governing Law & Dispute Resolution

This Policy and any dispute arising out of or relating to it or the App shall be governed by and construed in accordance with the laws of India, without regard to its conflict-of-laws principles, except where the mandatory consumer-protection or data-protection laws of your country of residence apply and cannot be excluded. The dispute-resolution and arbitration provisions of the Terms & Conditions apply equally to this Policy.

22. Changes to This Policy

The Developer may update this Policy from time to time to reflect changes to the App, legal requirements, or operational practices. When the Policy changes, the version number and effective date at the top of this page will be updated, and material changes may be communicated within the App and may require your renewed acknowledgment. Your continued use of the App after a revised Policy takes effect constitutes your acceptance of the changes. If you do not agree, you must stop using and uninstall the App.

23. Contact

If you have any questions, concerns, or requests regarding this Policy or your data, you may contact the Developer:
The App Foundry — toshivanggulati@gmail.com.

This document is provided for informational purposes and does not constitute legal advice. The Developer recommends consulting a qualified attorney to confirm this Policy meets all legal requirements applicable to the App's distribution markets.

The App Foundry
Automating the obvious.
More apps in the foundry, soon.
Explore Home Catalyst Features Pricing Download Contact
Legal Terms of ServicePrivacy PolicyCancellation & Refund
Say Hello toshivanggulati@gmail.com @shivanggulati on Linktree
© 2026 The App Foundry. All rights reserved. All systems operational