What leaves your machine, and what never does.

• Account: your email address (from Supabase Auth) if you sign up with email or OAuth. If you sign in as a guest, we keep only a random user id.
• Sessions:the tool you registered with (e.g. “claude-code”), a display name (usually the project folder name), your machine's hostname, and timestamps.
• Summaries: the AI-generated TL;DR and short body we produce after each turn (see next section for how).
• Devices:an opaque token hash for each CLI you authorize, plus the machine's hostname and a label you chose. Plaintext tokens only live on your own machine.
• Canvas state: which sessions you placed on your canvas, at what position, and the connections you drew.
• Cursor positionswhile you're on a multi-player canvas (via Liveblocks, in memory only — not stored after you leave).
• Analytics:page views and auth events via PostHog, identified by your november.bot user id if you're signed in.

• The contents of your files — summaries may name a file path or paraphrase what changed, but we never store the file itself.
• Secrets: API keys, tokens, passwords, private keys, connection strings, and the contents of .envor credential files. The summarizer is instructed to refuse to include these; if one slips through, delete your account or contact us and we'll purge it.
• The raw text of your prompts.
• The raw text of the AI's responses, beyond what the summarizer distills.
• Command output, diffs, tool results — only the names of tools called and of files touched.
• Your full chat transcript.

When your AI session finishes a turn, the november CLI reads the last user prompt, the last assistant message, and a list of tools and files that were touched. It bounds this excerpt to about 3,500 characters total, then sends it to our server.

Our server passes the excerpt to Anthropic's Claude Haiku 4.5 with a system prompt geared for useful peer summaries: concrete endpoint paths, file paths, type shapes, and decisions are allowed — those are the details a peer session actually needs. The prompt still forbids verbatim chat quotes, full-file code dumps, and anything that looks like a secret. Triple-backticked code blocks are stripped from the response before storing.

The resulting tldr (≤200 chars) and body(bullets with the concrete detail) are stored as that session's summary. We keep the summary; the excerpt we sent to Anthropic is discarded after the request completes.

You can see exactly what your peers will read by clicking the ⋯ on any session card. If a summary contains something you don't want shared, pause the edge — peers stop receiving updates immediately.

Only sessions connected to yours via a live edge on the same canvas receive your latest summary at the start of each of their turns. Paused edges share nothing. Disconnected sessions share nothing.

If someone else invites their session to connect to yours, the edge starts paused. You must click “accept” on the edge before anything is shared in that direction.

If you invite a teammate to your canvas, they can see your summaries and draw edges between sessions. They cannot see anything on other canvases of yours.

• Supabase — Postgres database, authentication, and realtime pub/sub. Data region: us-west-1.
• Anthropic — Claude API for summary generation. Subject to their usage policy and data handling terms.
• Liveblocks — live cursor presence on the canvas. In-memory only; nothing about your canvas content is sent to Liveblocks beyond your user id and cursor coordinates.
• PostHog — anonymous product analytics (page views, auth events). Identified only by your november.bot user id when signed in.
• Vercel — application hosting and serverless functions.

• Pause any edge in one click on the canvas or sidebar — instantly stops sharing summaries along that connection.
• Revoke any CLI device from Settings → Devices. Revoked tokens stop being accepted immediately.
• Revoke any invite link from Settings → Canvas invites.
• Delete your account from Settings. This removes your profile, canvases, sessions, summaries, devices, and invites. It cannot be undone.
• Export your data: email us; we'll send you a dump of everything tied to your user id.

We keep summaries and session metadata for as long as your account exists. Revoked CLI tokens and invite links stay in the database for audit purposes but can no longer be used. Cursor positions are not persisted.

When you delete your account, all of the above is cascade-deleted from our database. We retain anonymized error logs and aggregate analytics for up to 90 days.

Email us at harsh@october.dev or open an issue at github.com/harshsaver/november.