Skip to content
Fregata Docs

Privacy & telemetry

The canonical, lawyer-reviewed version of this lives at fregata.app/privacy. This page is the engineer’s-eye-view: what’s actually in the request bodies, how to read the code, and how to turn it off.

What leaves the Mac

Section titled “What leaves the Mac”

Three categories, that’s it.

1. License activation (one-time)

Section titled “1. License activation (one-time)”

Sent when you click Activate in the activation window.

POST /v1/activate
{
  "license_key":   "frgt_XXXX-XXXX-XXXX-XXXX",
  "email":         "<your-license-email>",
  "machine_id":    "<sha256 of IOPlatformUUID>",
  "hostname_hint": "MacBook-Pro.local",
  "app_version":   "1.0.3"
}

machine_id is a one-way hash. The original IOPlatformUUID never leaves the machine; only its SHA-256 digest does, used solely to bind the license to this Mac.

hostname_hint is included so the license-management page can show “this license is on MacBook-Pro.local” instead of an opaque ID. It’s a hint only and is editable from the dashboard.

2. License heartbeat (every ~6 hours)

Section titled “2. License heartbeat (every ~6 hours)”

Sent in the background to keep the token fresh and confirm the license is still valid.

POST /v1/heartbeat
{
  "token":       "<current Paseto v4.public token>",
  "app_version": "1.0.3",
  "telemetry": {                       // optional; omitted if FREGATA_TELEMETRY_DISABLED=1
    "app_version": "1.0.3",
    "os_version": "macOS 14.5",
    "mac_model": "MacBookPro18,1",
    "arch": "arm64",
    "cpu_cores": 10,
    "ram_gb_bucket": "16-32",
    "camera_count": 4,
    "detector_type": "coreml",
    "uptime_hours": 72,
    "crash_count_since_last": 0
  }
}

The server replies with a refreshed token and stores nothing about the request body except the telemetry fields (when present). No IP addresses are stored — Cloudflare strips them at the edge before the Worker sees the request.

3. Update manifest fetch (daily)

Section titled “3. Update manifest fetch (daily)”

Anonymous, unauthenticated.

GET /v1/manifest

Returns the latest version, its DMG hash, the minimum license expiry that version requires, and an Ed25519 signature. No identifiers in the request, no body. This is how the Update available menu item gets populated.

What does not leave the Mac

Section titled “What does not leave the Mac”
  • Camera URLs, names, or credentials. Never.
  • Recordings, snapshots, event clips. Never.
  • Detection events, zones, classes. Never.
  • Your IP address. Cloudflare drops it at the edge before the Worker sees the request.
  • Your hostname, beyond the optional hostname_hint you can edit / delete from the management page.
  • Your email, beyond what you typed at activation. (For GenAI / Frigate+ integrations you’d configure with your own API keys, those calls go directly from the Mac to the chosen provider — see the Frigate GenAI docs.)
  • Crash dumps, system logs, ffmpeg logs, or anything else Frigate writes locally.

There is no Sentry, no Mixpanel, no DataDog, no third-party SDK of any kind.

How to disable telemetry

Section titled “How to disable telemetry”

Set FREGATA_TELEMETRY_DISABLED=1 in Settings → Environment Variables in the menu-bar tray. Restart Frigate.

After that, heartbeat requests omit the entire telemetry block. The server inspects the missing-block case, marks the activation as opted-out, and skips the time-series write to its analytics table. Subsequent heartbeats from the same activation never write analytics rows.

You can verify by tailing the Frigate log on the next heartbeat (roughly six hours later) — the log line says heartbeat sent (telemetry: off). The off confirms the env var was picked up.

How to disable heartbeats entirely

Section titled “How to disable heartbeats entirely”

You can’t, while staying activated. The heartbeat is also the license-validity check; turning it off would strand the app in a permanent grace state, which is precisely the failure mode the grace was designed for.

The closest thing to “no network calls at all” is to put the Mac on a network with no internet. Fregata happily runs in that mode indefinitely while the app stays up; only restarts past 7 days of offline time need a network round-trip to reactivate. See Running offline.

What about the manifest fetch?

Section titled “What about the manifest fetch?”

It’s anonymous and signed. Disabling it loses the Update available menu item but doesn’t affect anything else. There’s no runtime toggle today; if you really want it gone, you can block the licensing host at the network level — Fregata will treat the failed fetch as “no update available” and move on.

Reading the code yourself

Section titled “Reading the code yourself”

If you’d rather verify the behavior than take our word for it:

WhatWhere
Activation request bodyfregata-core/src/license/activate.rs
Heartbeat request body + telemetry structfregata-core/src/license/heartbeat.rs
Telemetry opt-out checkfregata-core/src/license/heartbeat.rs (FREGATA_TELEMETRY_DISABLED)
Manifest fetchmacos-bundle/FregataApp/FregataApp/ManifestChecker.swift
Server-side telemetry handlinglicensing-worker/src/handlers/heartbeat.ts

The licensing-worker source is in the same repo; for the public mirror, github.com/3rdBitLabs/Fregata points at the relevant directories.

Data retention on our side

Section titled “Data retention on our side”

Per the privacy policy:

  • Telemetry rows are kept for 24 months in Cloudflare D1, then moved to encrypted cold storage for another 24 months before deletion.
  • Activation rows (license ↔ machine binding) are kept while the binding is active and for 12 months after a release / refund.
  • Stripe handles all card details; we receive only the email, Stripe transaction ID, and status.

For deletion requests, reply to your license email. Honoured within 30 days, less the data we’re required to retain for tax / refund compliance.