Privacy

Last updated: 2026-04-20.

Where TPM runs

TPM v1.2.0 runs entirely on your machine as a CLI. There is no TPM-operated backend. The only outbound traffic from tpm audit goes to:

• api.anthropic.com — model inference, using your Anthropic API key.
• The marketing URL you optionally pass to tpm audit, if any.

What TPM stores locally

• ~/.tpm/config.yaml — your Anthropic API key (chmod 600), model tier, any per-stage overrides. Masked when displayed via tpm config show.
• .tpm/tpm.sqlite (per project) — audit history and per-stage costs. Integer micro-USD totals; no prompt contents.
• .tpm/artifacts/ (per project) — generated YAML / JSON / HTML / spec.md per audit. These are yours; delete any time.

What TPM does NOT collect

• Your source code — it never leaves the machine except as inference prompts sent to Anthropic under your API key.
• Analytics, telemetry, or phone-home. No usage counters. No update pings. No device registration.
• Your Anthropic API key — never written to logs, never sent anywhere except api.anthropic.com.

Third parties

• Anthropic — receives the inference prompts TPM sends. Subject to Anthropic's privacy policy.
• Cloudflare Pages — hosts this marketing site (not the CLI).

What changed in 1.2.0

v1.1.x had a hosted-trial proxy on Cloudflare Workers AI (with device-flow auth, a D1 audit log, and R2 artifact sync). Removed entirely in v1.2.0. The relevant code is deleted from the repo.