Privacy Policy

Our Commitment

ShieldKit ("the Software", "we", "our", or "us") is built with privacy as a core principle. The application runs entirely on your Mac with no network connections required for its core functionality. We do not collect, transmit, store, or process any personal data, usage data, or telemetry of any kind.

This Privacy Policy explains what information ShieldKit accesses, how it is used locally on your device, and the limited circumstances under which any network connections are made. By using ShieldKit, you acknowledge that you have read and understood this Privacy Policy.

Scope

This Privacy Policy applies to the ShieldKit macOS application and the ShieldKit website at shieldkit.drewhowlett.com. It does not apply to any third-party websites, products, or services that may be linked from our website or application.

Data Collection — Summary

We collect nothing. ShieldKit does not collect, transmit, or store any personal data on external servers. There is no account creation, no sign-up, no login, and no registration of any kind. Specifically, we do not collect:

• Personal information (name, email address, phone number, physical address)
• Account credentials or authentication tokens
• IP addresses, geolocation data, or network information
• Device identifiers, hardware serial numbers, or UDID
• Usage analytics, session data, or behavioral telemetry
• File contents, file names, file paths, or scan results
• Browsing history, bookmarks, or URL data
• Crash reports, diagnostic logs, or error data
• Clipboard contents, screenshots, or screen recordings
• Keystroke data, mouse movements, or input patterns
• Contacts, calendar entries, or other personal documents
• Any form of advertising identifier or tracking cookie

Local Data Storage

ShieldKit stores operational data locally on your Mac to provide its functionality. This data is stored in your user-specific Application Support directory at ~/Library/Application Support/ShieldKit/ and via macOS UserDefaults. This data never leaves your computer and is fully under your control.

The locally stored data includes:

• Scan history — A record of past scans including timestamps, the number of files scanned, and any detected threats. This allows you to review past scan results and track your security posture over time.
• Quarantined files — Files you choose to quarantine are moved to an isolated local directory within Application Support. Quarantine metadata (original file path, detection reason, timestamp) is stored alongside the files.
• Application preferences — Your settings and configuration choices (such as monitored directories, scan preferences, and whether onboarding has been completed) are stored via macOS UserDefaults.
• Real-time monitoring state — Information about active file system monitors and their configuration is maintained in memory during app operation and does not persist to disk beyond preference settings.

You can delete all locally stored data at any time by removing the ~/Library/Application Support/ShieldKit/ directory and resetting the app's UserDefaults. Uninstalling the application does not automatically remove this data — you must delete it manually if desired.

File System Access

ShieldKit requires access to your file system to perform its core malware detection and monitoring functions. The application accesses files in the following ways:

• Hash computation — Files are read to compute SHA-256 checksums, which are compared against a locally bundled database of known malware hashes.
• YARA pattern matching — File contents are scanned against bundled YARA rules to detect malware families, suspicious patterns, and known exploit signatures.
• Behavioral analysis — Files are examined for suspicious characteristics such as high entropy, embedded URLs, obfuscation techniques, and structural anomalies — all without executing the files.
• Code signing verification — Application bundles and executables are checked against Apple's code signing infrastructure to verify authenticity and detect tampering.
• Directory monitoring — ShieldKit monitors specific directories (such as Downloads, Desktop, and LaunchAgents) for new or modified files using macOS file system events.
• Browser history checking — ShieldKit reads local browser history databases (Safari and Chrome) to check visited URLs against a locally bundled threat database. Browser history contents are processed in memory and are never stored, logged, or transmitted.

All file access is performed entirely on your device. No file contents, file names, file paths, file metadata, hash values, scan results, or any other information derived from your files is ever transmitted off your Mac.

Network Connections

ShieldKit's core scanning, detection, and monitoring functionality operates completely offline with no network connections whatsoever. The malware signature databases, YARA rules, and URL threat lists are all bundled with the application and do not require downloading.

