What we know about you.

The desktop app

Mr. Mags runs on your Mac or Windows machine. The brain — every memory you save, every pattern, every state value — is a database file in your user data folder.

• Mac: ~/Library/Application Support/Mr. Mags/brain/
• Windows: %APPDATA%\Mr. Mags\brain\

We don’t upload that folder anywhere. There is no “Mr. Mags cloud sync” — your data stays on your machine. There is no background telemetry from Mr. Mags reporting the contents of your memories. The browser extension (across claude.ai, chatgpt.com, gemini.google.com, and any custom AI server you add) and Claude Desktop’s MCP relay both talk to Mr. Mags via a localhost-only HTTP API on 127.0.0.1:11436 — your computer talking to itself for the Mr. Mags side of things.

The honest fine print: when you chat with Claude, ChatGPT, or Gemini, that conversation still goes to Claude, ChatGPT, or Gemini — that’s how using AI works, Mr. Mags doesn’t change it. If you turn on auto-inject, the most relevant memories get prepended to the message you’re about to send, so they ride along with your prompt to whichever AI you picked. Mr. Mags is the memory layer, not a man-in-the-middle. We don’t add ourselves to your trust chain.

Your conversations with the AI you chose are between you and them; we are not in the middle.

This website

The site is hosted on Cloudflare Pages. Every page request hits Cloudflare's servers, which keep standard access logs (timestamp, IP address, user-agent, URL) for a short window — that's how the internet works, not specific to us.

On top of that, we run a download counter: when you click a Download button, our server logs the filename, a salted SHA-256 hash of your IP (so we can roughly count unique downloads without ever holding the IP itself), an 80-character snippet of your browser's user-agent, and Cloudflare's two-letter country code. Then it 302-redirects you to the actual binary on our CDN. Numbers come back at /api/stats — total, last-7-days, breakdown by file. Public, in case you're curious.

That's it. No Google Analytics. No Meta pixel. No Hotjar. No newsletter signup popup. No retargeting cookies. No ad networks.

The teacher verifier

If you submit your school email at /teachers, we store:

• Your email address
• A pending verification token (24-hour TTL, one-time use)
• Once you click the link: a permanent license code we generated for your account

That's stored in a Cloudflare D1 database (SQLite-compatible, in our account). The verification email itself goes through Resend — one transactional email provider we use, who sees the send-event but doesn't keep the message contents long-term per their policy.

We don't sell, share, license, or otherwise hand off your email. We don't add it to a newsletter. If you want it deleted, email [email protected] and we delete the row. Real human, real keyboard.

Telemetry

The desktop app sends no telemetry and no memory content — nothing you typed leaves your machine. The one network call it makes on its own is the update check: on launch it asks our CDN whether a newer version exists. That request carries no memory and no identifier — just the same IP any download exposes.

Where the source lives

Mr. Mags is source-available under BSL 1.1. The pieces that make the privacy claims on this page checkable:

• The Mr. Mags desktop app (the tray app, the localhost API, and the Claude Desktop relay)
• The Mr. Mags browser extension (auto-capture, the remembered toast, and Undo)
• The local memory engine — the part that owns your brain on disk
• This website you're reading (mrmags.org)

The source is available for audit on request under BSL 1.1. Email [email protected] and we send read-only links to anyone who asks. The privacy claims here are checkable; the gate is paperwork, not principle.

Contact

Questions, requests, complaints, audits — [email protected]. Reply within a couple days. One human reads everything.