# Telemetry Privacy & Controls
Version: 1.1.1
Last Updated: January 23, 2026
Governing Principles
- Export-first: No telemetry leaves the machine unless the user exports and uploads (manual) or explicitly enables auto mode.
- Metadata-only: No source content; no VN scripts/assets; only sanitized metadata and counts.
- Path/Message Protection: File paths and error messages are SHA256-hashed; device IDs double-hashed.
- Schema Validation:
TelemetryPackageenforces required fields and rejects raw content or paths. - Transparency: Export file (
rc-metrics.json) is human-readable for user review before upload.
Collection Boundaries
- Captured: command names, durations, counts, feature toggles, provider IDs, cache metrics, validation stats, hashed errors.
- Not Captured: file contents, raw paths, user text, credentials, access tokens.
- Default Mode:
manual(no uploads). Modes are persisted in config and surfaced in Control Center with a privacy banner.
Consent & Governance
- Opt-in sending: Uploads require user action or explicit auto-mode selection.
- Reviewable Exports: Users can open the JSON package to verify contents.
- Governance IDs: Events carry governance IDs for audit trails (AXIS5 series).
- Encoding Safety: Unicode-safe pipeline (emoji, JP/Cyrillic paths) validated by tests; prevents crashes and data loss.
UI & CLI Safeguards
- Control Center shows current mode, last upload status, and preview/export before upload.
- CLI
previewandupload --dry-runexpose what would be sent without network activity. - Upload size cap and time-range filters prevent over-collection.