Skip to content
Orb
securitywhat it does, what it doesn't

Why you should believe this.

Orb runs entirely on your Mac. There is no backend to trust, because there is no backend.

orb securitywhat it does and does not do

No telemetry, no account: Orb collects nothing and has nothing to sign in to.

The Mac app has no server of its own and no account system. It does not send your prompts, files, or usage anywhere, and it includes no telemetry or analytics. Settings and sessions stay on your own machine.

Read the privacy policy

Pairing is end to end encrypted: your Mac and iPhone talk directly, with no relay server that could read your sessions.

You pair by scanning a QR code shown in the dock header, and that is the whole setup. The link uses keys only your two devices hold, and you can revoke a paired device any time in Settings, under Devices. Away from home, Tailscale carries the same direct link over your own private tailnet: still no relay in between.

How pairing works

Snapshots strip credentials: saved baselines exclude your keys and tokens, so a shared or cloned session never carries them.

At the moment you Save Snapshot, Orb removes credential material before it freezes anything, then scans the exact thing it is about to freeze. If anything looks off, it aborts and keeps your existing baseline rather than risk sealing a secret inside one.

Read how snapshots work

Permissions, listed: Orb asks for no Accessibility access and no network entitlements beyond pairing. Here is everything it does request, and everything it does not.

Opt-in only
Accessibility, so “New session from selection” can read the frontmost app’s selected text. It stays off until you turn it on in Settings.
Never requested
Accessibility for the global hot key (Carbon’s RegisterEventHotKey needs none) or for per-Space session scoping (a private CoreGraphics call, not Accessibility), and no network entitlement beyond the direct link to a paired iPhone.
See the full permissions overview

Signed updates: releases are Developer ID signed, notarized by Apple, and update over Sparkle with EdDSA signatures.

The same signing you can already see on the download page carries through every update: the in-app updater checks each new version’s signature before installing it, so a tampered build cannot install as if it came from Orb.

See how the Mac app is signed