MYTOOLBOX · PRIVACY

Privacy and security boundaries

MyToolbox defaults to local data, gives whole-app offline mode the highest network priority, and separates built-in modules, system permissions, and third-party extensions into distinct authorization and encryption layers.

Last updatedJuly 18, 2026

01

Local data and one root directory

The global data location in Settings is the single internal root for MyToolbox. Settings, Clipboard, Vault, Notes, Collections, Translation, Exchange, and Mac Optimization each write to a fixed subdirectory they own.

Apart from bootstrap information used to locate the global root, feature data is not scattered into a second hidden store. Work Mode and Command-K keep interface configuration only and do not copy module content.

02

Network access and the offline master switch

Whole-app offline mode takes priority over module consent, persistent plugin grants, and background work. Enabling it cancels in-flight requests and blocks update checks, exchange rates, connected translation, web previews, and third-party networking.

  • The app reads the version on davidtaylor.info only when the user requests an update check
  • Exchange rates connect only when refreshing snapshots or history
  • Connected translation sends text only to the currently selected provider
  • Collection web previews and third-party HTTPS capabilities connect only when explicitly invoked
  • Plugin network logs remove accounts, fragments, and sensitive query parameters

03

Passwords, Secure Enclave, and encryption

MyToolbox never stores the master password in plaintext. The password derives a wrapping key and a random master key is sealed with AES-GCM. Per-feature encryption depends on the active master key while the app is unlocked.

Touch ID uses a Secure Enclave P-256 private key, an ephemeral peer public key, ECDH, and HKDF to unwrap the master key. The private key is not exportable and derived wrapping material exists only in memory. The password remains the recovery method.

04

Sensitive clipboard and cross-app selection

Sensitive content copied from Vault, protected files, or Work Mode carries a one-time origin marker and is skipped before Clipboard Manager parsing. Universal Clipboard content from iPhone and iPad is also excluded before categorization.

The copy fallback for cross-app selection backs up and restores every pasteboard type only while the transaction still owns the pasteboard changeCount. If a screenshot tool or another app writes newer content, restoration is abandoned and the newer clipboard is never overwritten.

05

Third-party modules

Third-party web modules are disabled by default in a new environment. Whole-app encryption must be enabled before import, update, or activation. Each module package, Data, Cache, settings, bookmarks, and audit log is stored with an AES-GCM key independently derived from the app master key and permanent plugin ID.

The plugin interface appears first. Allow once, always allow, or never allow is requested only when the module actually reads data, connects, selects a file, or invokes a host service. Global enablement, trust mode, permission ceilings, offline mode, and per-plugin network isolation always override individual grants.

  • Plugins never receive passwords, keys, Touch ID material, or real module directories
  • Seven-day audits record operation, destination, and result structure without private content
  • Mac Optimization scans only regenerable plugin Cache and never important Data
  • Certified native companions run through App Sandbox XPC, command allowlists, and resource circuit breakers

06

System permissions

Permissions are requested per capability. You do not need to grant everything at once, and declining one permission limits only its related feature.

  • Screen & System Audio Recording supports region, window, and full-screen capture
  • Accessibility supports user-confirmed autofill and cross-app selection
  • Input Monitoring observes real pointer drag-selection events
  • Full Disk Access broadens the paths Mac Optimization can scan
  • Touch ID performs user-initiated local authentication

07

Import, export, external files, and migration

Importing a copy stores content in its module. Finder links store only paths, security-scoped bookmarks, and relative structure; originals remain protected by their disk and macOS permissions. Move, delete, and paste actions in a linked directory explicitly affect real Finder content.

A full migration archive is generated from the single data root, includes a per-file SHA-256 manifest, and imports through staging with rollback on failure. Secure Enclave wraps, device activation receipts, developer debug grants, and verification credentials do not migrate between devices.

08

Mac Optimization logs

Mac Optimization logs record category, result, count, size, elapsed time, and inaccessible count. They exclude usernames, hostnames, full personal paths, and stable device fingerprints. Scan clues are not antivirus conclusions.

09

Contact and changes

This notice changes when network features, storage structure, extension protocols, or system-permission behavior changes. Privacy and security questions can be sent through the contact page on the personal site.