Security

Code and Workspace Data

Athas does not upload file contents, source code, terminal contents, workspace paths, chat messages, prompts, or secret values as part of telemetry. When you use an AI feature, the text and context you choose to send are sent to the selected provider so that feature can work. If you use a local provider, those requests stay with that local endpoint.

Telemetry

Anonymous usage telemetry is off by default. If you enable it, Athas sends operational metadata for app health, extension behavior, and crashes. Update checks still send a small operational signal with app version, platform, architecture, anonymous install ID, and update status so releases can be delivered and monitored.

API Keys and Credentials

Desktop secrets such as AI provider keys, GitHub tokens, database passwords, and saved remote credentials are stored locally using OS secure storage when available. Athas does not need your provider API keys unless you choose to save them for a feature that uses that provider.

Account Data

Athas uses account data to provide the service, process payments, handle support, and keep account features working. Payment card details are handled by Lemon Squeezy, so Athas does not store card details directly.

Connections

Athas web services use HTTPS/TLS in transit. OAuth sign-in is handled through supported providers such as GitHub and Google. Desktop database and remote connections use the connection details you provide, and saved credentials are kept locally.

Updates

Athas ships desktop updates through release channels. Update checks are used to determine whether a newer version is available for your platform, and security fixes are prioritized when they affect users or supported release paths.

Cookies and Advertising

Athas does not use advertising cookies, and the product is not built around selling user data. Essential cookies are used for authentication and session management, while optional analytics cookies are only used after consent.

Data Requests

Contact [email protected] to request access, correction, deletion, export, or objection to processing. Account deletion removes personal data within 30 days except where retention is required for legal compliance.

Vulnerability Reports

Email [email protected] with the subject Security Report. Include the affected version, platform, reproduction steps, impact, and any logs or proof of concept that help us verify the issue. Please avoid accessing data that is not yours, disrupting service, or publishing details before we have had a reasonable chance to respond.

Security Reviews and DPA Requests

Send security review, questionnaire, or DPA requests to [email protected]. We will answer with the current information we can provide for your review process.