Understand security, privacy, permissions, and Keychain
A detailed guide to Hindsight’s local processing model, macOS permissions, encrypted storage, Keychain keys, private browsing protections, and license storage.
The short version
Hindsight is designed around local capture and local recall. Screen capture, OCR, audio transcription, search, thumbnails, and compressed visual history are processed on your Mac. Your timeline is stored locally, encrypted at rest, and controlled by macOS permissions.
Hindsight still uses network access for product services that need a server. License activation and validation talk to Lemon Squeezy. Transcription model downloads fetch model files before they can run locally. App updates check the configured update feed. If diagnostics are enabled in a configured app build, they are set up to exclude screenshots, view hierarchy capture, raw Apple unified logs, automatic network breadcrumbs, default personal data, user identity, device host names, request and response bodies, headers, license keys, full URLs, transcripts, OCR text, window titles, browser URLs, search queries, and local history.
This article explains what each permission does, what is encrypted, where keys live, what Keychain protects, and what privacy controls are available.
What stays on your Mac
Hindsight’s core timeline is local.
- Screen snapshots are captured locally through macOS screen capture APIs.
- OCR runs locally over captured images.
- Visual history is written into local encrypted thumbnails and compressed encrypted segments.
- Search metadata is stored in a local encrypted database.
- Audio is transcribed locally on your Mac after a transcription model is downloaded.
- Search runs against local history on the Mac.
That means your history is not synced to a Hindsight cloud account. If you use multiple Macs, each Mac has its own local history.
What can use the network
Some product functions are separate from timeline processing and can use the network.
- License activation, validation, and deactivation talk to Lemon Squeezy.
- Transcription model downloads fetch model files before audio search can run locally.
- App updates use the configured Sparkle update feed.
- Crash, release health, app hang, performance, and sanitized diagnostic reporting can send diagnostic events when enabled in a configured app build.
Those networked functions do not mean Hindsight uploads your timeline for search. They support licensing, updates, model setup, and diagnostics.
Screen Recording permission
Screen Recording is the required permission for visual capture. Without it, Hindsight cannot capture the main display, run OCR on visible text, or build the visual timeline.
Hindsight checks Screen Recording through the macOS privacy permission system. It relies on a confirmed grant once access has been verified, because macOS can briefly report a stale denial immediately after you grant permission.
Screen Recording allows the app to receive screenshots of your display. Because that is a sensitive permission, use Hindsight’s privacy settings to decide what should be excluded before you leave capture running all day.
Accessibility permission
Accessibility is used for app and window context. It lets Hindsight inspect the frontmost app, focused window title, and supported browser UI so Hindsight can attach useful context to a captured moment.
Accessibility also improves private browsing protection. With Accessibility enabled, Hindsight can inspect supported browser windows for private browsing indicators and can read browser address fields in a normalized way.
If Accessibility is not enabled, Hindsight cannot reliably inspect supported browser windows. When private browsing skipping is enabled, Hindsight treats supported browser windows conservatively so private-window detection fails closed rather than assuming a browser window is safe to capture.
Microphone permission
Microphone permission is only needed if you enable microphone audio capture. Hindsight asks macOS for microphone access when microphone recording is enabled and permission is missing.
When microphone capture is running, Hindsight reads the selected input device and transcribes the audio locally. Hindsight persists the transcript and context, not a long-running raw audio archive.
If you do not want microphone audio in Hindsight, keep microphone recording disabled.
System audio capture
System audio capture depends on Screen Recording access, because macOS exposes system audio capture through the screen capture stack.
Hindsight captures short chunks of system audio and transcribes them locally with the downloaded model. If no transcription model is downloaded, audio capture does not start because there is no local model available to transcribe the audio.
Notifications permission
Notifications are not required for search. They help Hindsight communicate important status changes, such as permission problems, capture interruptions, or app state that needs attention.
If notifications are disabled, Hindsight can still run, but you may miss status alerts that would otherwise make setup and troubleshooting easier.
Private browsing protection
Hindsight includes a privacy setting called Skip Private Browsing Windows. When enabled, Hindsight attempts to avoid capturing private browser windows.
Private browsing detection supports Safari, Chrome, Chrome Canary, Brave, Edge, Arc, Firefox, and Vivaldi. The app checks window titles and Accessibility attributes for private browsing indicators such as Incognito, Private Browsing, Private Window, and localized equivalents.
Private browser windows that are detected on screen are also filtered out during capture, so they are excluded from the screenshot rather than captured and discarded later.
Private browsing detection is best-effort because browser UI and localization can change. For highly sensitive browsing, use the app exclusion controls too.
Excluded apps
Hindsight can exclude specific apps from capture. Excluded apps are filtered out before capture whenever macOS can identify the owning application.
Hindsight includes a default exclusion list for common password managers and credential apps, including Apple Passwords, 1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, NordPass, Proton Pass, RoboForm, Secrets, Strongbox, and KeePassXC.
You can add or remove app exclusions in Hindsight settings. Excluding an app is the strongest built-in control when you never want a specific app to appear in local history.
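The pre-capture decision described in the private browsing and excluded apps sections can be sketched as follows. This is an added example, not Hindsight's code: the `Window` type, the function names, and the reading of "conservatively" as "skip every supported browser window when Accessibility is off" are assumptions, and the sample windows in the usage are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Browser names and indicator strings are the ones listed in the article.
SUPPORTED_BROWSERS = {"Safari", "Chrome", "Chrome Canary", "Brave",
                      "Edge", "Arc", "Firefox", "Vivaldi"}
PRIVATE_MARKERS = ("incognito", "private browsing", "private window")

@dataclass
class Window:                      # hypothetical model of an on-screen window
    app: Optional[str]             # None when the owning app cannot be identified
    title: str
    ax_attributes: Tuple[str, ...] = ()   # strings read through Accessibility

def exclusion_reason(win, excluded_apps, skip_private, ax_enabled):
    """Return why a window must be left out of the screenshot, or None."""
    # App exclusion only applies when the owner is known.
    if win.app is not None and win.app in excluded_apps:
        return "excluded-app"
    if skip_private and win.app in SUPPORTED_BROWSERS:
        if not ax_enabled:
            # Fail closed: without Accessibility the window cannot be
            # inspected, so it is not assumed safe to capture.
            return "browser-unverified"
        text = " ".join((win.title, *win.ax_attributes)).lower()
        if any(marker in text for marker in PRIVATE_MARKERS):
            return "private-window"
    return None

def windows_to_capture(windows, excluded_apps, skip_private, ax_enabled):
    """Filter before capture so excluded windows never reach the image."""
    return [w for w in windows
            if exclusion_reason(w, excluded_apps, skip_private, ax_enabled) is None]

if __name__ == "__main__":
    sample = [Window("1Password", "Vault"),
              Window("Safari", "Example - Private Browsing"),
              Window("Chrome", "Release notes"),
              Window("Terminal", "zsh")]
    for ax in (True, False):
        kept = windows_to_capture(sample, {"1Password"}, True, ax)
        print("accessibility =", ax, "->", [w.app for w in kept])
```

With Accessibility off, the ordinary Chrome window is dropped as well, which is the cost of failing closed.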
Browser URLs and window titles
When Accessibility is enabled, Hindsight can attach app context, window titles, and normalized browser URLs to timeline entries. This makes search and recall more useful because a result can point back to the page or app context around that moment.
URL handling is conservative. Hindsight accepts only http and https URLs, strips user info and fragments, rejects values with whitespace or control characters, and checks that the host looks plausible.
This context is stored in local history. If you do not want browser URLs or window titles from a specific app, exclude that app from capture.
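The URL rules above, written out as an added example (not Hindsight's code). The function name is hypothetical, and the host check used here (dotted ASCII labels or `localhost`) is an assumption about what "looks plausible" means.

```python
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# One DNS-style label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def _plausible_host(host):
    if not host or len(host) > 253:
        return False
    if host == "localhost":
        return True
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)

def normalize_browser_url(raw):
    """Return a normalized http(s) URL, or None when the value is rejected."""
    if not isinstance(raw, str) or not raw:
        return None
    # Check the raw string first: urlsplit() silently removes tabs and
    # newlines, which would hide a malformed address-field value.
    if any(ch.isspace() or unicodedata.category(ch) == "Cc" for ch in raw):
        return None
    try:
        parts = urlsplit(raw)
        host, port = parts.hostname, parts.port   # .port raises on bad ports
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if not _plausible_host(host):
        return None
    # Rebuild the authority from host and port only, which drops
    # "user:password@", and pass an empty fragment to drop "#...".
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))

if __name__ == "__main__":
    # Constructed sample values.
    for value in ("https://user:pw@Example.com:8443/a?b=1#frag",
                  "file:///Users/me/notes.txt",
                  "https://exa mple.com/",
                  "https://-bad-.example/"):
        print(repr(value), "->", normalize_browser_url(value))
```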
Local history encryption
Hindsight encrypts local history at rest in multiple layers.
- The local database is encrypted with a locally generated key.
- Thumbnail files are encrypted before they are written to disk.
- Compressed visual segment files are encrypted before they are stored.
- Storage folders are created with private file permissions.
- Encrypted files are written with owner-only file permissions.
The database stores timeline metadata, OCR text, search indexes, frame references, audio transcript records, app names, window titles, browser URLs, and related local history data. Database encryption protects that file on disk.
Thumbnails and compressed segments are stored as separate encrypted files because they are larger binary assets.
Keychain keys
Hindsight generates its encryption material locally and stores it in the macOS Keychain. There are separate Keychain entries for separate jobs, including the keys used to encrypt local history and a separate entry that stores your local license information.
The encryption entries are stored so that the key material is tied to this Mac and is not meant to migrate to another device through normal Keychain syncing. If you copy encrypted local history files to a different Mac without the matching Keychain keys, the copied files should not be readable by Hindsight.
Authenticated encryption
Hindsight’s encrypted files use authenticated encryption. In practical terms, this both encrypts the data and lets Hindsight detect when an encrypted file has been changed or does not match the record it belongs to.
If a file is moved, tampered with, or mixed with the wrong record, decryption should fail instead of silently opening the wrong content. Encrypted files also carry a small version marker so Hindsight can reject unsupported formats cleanly.
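The behaviour described above can be seen in a small added example that is not Hindsight's code. The article does not name the cipher or the file layout, so this sketch substitutes an encrypt-then-MAC construction built from the Python standard library (HMAC-SHA256 for both keystream and tag) in place of a platform AEAD; the one-byte version marker, field sizes, and record identifiers are constructed.

```python
import hashlib
import hmac
import os

VERSION = b"\x01"              # constructed format marker, first byte of a file
NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(master):
    # Separate keys for encryption and authentication.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # HMAC in counter mode as a keystream (stand-in for a real cipher).
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, record_id, body):
    # The record id is authenticated but not stored in the file, so a file
    # only verifies for the record it was written for.
    aad = len(record_id).to_bytes(4, "big") + record_id
    return hmac.new(mac_key, aad + body, hashlib.sha256).digest()

def seal(master, record_id, plaintext):
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(NONCE_LEN)
    body = VERSION + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + _tag(mac_key, record_id, body)

def open_sealed(master, record_id, blob):
    if len(blob) < 1 + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated file")
    if blob[:1] != VERSION:
        raise ValueError("unsupported format version")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(master)
    # Verify before decrypting; constant-time comparison.
    if not hmac.compare_digest(tag, _tag(mac_key, record_id, body)):
        raise ValueError("authentication failed")
    nonce, ct = body[1:1 + NONCE_LEN], body[1 + NONCE_LEN:]
    return _xor_stream(enc_key, nonce, ct)

if __name__ == "__main__":
    key = os.urandom(32)
    blob = seal(key, b"thumb-0001", b"frame bytes")
    print(open_sealed(key, b"thumb-0001", blob))
    try:
        open_sealed(key, b"thumb-0002", blob)    # file paired with wrong record
    except ValueError as err:
        print("rejected:", err)
```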
Database encryption
The local history database is encrypted using a key that Hindsight retrieves from the Keychain when it opens the database.
After applying the key, Hindsight verifies that the database can be read. If the key is rejected, Hindsight treats the local store as unreadable rather than continuing with the wrong key against encrypted data.
File permissions
Hindsight creates private storage directories with owner-only access, and encrypted files are written with owner-only file permissions.
File permissions are not a replacement for encryption. They are an additional local boundary. Permissions support normal macOS user separation, while encryption protects files that are copied or read offline without the matching Keychain keys.
What encryption protects against
Encryption at rest helps protect local history if someone copies the history files without the matching Keychain items. It also reduces exposure if local storage files are viewed outside the running app.
Encryption does not mean the app cannot read your history. Hindsight must decrypt local history while it is running so it can show previews, search results, and transcript matches.
Encryption also does not protect against every local threat. A user account with full control of the Mac, malware running with your privileges, screen capture tools you approve, or someone using your unlocked Mac can still see sensitive information. macOS account security, FileVault, a strong login password, and careful app permissions still matter.
License data in Keychain
License activation data is stored separately from the timeline encryption keys. Hindsight keeps a local snapshot of your Lemon Squeezy license in the Keychain.
That snapshot can include the license key, license status, plan tier, activation limit and usage, the customer email when returned by Lemon Squeezy, and the dates the license was activated and last validated.
License validation uses Lemon Squeezy. If validation cannot reach Lemon Squeezy, Hindsight can keep working from the last successful validation for a limited offline grace period. If Lemon Squeezy reports the key is invalid, expired, disabled, or for the wrong product, new capture is disabled.
Existing local history remains on disk when licensing changes. License state controls product access. It does not erase your local timeline.
Transcription models
Hindsight transcribes audio on your Mac using a model you download once. The model download is the networked part. Once a model is present, transcription runs locally on your Mac.
Larger models use more disk space and can improve language coverage or accuracy, but they still run locally after download. You can remove downloaded transcription models from settings. Removing a model disables audio search for that model until you download it again.
Diagnostics and logs
Hindsight writes operational logs through Apple’s unified logging system. Logs help diagnose permission failures, storage errors, compression problems, model downloads, licensing problems, and capture state.
Be careful when sharing diagnostic logs. Logs can include operational context, app names, error messages, and in some cases transcript-related details. Review logs before sending them anywhere.
Configured app builds can use Sentry for crash reporting, release health, app hang reporting, limited performance diagnostics, sanitized nonfatal error reports, manual diagnostic breadcrumbs, and sanitized diagnostic logs. Hindsight configures Sentry with default personal data disabled, automatic network breadcrumbs disabled, automatic network tracking disabled, screenshot capture disabled, view hierarchy capture disabled, and user and server name fields stripped before sending.
What to check if something feels wrong
Start with permissions and privacy settings before deleting files.
- Open Hindsight Settings.
- Confirm Screen Recording is enabled if visual capture should run.
- Confirm Accessibility is enabled if you rely on app context, browser URLs, or private browsing detection.
- Confirm Microphone is enabled only if you want microphone audio search.
- Review Skip Private Browsing Windows.
- Review Apps Excluded from Capture.
- Check Storage settings if local history size looks unexpected.
- Remove unused transcription models if audio search is no longer needed.
If the app reports a Keychain or encryption error, note the exact message before changing anything. Keychain errors can make encrypted local history unreadable until the underlying Keychain access problem is fixed.
Before contacting support
Include these details when asking for help:
- Your macOS version.
- Your Hindsight version.
- Which permission is enabled or missing.
- Whether FileVault is enabled on the Mac.
- Whether you recently migrated to a new Mac or restored from backup.
- Whether the error mentions Keychain, encryption, local history, permissions, or licensing.
- Whether the affected feature is screen capture, audio transcription, search, private browsing exclusion, license activation, or updates.
Those details make it easier to separate a macOS permission issue from a Keychain issue, a corrupted local store, a licensing problem, or normal privacy filtering.