sidekar

Privacy Policy

Last updated: March 26, 2026

Overview

Sidekar is designed to be local-first. The CLI runs on your machine and does not collect telemetry. Some features, including authentication, the dashboard, and session relay, require communication with our servers as described below.

CLI

The sidekar binary runs on your local machine. It does not phone home or collect telemetry. Browser automation, desktop automation, and inter-agent communication all happen locally.

The CLI makes outbound network requests in these cases:

  • Authentication: sidekar device login initiates a device-auth code exchange with sidekar.dev. The device token is stored locally in Sidekar's SQLite state under ~/.sidekar/.
  • Session relay: when you start a session, the CLI connects to relay.sidekar.dev via WebSocket so that the dashboard can display and interact with your active sessions. Session metadata (name, hostname, working directory, agent type) is transmitted to the relay.
  • Updates: sidekar update checks GitHub Releases for new versions. This is optional and must be explicitly initiated by you.

Chrome Extension

The Sidekar Chrome extension connects to a local Sidekar bridge on 127.0.0.1 (localhost). It does not:

  • Send page data to Sidekar servers as part of the local browser bridge
  • Collect analytics or telemetry
  • Track browsing history or behavior

The extension reads page content, including DOM text, accessibility data, and screenshots, only when the local sidekar process sends a command.

The extension signs in separately from the CLI. The local bridge verifies that the extension user and the CLI user belong to the same Sidekar account before it accepts commands.

The extension requests <all_urls> host permission because AI agents may need to interact with any page you explicitly direct them to. This permission is not used to access pages unless your local Sidekar process requests work.

Website & Dashboard

The sidekar.dev website is a static site hosted on Vercel. It uses no cookies, analytics, or tracking scripts.

When you log in to the dashboard, we store the following server-side:

  • Account information: your GitHub username and ID (from the OAuth login flow)
  • Devices: a list of devices you have authorized, including device name and authorization date
  • Session metadata: active session names, hostnames, working directories, agent types, and connection timestamps. This data is used to display your sessions in the dashboard and is removed when sessions disconnect.

This data is stored in a MongoDB Atlas database. We do not sell, share, or use this data for any purpose other than operating the Sidekar service.

Local Data Storage

The CLI stores the following data on your machine:

  • Chrome profiles: ~/.sidekar/profiles/
  • Configuration and auth state: ~/.sidekar/sidekar.sqlite3
  • Extension bridge secret: ~/.sidekar/ext-secret (0600 permissions)
  • Temporary files: /tmp/sidekar-*

Third-Party Services

  • GitHub: used for OAuth login and for checking software updates via GitHub Releases
  • Vercel: hosts the sidekar.dev website and API
  • MongoDB Atlas: stores account, device, and session metadata as described above

Sidekar does not integrate with any analytics, advertising, or data-collection services.

Contact

Questions about this policy: hello@kilospark.com

© 2026 Kilo Spark