Privacy Policy

Last updated: June 2026

Mango ("we", "us") shows sponsored messages in your AI coding tools and pays you a share of the revenue. This policy explains exactly what we collect and why. The guiding principle is local-first: your project context is analyzed on your own machine, and nothing leaves it unless you explicitly opt in.

Plain-English summary: by default we only know a random ID, that ads were shown, and what you earned. We never see your code, files, keystrokes, or secrets. Sharing anything beyond the basics is opt-in, and you can turn it off anytime with python3 ~/.claude/ads/optin.py.

1. What we collect

A pseudonymous account ID — a random UUID and a referral code generated on your machine at install. Not tied to your name.
Ad events — when an ad is shown (impression) or clicked, we record the ad, the surface (e.g. status bar), a timestamp, and the earnings computed server-side. This is how you get paid.
Email (optional) — only if you provide one, for payouts, account recovery, and notifications.
Earnings-sharing context (opt-in, tiered) — only at the tier you choose:
- Private (default): nothing about your projects leaves your machine.
- Stack: coding-language and tool labels (e.g. "typescript", "docker").
- Context: + file extensions and a one-way hash of your project path (never the path itself).
- Max: + a short snippet of your most recent prompt, to match more relevant ads.

2. What we never collect

We do not collect your source code, file contents, keystrokes, credentials, environment variables, or the contents of files you open. Project context is detected locally and only the labels described above are ever transmitted, and only at your chosen tier.

3. How clicks work

Ad links route through a small server running locally on your own machine (127.0.0.1), which records the click and then redirects your browser to the advertiser. We don't track your browsing beyond that single click.

4. Who we share data with

Supabase — our database and backend host.
Stripe — to pay you out and to process advertiser payments. Stripe may collect identity information (KYC) required to send you money.
Advertisers — receive only aggregate, anonymized performance (impressions, clicks), never your identity or context.

We do not sell your personal information.

5. Cookies & local storage

The web portal stores your referral code in your browser's local storage so you don't have to re-enter it. If you sign in with Google, we use Supabase Auth session storage. That's it.

6. Retention & deletion

We keep account and earnings records for as long as your account is active and as needed for payouts and fraud prevention. You can remove the software anytime with curl -fsSL …/install.sh | bash -s -- --uninstall. To delete your account data, contact us.

7. Security

Earnings are computed and stored server-side and cannot be altered by clients. Database access is locked down with row-level security. No method is perfectly secure, but we take reasonable measures to protect your data.

8. Children

The service is not directed to anyone under 16, and we don't knowingly collect their data.

9. Changes

We may update this policy; material changes will be posted here with a new date.

10. Contact

Questions or deletion requests: open an issue at our GitHub repo.