Privacy Policy

Effective: February 7, 2026

1. What Mstro Is

Mstro is a browser-based workspace for Claude Code by Anthropic. It provides a remote interface to Claude Code sessions running on your own apps. Mstro does not host, execute, or store your code or conversations.

2. Your Content Stays on Your Apps

All conversations, code, files, and terminal sessions remain on the apps you connect to Mstro. The Mstro server acts as a real-time relay — messages pass through but are never stored, logged, or persisted on our infrastructure.

Conversation history is saved locally in the .mstro/ directory on your machine. We do not have access to it.

3. What We Do Store

We store the minimum information needed to operate the service:

  • Account information: Email address, hashed password, and optional display name.
  • Session tokens: Used to keep you signed in (expire after 7 days).
  • Device registrations: A device name, hostname, operating system, and CPU architecture for each app you connect. Device tokens are stored as one-way hashes.
  • Connection metadata: Which projects (orchestras) are connected and when they were last active.
  • Usage metrics: Token counts for billing purposes.

If you enable two-factor authentication, we also store an encrypted TOTP secret and hashed backup codes.

4. Error Reporting & Analytics

We use Sentry for server-side error tracking. IP addresses are stripped before events are sent. We provide configuration for optional client-side analytics via PostHog. No personal data or code content is included in either.

5. Claude Code & Anthropic

Mstro uses Claude Code under the hood. Your interactions with Claude Code are subject to Anthropic’s Privacy Policy and Anthropic’s Terms of Service. We encourage you to review those policies, as they govern how Anthropic handles data processed by Claude.

6. Data Security

Passwords are hashed with bcrypt. Device tokens are stored as SHA-256 hashes. Sessions are transmitted over HTTPS only. We do not store plaintext credentials.

7. Data Deletion

You can delete your account at any time from your Mstro settings. This removes your account data, sessions, device registrations, and connection metadata from our servers. Local data on your apps is unaffected.

8. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes via email.

9. Contact

Questions about this policy? Reach us at bravo@mstro.app.