PRIVACY WHITEPAPER · v1 · 2026-04

The shortest privacy policy you'll read this year.

EyeGuard does not collect, transmit, store-remotely, sell, share, or analyze your data. The camera you grant access to feeds Apple's on-device Vision SDK, and the resulting numbers stay in your sandbox. That's the policy. Below is the verification.

1. What data EyeGuard handles

EyeGuard accesses your front-facing camera during sampling windows (default ~60s every 20 minutes, configurable). Each frame passes through Apple Vision in-process and is dropped immediately. Only derived numerical metrics are kept:

Eye Aspect Ratio per frame (single double precision number)
Face landmark positions for head pose estimation (transient)
Face bounding-box width (for distance estimate)
Aggregate counts: blinks, PERCLOS percentage, median pose angles

No raw frames, no images, no video, no audio is recorded by default.

2. Where data is stored

Aggregated metrics live in a single SQLite database inside your App Sandbox container:

~/Library/Containers/com.alex.eyeguard/Data/Library/Application Support/EyeGuard/events.sqlite

The schema contains events(id, ts, kind, payload) — every entry is local, time-stamped, and retained for 90 days. Older rows are pruned automatically; you may also clear all data instantly from Preferences → Stats → Clear all data.

3. What does not happen

EyeGuard does not request com.apple.security.network.client in its sandbox entitlements. Inspect any installed copy via codesign -d --entitlements - /Applications/EyeGuard.app.
EyeGuard ships with zero third-party SDKs — no Firebase, no Sentry, no Mixpanel, no anything. The only embedded library is GRDB.swift (open-source SQLite wrapper).
EyeGuard does not run a "diagnostics opt-in" toggle that's secretly always on. The only crash reporting path is Apple's own first-party ReportCrash, which you control in System Settings → Privacy & Security → Analytics.
EyeGuard does not register any LaunchAgent, daemon, or background helper outside the sandbox.

4. Camera permission, in detail

The first time the scheduler decides to sample, macOS prompts for camera access using the description string declared in our Info.plist:

"EyeGuard needs camera access to detect your blink rate and posture distance. The camera only opens during the last 60 seconds of each cycle. Video data does not leave your device."

If you decline, EyeGuard continues to function as a 20-20-20 timer with no monitoring — every detection feature is gracefully disabled. You can revoke access any time via System Settings → Privacy & Security → Camera.

5. Verify it yourself

Three independent checks anyone can run:

Network monitor. Install Little Snitch or Lulu in silent mode and use EyeGuard normally for a day. The outbound rule list for the EyeGuard process should remain empty.
System log filter. Open Console.app, filter process == EyeGuard, and search for http, upload, cdn, tcp. There will be no matches outside Apple system frameworks.
Offline run. Disconnect Wi-Fi and unplug Ethernet. Use EyeGuard for 24 hours. Every feature works identically.

6. Optional recording (developer mode)

For users (mostly developers) who want to validate the algorithm against external ground truth, Preferences → About → Developer mode exposes a switch that records the manual check sample to disk: a .mov video plus a synchronized .csv of per-frame metrics. Files land in recordings/ inside the same sandbox folder above. Default is OFF. Disabling it deletes nothing — you must remove existing files manually.

7. Children and special categories

EyeGuard is not directed at children under 13 and does not knowingly collect data from any user (we do not collect data from any user). It does not handle any special category of personal data under GDPR Article 9 — no health diagnoses, no biometric identification (we measure blink rates, not retinas), no political or religious metadata.

8. Updates to this policy

If EyeGuard ever introduces an opt-in feature that requires network access (e.g. an optional cloud sync between two of your own Macs), this whitepaper will be updated, the App Sandbox entitlement will change visibly, and the user-facing onboarding will explain the new permission before it is requested.

Contact: [email protected]

Publisher: Guangdong Mifeng Intelligent Technology Co., Ltd. (Apple Team ID PM6M3M34BA)

Last updated: 2026-04-27

中文摘要

EyeGuard 不收集、不传输、不远程存储、不出售、不分享、不分析你的数据。摄像头帧仅在 Apple Vision SDK 内处理后丢弃,只有聚合数值 (眨眼率/PERCLOS/姿态角度等) 写入本地 SQLite,90 天后自动清除。App Sandbox 不申请 com.apple.security.network.client,即使想上传也办不到 — 用任何防火墙工具可验证。零第三方 SDK,零遥测,零广告。详细技术细节见上方英文。联系: [email protected]。