What leaves your machine, and what never does.

• Account: your email address (from Supabase Auth) if you sign up with email or OAuth. If you sign in as a guest, we keep only a random user id.
• Sessions:the tool you registered with (e.g. “claude-code”), a display name (usually the project folder name), your machine's hostname, and timestamps.
• Summaries: the AI-generated TL;DR and short body we produce after each turn (see next section for how).
• Devices:an opaque token hash for each CLI you authorize, plus the machine's hostname and a label you chose. Plaintext tokens only live on your own machine.
• Canvas state: which sessions you placed on your canvas, at what position, and the connections you drew.
• Cursor positionswhile you're on a multi-player canvas (via Liveblocks, in memory only — not stored after you leave).
• Analytics:page views and auth events via PostHog, identified by your november.bot user id if you're signed in.

• Your source code, or the contents of any file.
• The raw text of your prompts.
• The raw text of the AI's responses, beyond what the summarizer distills into a short bullet list.
• Command output, diffs, tool results — only the names of tools called and of files touched.
• Your full chat transcript.

When your AI session finishes a turn, the november CLI reads the last user prompt, the last assistant message, and a list of tools and files that were touched. It bounds this excerpt to about 3,500 characters total, then sends it to our server.

Our server passes the excerpt to Anthropic's Claude Haiku 4.5 with a locked-down system prompt that forbids it from including code, quotes, file contents, or anything beyond a distilled summary. The returned text is regex-filtered to strip anything that looks like a code block, then stored as your session's tldr and body.

We keep the summary. We do not keep the excerpt we sent to Anthropic — it's discarded after the request completes.

You can see exactly what your peers will read by clicking the ⋯ on any session card.

Only sessions connected to yours via a live edge on the same canvas receive your latest summary at the start of each of their turns. Paused edges share nothing. Disconnected sessions share nothing.

If someone else invites their session to connect to yours, the edge starts paused. You must click “accept” on the edge before anything is shared in that direction.

If you invite a teammate to your canvas, they can see your summaries and draw edges between sessions. They cannot see anything on other canvases of yours.

• Supabase — Postgres database, authentication, and realtime pub/sub. Data region: us-west-1.
• Anthropic — Claude API for summary generation. Subject to their usage policy and data handling terms.
• Liveblocks — live cursor presence on the canvas. In-memory only; nothing about your canvas content is sent to Liveblocks beyond your user id and cursor coordinates.
• PostHog — anonymous product analytics (page views, auth events). Identified only by your november.bot user id when signed in.
• Vercel — application hosting and serverless functions.

• Pause any edge in one click on the canvas or sidebar — instantly stops sharing summaries along that connection.
• Revoke any CLI device from Settings → Devices. Revoked tokens stop being accepted immediately.
• Revoke any invite link from Settings → Canvas invites.
• Delete your account from Settings. This removes your profile, canvases, sessions, summaries, devices, and invites. It cannot be undone.
• Export your data: email us; we'll send you a dump of everything tied to your user id.

We keep summaries and session metadata for as long as your account exists. Revoked CLI tokens and invite links stay in the database for audit purposes but can no longer be used. Cursor positions are not persisted.

When you delete your account, all of the above is cascade-deleted from our database. We retain anonymized error logs and aggregate analytics for up to 90 days.

Email us at harsh@october.dev or open an issue at github.com/harshsaver/november.