Privacy & trust

Your app data stays on your Mac.

Switchboard is a local-first macOS utility with no background HTTP server. Its update-count telemetry is anonymous and opt-out, while license purchase, email delivery, and activation use only the checkout and device details needed to process the license. This page describes what the app and purchase flow read, write, and send.

Last updated: 2026-06-09.

Summary

  • Anonymous, aggregate usage stats only: an active-install count with minimal update-check metadata. No identifiers, no raw IP stored, no crash reports. On by default; opt out in Settings → Privacy.
  • No user account or signup. Free use needs no license key; a Switchboard Pro license activates by key only.
  • No background server, no listening network port.
  • The installed app's routine outbound requests are update checks and, for Switchboard Pro licenses, license activation/validation. You can turn off update counting, update checks, or both.
  • All configuration, logs, and approval state are stored on your Mac under your home folder.
  • Buying a Switchboard Pro license on this website sends checkout details to the license service, Paylink for card payments, and a transactional email provider for order delivery.

Buying and activating a license

When you buy a Switchboard Pro license, the checkout form sends the details needed to create and deliver the order: name, mobile number, email address, locale, payment method, amount, and order references. Card payments are completed on Paylink's hosted payment page. Bank transfer orders stay pending until the transfer is confirmed.

Transactional email is sent through an email service provider: bank-transfer instructions, license-key delivery, purchase notifications, and refund notices. Email is used for order delivery and support, not marketing newsletters.

The license service keeps the order, license, email-delivery, and activation records needed to deliver the license, support recovery or refunds, and enforce the 3-Mac activation limit. Activating or validating a Switchboard Pro license sends the license key and a device hash to the license service. Your local services, logs, docs, and command approvals are not sent.

What the app does not do

  • No crash reporting or behavioral tracking. Switchboard does not send crash dumps, does not record which features or services you use, attaches no user or machine identifier, and uses no third-party analytics SDK. The one signal it does send for update counting — an anonymous active-install count — is described in Outbound requests below.
  • No cloud sync of your data. Your configuration, logs, and approval state stay on your Mac. The app does not upload them anywhere.
  • No background HTTP server. The app does not listen on any network port. Other processes cannot connect to Switchboard.
  • No arbitrary shell access from the UI. The webview cannot run shell commands you type. See Command security below.
  • No reading of unrelated files. Switchboard reads and writes its own configuration directory and, when you add a docs folder, the folders you explicitly point it at. It does not scan your home directory or your projects on its own.

What stays on your Mac

Everything Switchboard remembers between launches lives in your Application Support folder:

~/Library/Application Support/com.azzuwayed.switchboard/

That directory contains:

  • services.yaml — the services you have configured.
  • commands.yaml — the command definitions (allowlist) behind each service action.
  • settings.yaml — app preferences (theme, language, update-check toggle, poll intervals, autostart, etc.).
  • approvals.json — fingerprints of commands you have approved to run.
  • observer-state.json — discovered services the observer has remembered.
  • activity.log — local action log (start, stop, restart, approval changes).
  • backups/ — pre-write backups of the above.

None of this leaves your Mac. There is no “sync to cloud” setting because there is no cloud.

Outbound requests

With Check for updates automatically enabled (the default), the app checks for a newer release on launch and roughly once a day after that. This is a small static update file with the latest version and download information.

From automatic app checks — and only those, never update downloads — the update service records an anonymous, aggregate active-install signal with minimal app and system metadata needed for coarse totals. It stores no raw IP and no identifier. The app attaches no user identifier, no machine identifier, and no installation token.

Turn off Anonymous usage statistics in Settings → Privacy and the daily check carries an opt-out marker — it is never counted, while update checks keep working. Turning off Check for updates automatically (Settings → Updates, or the About dialog) stops the request entirely. The Check for updates button still works as a manual, one-shot fetch when you press it.

Switchboard Pro license activation and validation contact the license service to check the key status and device slot count. They do not upload your service list, logs, command output, docs folders, or other local app data.

Website forms for key recovery, device reset, checkout, and contact also call the license service. The contact form sends the name, email address, topic, and message you enter so support can reply. The contact form includes an abuse-prevention check, and support replies are delivered through an email service provider.

Command security

Switchboard manages local services by running real OS commands (Homebrew, Docker, launchctl, etc.). To keep that useful without letting the UI become a remote shell, the boundary between webview and operating system is intentionally narrow.

  • The webview sends only a serviceId, an action, and explicit confirmation state.
  • The Rust backend maps the action to an exact allowlisted cmd + args definition. The webview cannot pass an executable path, command string, environment variable, or shell fragment.
  • Every command runs through tokio::process::Command with a sanitized environment and a fixed PATH — never through sh -c.
  • Each command carries a risk level (safe, normal, destructive, privileged, network-install). Anything above safe requires an approval fingerprint, which is checked against approvals.json before the command runs.
  • Imported templates and command definitions are previewed command-by-command before they can run. New or changed definitions stay unapproved until you review them.
  • Command output is bounded; secret redaction defaults to on.

Updates and signing

When the update manifest reports a newer build, the in-app updater downloads the new .app.tar.gz bundle and its accompanying .sig file from the GitHub Release for that version. Before the bundle is unpacked, the minisign signature is verified against a public key compiled into the currently-running app. If verification fails, the update is rejected and nothing on disk is replaced.

The private signing key never leaves a local keychain and CI secret store. Release builds are also signed with an Apple Developer ID certificate and notarized by Apple, so a freshly-installed update opens normally.

macOS permissions

Switchboard does not request Full Disk Access, Accessibility, or Screen Recording. It does not need them to manage services. If you add a docs folder under Settings → Documentation, macOS may show its standard file-access prompt for that folder; the app reads it but does not relay its contents anywhere.

The app uses a launchd login item only when you opt in via Launch at login in Settings.

Source and license

Switchboard is proprietary software, and the source repository is not planned to be public. The app is built and operated by Abdullah Alzuwayed, and the app itself is © 2026 Abdullah Alzuwayed. All rights reserved. Switchboard stays useful for free; Switchboard Pro licenses activate by key and unlock the paid optional tools.

Changes to this statement

If a future release adds a new outbound request, a new on-disk artifact, or a new permission, this page is updated in the same release. The release’s public changelog calls out the change. Transactional purchase email may go only to customers who supplied an email address during checkout.

Contact

Questions or concerns about anything on this page? Use the contact form.