Privacy

MacSweep does not collect, transmit, or sell your personal data. Scans run locally on your Mac.

Local Scans

Disk usage, cache, Docker, leftover, duplicate, and cleanup findings are generated on your device. File paths and scan results are not uploaded to MacSweep servers.

Anonymous Product Analytics

To understand which features are used and what to improve, MacSweep sends limited, anonymous usage events through analytics.flutely.app. This is on by default, and you can turn it off at any time in the app under Privacy Guardian → Share Anonymous Product Analytics; the app also shows a notice about this on first run. Events may include the app version, broad action names (such as which section was opened or which cleanup ran), counts, coarse size buckets, and your license tier. Events do not include file paths, filenames, scan results, device identifiers, license keys, email addresses, or any personal content. No cookies are set and no cross-app profile is built.

App Update Checks

The app checks releases.macsweep.app for updates: a scheduled Sparkle check fetches the signed update feed (appcast.xml), and a fallback notifier fetches a small version file (latest.json). These are plain fetches of static files — they carry no account, license, file, or scan information, and the app does not send a system profile. Updates are verified against a public key embedded in the app and are never installed without your confirmation. As with any web server, the host's standard access log records the request (time, client IP, User-Agent).

Downloads

When you click a download button, your browser navigates to MacSweep's first-party /dl endpoint on the same domain, which redirects to the release file. MacSweep's download links carry only the app version, a random join key (dlid, generated in your browser for that page-load), and the allowlisted campaign parameters you arrived with (UTM source, medium, campaign, content, term, and the Google or Reddit click ID if present) — never your email or personal content. As with any web server, the site's standard access log records the request (time, client IP, User-Agent, and the requested URL); our download report reads only the campaign parameters and the join key from /dl requests and ignores anything else. No cookies are set. This is used to measure which channels drive downloads. The release file is served from releases.macsweep.app, whose standard server logs record the request too; only the dlid join key is forwarded there — not the campaign parameters.

Purchases and Licenses

Paid purchases are processed by Gumroad. License delivery email is handled by MacSweep infrastructure and an email provider. License records include the Gumroad sale ID, customer email, tier, purchase date, and generated license ID so support can re-send a license if needed. If you arrived from a paid ad, the campaign parameters and the ad network's click ID (Google's gclid or Reddit's rdt_cid) from that visit are attached to the checkout and stored with the sale record; a Google click ID is shared with Google Ads to measure which ads led to a purchase (Reddit click IDs are stored for the same measurement purpose but are not currently shared with Reddit). If you downloaded the app before buying, the time of that first download and a random download identifier (no personal data) are also attached to the checkout and stored with the sale, used only to link the download to the purchase and measure how long people take to decide (the download-to-purchase interval). At launch, and before each scheduled background maintenance run (whether run by the app or the command-line tool), the app also downloads a small public list of revoked licenses (stored as hashes, not keys) from macsweep.app/revoked.json and checks it locally — your license key is never sent; the app only reads the list.

Permissions

Full Disk Access and administrator prompts are used only so MacSweep can inspect and clean protected local paths after your confirmation.

Website

The website uses a privacy-safe analytics endpoint at analytics.flutely.app to measure page views and conversion clicks such as download, pricing, compare, checkout, and legal-policy actions. The website does not set cookies and does not collect file paths, scan data, license keys, email addresses, or personal content. Paid ad links may include campaign parameters and an ad-network click ID (Google's gclid or Reddit's rdt_cid). These are kept in your browser's local storage (not in cookies) for a 90-day attribution window — so if you download the app and purchase in a later visit, we can still tell which channel referred you — after which the value is discarded (or sooner if you clear your browser). They are used in first-party analytics to measure ad performance; if you complete a purchase, they are also forwarded to Gumroad with the checkout, and a Google click ID is shared with Google Ads to measure ad conversions (see Purchases and Licenses above).