Privacy

Last updated: April 27, 2026

Short version: Your notes, your selected text, your URLs, your tags, and your screenshots never leave your Mac. They go straight to your Obsidian vault on disk — not to us, not to anyone else. The only thing Capture ever sends over the network is a small amount of anonymous usage data (how many captures you made, not what you captured), plus a check for app updates.

What stays on your Mac

Everything you actually capture — your notes, any selected text you grabbed from a webpage, the URL of the tab you captured from, any tags you added, and any screenshots — is written directly to your Obsidian vault as a plain markdown file. Capture never uploads, backs up, or transmits that content anywhere. It's your file on your disk.

Your settings (which vault folder, which tags, which hotkey, etc.) are stored locally in macOS's standard preferences store.

What we do send, and why

Capture sends anonymous usage signals to a privacy-respecting analytics service called TelemetryDeck. This helps us understand whether the app works well (are people capturing successfully? are they getting stuck in onboarding?) without knowing anything about who you are or what you captured.

The signals collected are things like:

app.launched — when the app starts up.
capture.completed — when a new note is saved. Attached metadata: the kind of attachment (e.g. screenshot, image, none), how many tags were attached (just the count, not the tag names), and whether the AI title feature was used.
capture.appended — when text is appended to an existing note. Attached metadata: whether it was a pinned target or an ad-hoc file pick, the attachment kind, and the tag count.
onboarding.started, onboarding.completed, onboarding.skipped — so we can see where new users get stuck. Attached metadata: whether Accessibility permission was granted, how many tags were configured, and which step you were on if you skipped.

This list is the current set; as the app gains features there may be additional signals of the same shape (an event name plus a few low-cardinality counts or flags). Whatever the list looks like at any given time, the rule doesn't change: no note content, no selected text, no URLs, no tag names, no file paths, no screenshots, no keystrokes, and nothing that identifies you personally is ever sent. Just counts and flags about how the app itself is being used.

TelemetryDeck anonymizes everything with a daily-rotating salted hash. No IP addresses, no account identifiers, no persistent device fingerprints.

You can turn this off at any time. Open Capture's Settings → Info and switch off "Anonymous diagnostics". Once it's off, no signals are sent at all.

Update checks

Capture periodically checks capture.surf for new versions using Sparkle, the standard macOS update framework. This check fetches a small XML file listing available versions. It sends nothing about you — just a standard web request from your Mac to our server.

Accessibility permission

Capture asks for macOS Accessibility permission for three reasons, all local to your Mac:

To listen for your ⌥C hotkey system-wide, so you can trigger a capture from anywhere.
To read the URL of the active browser tab when you capture from a web browser, so the resulting note can link back to the source.
To grab the text you've highlighted at the moment you fire a quote capture, so it can become the body of your note. Capture only reads the current selection at the instant you trigger a capture — it doesn't watch your selections in the background or read anything you haven't highlighted.

This permission is granted by you in System Settings and can be revoked at any time. Capture never records keystrokes, never watches what you're typing, and never reads content from other apps outside of these three moments.

Third parties

Capture uses exactly three third-party services, all privacy-respecting:

TelemetryDeck — anonymous analytics (covered above).
Sparkle — fetches the update feed from capture.surf. No data sent, just a version-check request.
Polar — handles purchases and license-key validation. When you buy Capture, Polar receives your name, email, billing address, and payment details (we never see your card number). When the App checks that your license is still valid, it sends only your license key and a per-Mac instance ID — nothing about what you've captured. Polar is our merchant of record and its privacy policy covers the payment portion.
Buttondown (on the website only, not in the app) — our waitlist signup form. If you give us your email, Buttondown stores it for the mailing list. If you don't, no email is collected.

What we keep about your purchase

If you buy Capture, we receive a record of your order from Polar: your name, email, country (for tax purposes), license key, and order number. We use this only to deliver your license, send your receipt, support you if you write in, and process refunds. We don't sell or share this information, and we don't add you to any marketing list unless you separately opt in.

You can ask us to delete your purchase record at any time by emailing support@capture.surf. Note that we may need to keep transactional records for tax-compliance reasons (typically 7 years in the US) — but we'll delete everything we're not legally required to retain.

No accounts, no tracking

Capture has no user accounts, no login, no cloud sync, no cookies, no ad tracking, no social-media pixels, and no ability to "follow you around the web" because it's a desktop app and does not talk to the web outside of the narrow cases described above.

Questions

If you want to know more, spotted something wrong, or want your email removed from the waitlist: support@capture.surf.