Understand security, privacy, permissions, and Keychain
A detailed guide to Hindsight’s local processing model, macOS permissions, encrypted storage, Keychain keys, private browsing protections, and license storage.
The short version
Hindsight is designed around local capture and local recall. Screen capture, OCR, audio transcription, search, thumbnails, and compressed visual history are processed on your Mac. Your timeline is stored locally, encrypted at rest, and controlled by macOS permissions.
Hindsight still uses network access for product services that need a server. License activation and validation talk to Lemon Squeezy. Transcription model downloads fetch model files before they can run locally. Direct app updates check the configured update feed. If crash or performance reporting is enabled in a release, it is configured to avoid screenshots, view hierarchy capture, network breadcrumbs, default PII, user identity, and device host names.
This article explains what each permission does, what is encrypted, where keys live, what Keychain protects, and what privacy controls are available.
What stays on your Mac
Hindsight’s core timeline is local.
- Screen snapshots are captured locally through Apple’s ScreenCaptureKit.
- OCR runs locally over captured images.
- Visual history is written into local encrypted thumbnails and compressed encrypted segments.
- Search metadata is stored in a local SQLCipher database.
- Audio chunks are transcribed locally with WhisperKit after a model is downloaded.
- Search runs against local history on the Mac.
That means your history is not synced to a Hindsight cloud account. If you use multiple Macs, each Mac has its own local history.
What can use the network
Some product functions are separate from timeline processing and can use the network.
- License activation, validation, and deactivation talk to Lemon Squeezy.
- Transcription model downloads fetch model weights before audio search can run locally.
- App updates use the configured Sparkle update feed.
- Crash and performance reporting can send diagnostic events when enabled in a release build.
Those networked functions do not mean Hindsight uploads your timeline for search. They support licensing, updates, model setup, and diagnostics.
Screen Recording permission
Screen Recording is the required permission for visual capture. Without it, Hindsight cannot capture the main display, run OCR on visible text, or build the visual timeline.
Hindsight checks Screen Recording through macOS TCC APIs. It uses a cached grant once access has been confirmed, because macOS can return stale denial values immediately after a user grants permission. When needed during an interactive setup flow, Hindsight confirms access with ScreenCaptureKit.
Screen Recording allows the app to receive screenshots of your display. Because that is a sensitive permission, use Hindsight’s privacy settings to decide what should be excluded before you leave capture running all day.
Accessibility permission
Accessibility is used for app and window context. It lets Hindsight inspect the frontmost app, focused window title, and supported browser UI so Hindsight can attach useful context to a captured moment.
Accessibility also improves private browsing protection. With Accessibility enabled, Hindsight can inspect supported browser windows for private browsing indicators and can read browser address fields in a normalized way.
If Accessibility is not enabled, Hindsight cannot reliably inspect supported browser windows. When private browsing skipping is enabled, Hindsight treats supported browser windows conservatively so private-window detection fails closed rather than assuming a browser window is safe to capture.
Microphone permission
Microphone permission is only needed if you enable microphone audio capture. Hindsight asks macOS for microphone access when microphone recording is enabled and permission is missing.
When microphone capture is running, Hindsight uses AVAudioEngine to read the selected input device. Audio is converted to the format Whisper expects, then transcribed locally. Hindsight persists the transcript and context, not a long-running raw audio archive.
If you do not want microphone audio in Hindsight, keep microphone recording disabled.
System audio capture
System audio capture uses ScreenCaptureKit. It depends on Screen Recording access because Apple exposes system audio capture through the screen capture stack.
Hindsight captures audio-only SCStream samples, converts them to 16 kHz mono Float32 audio, and flushes short chunks for transcription. The audio is then processed by the local transcription model.
If no transcription model is downloaded, audio capture does not start because there is no local model available to transcribe the chunks.
Notifications permission
Notifications are not required for search. They help Hindsight communicate important status changes, such as permission problems, capture interruptions, or app state that needs attention.
If notifications are disabled, Hindsight can still run, but you may miss status alerts that would otherwise make setup and troubleshooting easier.
Private browsing protection
Hindsight includes a privacy setting called Skip Private Browsing Windows. When enabled, Hindsight attempts to avoid capturing private browser windows.
Private browsing detection supports Safari, Chrome, Chrome Canary, Brave, Edge, Arc, Firefox, and Vivaldi. The app checks window titles and Accessibility attributes for private browsing indicators such as Incognito, Private Browsing, Private Window, and localized equivalents.
ScreenCaptureKit filtering is also used during capture. If private browser windows are detected on screen, Hindsight excludes those windows from the screenshot filter.
Private browsing detection is best-effort because browser UI and localization can change. For highly sensitive browsing, use the app exclusion controls too.
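The following Swift snippet is an added illustration of the fail-closed decision described above; it is not Hindsight's code. The bundle identifiers, the indicator strings (including the localized ones) and the WindowContext shape are assumptions standing in for whatever tables the app actually uses.

```swift
import Foundation

// Browsers the detector knows how to inspect (assumed list for this example).
let supportedBrowserBundleIDs: Set<String> = [
    "com.apple.Safari", "com.google.Chrome", "com.google.Chrome.canary",
    "com.brave.Browser", "com.microsoft.edgemac", "company.thebrowser.Browser",
    "org.mozilla.firefox", "com.vivaldi.Vivaldi",
]

// Substrings that mark a private window, compared case-insensitively.
// The localized entries are illustrative only.
let privateIndicators = ["incognito", "private browsing", "private window", "inprivate",
                         "navigation privée", "privates fenster"]

enum CaptureDecision: Equatable {
    case capture
    case skip(reason: String)
}

struct WindowContext {
    let bundleID: String
    let title: String?
    /// Accessibility attributes of the window; nil when Accessibility is not granted.
    let axAttributes: [String: String]?
}

/// Decide whether a window may be captured. Only supported browsers are inspected;
/// for them, missing Accessibility data means "skip", never "assume safe".
func decide(_ window: WindowContext, skipPrivateBrowsing: Bool) -> CaptureDecision {
    guard skipPrivateBrowsing, supportedBrowserBundleIDs.contains(window.bundleID) else {
        return .capture
    }
    // Fail closed: without Accessibility the window cannot be inspected.
    guard let attrs = window.axAttributes else {
        return .skip(reason: "accessibility unavailable")
    }
    var haystacks = attrs.values.map { $0.lowercased() }
    if let title = window.title { haystacks.append(title.lowercased()) }
    for text in haystacks {
        for indicator in privateIndicators where text.contains(indicator) {
            return .skip(reason: "private indicator '\(indicator)'")
        }
    }
    return .capture
}

// Constructed sample windows.
let incognito = WindowContext(bundleID: "com.google.Chrome",
                              title: "Docs - Google Chrome (Incognito)",
                              axAttributes: ["AXTitle": "Docs - Google Chrome (Incognito)"])
let normalTab = WindowContext(bundleID: "com.google.Chrome",
                              title: "Docs - Google Chrome",
                              axAttributes: ["AXTitle": "Docs - Google Chrome"])
let noAccessibility = WindowContext(bundleID: "com.apple.Safari", title: nil, axAttributes: nil)
let editor = WindowContext(bundleID: "com.apple.TextEdit", title: "notes.txt", axAttributes: nil)

for (name, w) in [("incognito", incognito), ("normalTab", normalTab),
                  ("noAccessibility", noAccessibility), ("editor", editor)] {
    print(name, decide(w, skipPrivateBrowsing: true))
}
// incognito -> skip, normalTab -> capture, noAccessibility -> skip, editor -> capture
```

Note that a non-browser app with no Accessibility data is still captured; the fail-closed branch applies only to the browsers the detector claims to support, which is the behaviour the section above describes.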
Excluded apps
Hindsight can exclude specific apps from capture. Excluded apps are filtered before capture whenever ScreenCaptureKit can identify the owning application.
Hindsight includes a default exclusion list for common password managers and credential apps, including Apple Passwords, 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, NordPass, Proton Pass, RoboForm, Secrets, Strongbox, and KeePassXC.
You can add or remove app exclusions in Hindsight settings. Excluding an app is the strongest built-in control when you never want a specific app to appear in local history.
Browser URLs and window titles
When Accessibility is enabled, Hindsight can attach app context, window titles, and normalized browser URLs to timeline entries. This makes search and recall more useful because a result can point back to the page or app context around that moment.
URL extraction is conservative. Hindsight accepts http and https URLs, strips user info and fragments, rejects values with whitespace or control characters, and checks that the host looks plausible.
This context is stored in local history. If you do not want browser URLs or window titles from a specific app, exclude that app from capture.
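As an added example (not the app's own implementation), the conservative URL rules above can be written as a single normalization function. The exact definition of a "plausible" host is an assumption here: labels of letters, digits and hyphens with at least one dot, or localhost.

```swift
import Foundation

/// Returns the URL as it should be stored, or nil when the raw value must be dropped.
/// Accepts only http/https, strips user info and fragment, rejects whitespace and
/// control characters, and requires a plausible host.
func normalizedBrowserURL(_ raw: String) -> String? {
    // Reject rather than percent-encode: a browser address field never contains these.
    let forbidden = CharacterSet.whitespacesAndNewlines.union(.controlCharacters)
    guard raw.unicodeScalars.allSatisfy({ !forbidden.contains($0) }) else { return nil }

    guard var parts = URLComponents(string: raw),
          let scheme = parts.scheme?.lowercased(), scheme == "http" || scheme == "https",
          let host = parts.host?.lowercased(), isPlausibleHost(host) else { return nil }

    parts.scheme = scheme
    parts.host = host
    parts.user = nil        // drop credentials embedded in the URL
    parts.password = nil
    parts.fragment = nil    // drop "#..." which can carry in-page state or tokens
    return parts.string
}

/// Assumed plausibility rule: non-empty DNS-style labels, no leading/trailing hyphen,
/// at least one dot unless the host is "localhost". IPv6 literals are rejected here.
func isPlausibleHost(_ host: String) -> Bool {
    if host == "localhost" { return true }
    let labels = host.split(separator: ".", omittingEmptySubsequences: false)
    guard labels.count >= 2 else { return false }
    let allowed = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: "-"))
    return labels.allSatisfy { label in
        !label.isEmpty && !label.hasPrefix("-") && !label.hasSuffix("-")
            && label.unicodeScalars.allSatisfy { allowed.contains($0) }
    }
}

// Constructed inputs covering each rule.
let samples = [
    "https://user:secret@example.com/report?id=7#section-2",  // -> https://example.com/report?id=7
    "HTTP://Example.com/a",                                    // -> http://example.com/a
    "javascript:alert(1)",                                     // -> nil (scheme)
    "https://exa mple.com/",                                   // -> nil (whitespace)
    "https://example..com/",                                   // -> nil (empty label)
    "https://localhost:8080/admin",                            // -> https://localhost:8080/admin
]
for s in samples {
    print(s, "->", normalizedBrowserURL(s) ?? "nil")
}
```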
Local history encryption
Hindsight encrypts local history at rest in multiple layers.
- index.db is opened with SQLCipher using a locally generated 32-byte passphrase.
- Thumbnail files are encrypted before they are written to disk.
- Compressed visual segment files are encrypted before they are stored.
- Storage folders are created with private file permissions.
- Encrypted blob files are written with owner-only file permissions.
The database stores timeline metadata, OCR text, search indexes, frame references, audio transcript records, app names, window titles, browser URLs, and related local history data. SQLCipher protects that database file on disk.
Thumbnails and compressed segments are separate encrypted files because they are larger binary assets. They use AES-GCM through CryptoKit.
Keychain keys
Hindsight generates encryption material locally and stores it in the macOS Keychain.
There are separate Keychain entries for separate jobs:
- memory-aead-v1 stores the 256-bit AES-GCM key used for encrypted thumbnail and segment blobs.
- memory-aead-v1.database stores the separate 256-bit SQLCipher database passphrase.
- lemon-squeezy-license-v1 stores the local Lemon Squeezy license snapshot.
The encryption entries are generic password items under the app’s Keychain service, normally the app bundle identifier. They use the Data Protection Keychain and are stored with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly.
ThisDeviceOnly matters. It means the key material is tied to this Mac and is not meant to migrate to another device through normal Keychain syncing. If you copy encrypted local history files to a different Mac without the matching Keychain keys, the copied files should not be readable by Hindsight.
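The Swift below is an added example of what a device-bound generic password item looks like through the Security framework; it is not Hindsight's code. The service string and the "demo-aead-key" account are placeholders so that running it cannot touch the app's real items.

```swift
import Foundation
import Security
import CryptoKit

// Assumed service name; the article says the app uses its bundle identifier.
let keychainService = "com.example.hindsight-demo"

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

/// Base query shared by add and lookup: a generic password in the Data Protection Keychain.
func baseQuery(account: String) -> [String: Any] {
    [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecUseDataProtectionKeychain as String: true,
    ]
}

/// Store a symmetric key so it is readable after the first unlock and never migrates
/// off this device via Keychain syncing or backup restore.
func storeKey(_ key: SymmetricKey, account: String) throws {
    var attrs = baseQuery(account: account)
    attrs[kSecValueData as String] = key.withUnsafeBytes { Data($0) }
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Read the key back; nil when no item exists for this account.
func loadKey(account: String) throws -> SymmetricKey? {
    var query = baseQuery(account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return SymmetricKey(data: data)
}

// Demo: generate the key once, then reuse it on later runs.
let account = "demo-aead-key"
if try loadKey(account: account) == nil {
    try storeKey(SymmetricKey(size: .bits256), account: account)
}
let loaded = try loadKey(account: account)!
print("loaded a \(loaded.bitCount)-bit key from the Data Protection Keychain")
```

On macOS the Data Protection Keychain is only available to signed apps that carry an application identifier, so this needs to run inside a signed app target rather than as an ad-hoc script; an unsigned run fails at SecItemAdd with an entitlement error.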
AES-GCM encrypted blobs
Thumbnail and segment files use AES-GCM. AES-GCM provides confidentiality and authentication. In practical terms, it encrypts the data and lets Hindsight detect when the encrypted file does not match what it expects.
Hindsight also authenticates additional metadata with each encrypted blob.
- Thumbnail blobs authenticate the frame ID.
- Segment blobs authenticate the segment filename and encryption key ID.
That additional authenticated data helps bind encrypted content to the record it belongs to. If a file is moved or mixed with the wrong record, decryption should fail instead of silently opening the wrong content.
Encrypted blob files include a small versioned header so Hindsight can reject unsupported formats cleanly.
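To make the additional-authenticated-data point concrete, here is an added example (not Hindsight's file format) of a versioned AES-GCM blob that binds a frame id as AAD and is written with owner-only permissions. The 3-byte magic, the version byte and the header layout are assumptions for this illustration.

```swift
import Foundation
import CryptoKit

enum BlobError: Error { case badHeader, unsupportedVersion(UInt8) }

let blobMagic = Data("HSB".utf8)   // assumed magic value
let blobVersion: UInt8 = 1         // assumed current format version

/// Header (magic + version) followed by nonce || ciphertext || tag.
/// The record id is authenticated but not stored, so the caller must know it.
func sealBlob(_ plaintext: Data, key: SymmetricKey, recordID: String) throws -> Data {
    let box = try AES.GCM.seal(plaintext, using: key, authenticating: Data(recordID.utf8))
    var out = blobMagic
    out.append(blobVersion)
    out.append(box.combined!)   // non-nil because the default nonce is 12 bytes
    return out
}

/// Reject unknown formats before touching the ciphertext, then verify the tag
/// against both the ciphertext and the expected record id.
func openBlob(_ blob: Data, key: SymmetricKey, recordID: String) throws -> Data {
    let headerLength = blobMagic.count + 1
    guard blob.count > headerLength, blob.prefix(blobMagic.count) == blobMagic else {
        throw BlobError.badHeader
    }
    let version = blob[blob.startIndex + blobMagic.count]
    guard version == blobVersion else { throw BlobError.unsupportedVersion(version) }
    let box = try AES.GCM.SealedBox(combined: blob.dropFirst(headerLength))
    return try AES.GCM.open(box, using: key, authenticating: Data(recordID.utf8))
}

/// Write atomically, then restrict the file to the owner in addition to the encryption.
func writeBlob(_ blob: Data, to url: URL) throws {
    try blob.write(to: url, options: .atomic)
    try FileManager.default.setAttributes([.posixPermissions: 0o600], ofItemAtPath: url.path)
}

// Demo with a constructed thumbnail payload.
let key = SymmetricKey(size: .bits256)
let thumbnail = Data("constructed thumbnail bytes".utf8)
let blob = try sealBlob(thumbnail, key: key, recordID: "frame-42")
try writeBlob(blob, to: URL(fileURLWithPath: NSTemporaryDirectory() + "frame-42.bin"))

let recovered = try openBlob(blob, key: key, recordID: "frame-42")
print("round trip ok:", recovered == thumbnail)

// The same bytes presented as a different frame fail authentication.
do {
    _ = try openBlob(blob, key: key, recordID: "frame-43")
    print("unexpected: opened under the wrong frame id")
} catch {
    print("wrong record id rejected:", error)
}

// A blob with an unknown version byte is refused before decryption is attempted.
var future = blob
future[future.startIndex + blobMagic.count] = 2
do {
    _ = try openBlob(future, key: key, recordID: "frame-42")
} catch {
    print("unsupported format rejected:", error)
}
```

Binding the record id as AAD is what makes "moved or mixed with the wrong record" a hard failure: the tag covers the id, so decryption under any other id fails before any plaintext is returned.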
SQLCipher database encryption
The local history database uses SQLCipher page-level encryption. Hindsight retrieves a 32-byte passphrase from Keychain and passes it into SQLCipher when opening index.db.
After applying the key, Hindsight probes the database by querying SQLite metadata. If the key is rejected, Hindsight treats the local store as unreadable. This prevents the app from continuing with the wrong key against encrypted data.
The database also uses WAL journaling for reliability. The storage usage view counts the database file and related WAL and SHM files as metadata storage.
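An added example (not the app's code) of the open-key-probe sequence using the SQLCipher C API from Swift. It assumes a SQLCipher module is linked under that name, and it uses a throwaway database path and a freshly generated passphrase so nothing real is touched.

```swift
import Foundation
import SQLCipher   // assumed module name for the linked SQLCipher build

enum StoreError: Error { case open(Int32), keyRejected, sqlite(String) }

/// Open an SQLCipher database, apply the raw passphrase, and probe it.
/// Any failure closes the handle and throws so the caller never proceeds with a bad key.
func openEncryptedStore(at path: String, passphrase: Data) throws -> OpaquePointer {
    var db: OpaquePointer?
    let rc = sqlite3_open_v2(path, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, nil)
    guard rc == SQLITE_OK, let handle = db else {
        sqlite3_close(db)
        throw StoreError.open(rc)
    }
    // The key must be handed over before any other statement runs.
    let keyStatus = passphrase.withUnsafeBytes { buf in
        sqlite3_key(handle, buf.baseAddress, Int32(buf.count))
    }
    guard keyStatus == SQLITE_OK else {
        sqlite3_close(handle)
        throw StoreError.keyRejected
    }
    // Probe: reading sqlite_master decrypts the first page. A wrong key shows up
    // as SQLITE_NOTADB ("file is not a database").
    if sqlite3_exec(handle, "SELECT count(*) FROM sqlite_master;", nil, nil, nil) != SQLITE_OK {
        let code = sqlite3_errcode(handle)
        let message = String(cString: sqlite3_errmsg(handle))
        sqlite3_close(handle)
        if code == SQLITE_NOTADB { throw StoreError.keyRejected }
        throw StoreError.sqlite(message)
    }
    // WAL journaling is configured only after the key has been accepted.
    if sqlite3_exec(handle, "PRAGMA journal_mode=WAL;", nil, nil, nil) != SQLITE_OK {
        let message = String(cString: sqlite3_errmsg(handle))
        sqlite3_close(handle)
        throw StoreError.sqlite(message)
    }
    return handle
}

// Demo: create a store with a random 32-byte passphrase, then reopen it with a wrong one.
let good = Data((0..<32).map { _ in UInt8.random(in: .min ... .max) })   // CSPRNG-backed
let path = NSTemporaryDirectory() + "demo-index.db"
let db = try openEncryptedStore(at: path, passphrase: good)
_ = sqlite3_exec(db, "CREATE TABLE IF NOT EXISTS frames(id INTEGER PRIMARY KEY, title TEXT);",
                 nil, nil, nil)
sqlite3_close(db)

do {
    _ = try openEncryptedStore(at: path, passphrase: Data(repeating: 0, count: 32))
    print("unexpected: store opened with the wrong key")
} catch StoreError.keyRejected {
    print("wrong key rejected; local store treated as unreadable")
} catch {
    print("other error:", error)
}
```

The probe is the important step: sqlite3_key itself never validates the key, so without a read that forces page decryption the app would only discover the mismatch later, in the middle of real queries.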
File permissions
Hindsight creates private storage directories with owner-only access. The encrypted file writer also sets encrypted blob files to owner-only file permissions.
File permissions are not a replacement for encryption. They are an additional local boundary. Permissions help normal macOS user separation, while encryption protects copied or offline files that do not have the matching Keychain keys.
What encryption protects against
Encryption at rest helps protect local history if someone copies the history files without the matching Keychain items. It also reduces exposure if local storage files are viewed outside the running app.
Encryption does not mean the app cannot read your history. Hindsight must decrypt local history while it is running so it can show previews, search results, and transcript matches.
Encryption also does not protect against every local threat. A user account with full control of the Mac, malware running with your privileges, screen capture tools you approve, or someone using your unlocked Mac can still see sensitive information. macOS account security, FileVault, a strong login password, and careful app permissions still matter.
License data in Keychain
License activation data is stored separately from timeline encryption keys. Hindsight stores the Lemon Squeezy license snapshot in Keychain under lemon-squeezy-license-v1.
That snapshot can include the license key, Lemon Squeezy instance ID, instance name, plan tier, license status, activation limit, activation usage, customer email when returned by Lemon Squeezy, activation date, and validation date.
License validation uses the Lemon Squeezy License API. If validation cannot reach Lemon Squeezy, Hindsight can keep working from the last successful validation for a limited offline grace period. If Lemon Squeezy reports the key is invalid, expired, disabled, or for the wrong product, new capture is disabled.
Existing local history remains on disk when licensing changes. License state controls product access. It does not erase your local timeline.
Transcription models
Hindsight uses WhisperKit for on-device transcription. Model files are downloaded before use and then loaded from local disk.
The model download is the networked part. Once a model is present, transcription runs locally on your Mac. Larger models use more disk space and can improve language coverage or accuracy, but they still run locally after download.
You can remove downloaded transcription models from settings. Removing a model disables audio search for that model until you download it again.
Diagnostics and logs
Hindsight writes operational logs through Apple’s unified logging system. Logs help diagnose permission failures, storage errors, compression problems, model downloads, licensing problems, and capture state.
Be careful when sharing diagnostic logs. Logs can include operational context, app names, error messages, and in some cases transcript-related details. Review logs before sending them anywhere.
Release builds can use Sentry for crash and performance diagnostics when configured. Hindsight configures Sentry with default PII disabled, automatic breadcrumbs disabled, network tracking disabled, screenshot capture disabled, view hierarchy capture disabled, and user and server name fields stripped before sending.
What to check if something feels wrong
Start with permissions and privacy settings before deleting files.
- Open Hindsight Settings.
- Confirm Screen Recording is enabled if visual capture should run.
- Confirm Accessibility is enabled if you rely on app context, browser URLs, or private browsing detection.
- Confirm Microphone is enabled only if you want microphone audio search.
- Review Skip Private Browsing Windows.
- Review Apps Excluded from Capture.
- Check Storage settings if local history size looks unexpected.
- Remove unused transcription models if audio search is no longer needed.
If the app reports a Keychain or encryption error, note the exact message before changing anything. Keychain errors can make encrypted local history unreadable until the underlying Keychain access problem is fixed.
Before contacting support
Include these details when asking for help:
- Your macOS version.
- Your Hindsight version.
- Which permission is enabled or missing.
- Whether FileVault is enabled on the Mac.
- Whether you recently migrated to a new Mac or restored from backup.
- Whether the error mentions Keychain, SQLCipher, encryption, local history, permissions, or licensing.
- Whether the affected feature is screen capture, audio transcription, search, private browsing exclusion, license activation, or updates.
Those details make it easier to separate a macOS permission issue from a Keychain issue, a corrupted local store, a licensing problem, or normal privacy filtering.