The only network connection the application makes is:

• Automatic update checks (Sparkle) — ShieldKit uses the open-source Sparkle framework to periodically check for application updates. This check fetches a small public XML file (appcast) hosted on GitHub to compare version numbers. The request contains only standard HTTP headers (user agent, which includes the app version and macOS version). No personal data, device identifiers, file information, or scan results are transmitted during this check. You can verify this by inspecting the Sparkle documentation on system profiling. Update checks can be disabled in the application settings.

Third-Party Services

ShieldKit does not integrate with, send data to, or receive data from any third-party analytics, advertising, tracking, crash reporting, A/B testing, or data processing services. We do not use:

• Google Analytics, Mixpanel, Amplitude, or any analytics platform
• Facebook Pixel, Google Ads, or any advertising network
• Sentry, Bugsnag, Crashlytics, or any crash reporting service
• Intercom, Drift, or any customer communication platform
• Stripe, RevenueCat, or any payment processing (the app is free)
• Any cloud-based malware scanning or file analysis service

The only third-party component embedded in the application is:

• Sparkle (MIT License) — An open-source macOS update framework used solely for checking for and installing application updates. sparkle-project.org

Website Analytics

The ShieldKit website (shieldkit.drewhowlett.com) is hosted on Vercel. Vercel may collect standard web server logs (IP address, user agent, page requested) as part of its hosting infrastructure. We do not add any additional analytics, tracking scripts, cookies, or fingerprinting to the website. The website does not use cookies.

Children's Privacy (COPPA)

Since ShieldKit collects no personal data whatsoever, the application is compliant with the Children's Online Privacy Protection Act (COPPA). The app does not require an account, does not collect personal information, and does not have any age-gated features. There are no special considerations regarding children's privacy because no data is collected from any user of any age.

California Privacy Rights (CCPA/CPRA)

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have specific rights regarding their personal information. Because ShieldKit collects no personal information:

• There is no personal information to disclose, delete, or correct
• We do not sell or share personal information with third parties
• We do not use personal information for targeted advertising
• We do not use sensitive personal information for any purpose
• There is no need to opt out, as no data collection occurs

If you are a California resident and have questions about your privacy rights, you may contact us at the email address below.

European Privacy Rights (GDPR)

Under the General Data Protection Regulation (GDPR), residents of the European Economic Area (EEA) have enhanced rights regarding personal data. Because ShieldKit collects no personal data:

• No legal basis for processing is required, as no processing occurs
• No data controller or data processor relationship exists
• No international data transfers occur
• Rights to access, rectification, erasure, restriction, portability, and objection are not applicable as no personal data is held
• No Data Protection Officer (DPO) appointment is required

The Sparkle update check fetches a publicly hosted XML file and transmits only standard HTTP headers. This does not constitute personal data processing under the GDPR, as no user-identifying information is collected or stored by us. The update server does not log requests or retain any visitor information.

Data Security

Because ShieldKit does not collect or transmit personal data, the primary security consideration is the protection of locally stored application data (scan history, quarantined files, preferences). This data is protected by:

• macOS file system permissions — data is stored in your user-specific Application Support directory, accessible only to your user account
• macOS FileVault — if enabled on your Mac, all local data is encrypted at rest
• macOS App Sandbox — the application is signed and notarized by Apple
• Code signing — the application binary is signed with a valid Apple Developer ID certificate, ensuring it has not been tampered with

Data Retention

Since we collect no data, there is no data retention policy for remote data. Local data (scan history, quarantined files, preferences) is retained on your device indefinitely until you choose to delete it. There is no automatic expiration or remote deletion of local data.

Do Not Track

ShieldKit does not track users in any way, so the application inherently honors Do Not Track (DNT) signals. The ShieldKit website does not use cookies or tracking scripts and therefore also honors DNT signals by default.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. Given that our core commitment is zero data collection, we do not anticipate significant changes to this policy. We encourage you to review this page periodically for the latest information on our privacy practices.

If a future version of ShieldKit introduces any form of data collection (which we have no plans to do), we will provide clear notice within the application before any data collection begins and will require explicit consent where required by law.

Contact

If you have questions, concerns, or requests regarding this Privacy Policy or ShieldKit's privacy practices, please contact us at:

Email: getpawdiohelp@gmail.com

We will respond to privacy-related inquiries within 30 days.