Version: v2 (current)

PanDev CLI Plugin (Windows) Privacy Policy

Version: 1.0
Effective Date: May 22, 2026
Rights Holder (Provider): PanDev Ltd

This Policy describes how PanDev command-line plugins for Windows and other compatible host environments handle data. The document aligns in meaning and terminology with the CLI Plugin EULA and the CLI Plugin ToS. Access to PanDev cloud services is governed by the Cloud Terms. Server software deployed at the Customer is governed by the Self-Managed EULA.

1. Scope and Purpose

1.1. The Policy applies only to PanDev CLI Plugins as a channel for transferring data — including Activity Data and Prompt Content — from a User's machine to the Server.
1.2. The Policy does not set processing rules inside the SaaS. For the cloud, the Cloud Terms and a separate SaaS privacy policy (to be published) apply.
1.3. For on-prem deployments, processing takes place within the Customer's infrastructure under the Self-Managed EULA. This Policy describes only what data the CLI Plugins transmit and how PanDev treats it.

2. Roles and Allocation of Responsibilities

2.1. SaaS. The Customer is the controller of personal data. PanDev acts as a processor for the cloud. The rules are captured in the Cloud Terms. A DPA may be signed upon request.
2.2. On-prem. Data is processed and controlled by the Customer in its infrastructure. PanDev is not a processor and does not receive access unless separately agreed.
2.3. CLI Plugin diagnostic telemetry. To improve quality PanDev may process anonymized telemetry about the CLI Plugins themselves. In on-prem mode diagnostic telemetry is not used.

3. Data Transmitted by the CLI Plugins

The CLI Plugins transmit two distinct streams of data to the Server, plus separate diagnostic telemetry. Customers and Users should read this section in full because, unlike PanDev IDE extensions, CLI Plugins transmit content that the User deliberately supplies as input.

3.1. Activity Data (metadata)

Metadata about CLI Plugin invocations, without Prompt Content:

Event time and sequence of invocations.
Command context: CLI Plugin command and subcommand names; argument shape (flag and subcommand names; flag values may be recorded as the User typed them — the CLI Plugin does not automatically redact secret values, so the Customer must ensure secrets are not passed as flag values); exit code; invocation duration.
Environment context: CLI Plugin version; operating system name, version, and Windows build identifier; shell or terminal name; CI runner identifier if applicable.
User and organizational context: User identifier in PanDev; tenant or organization identifier in PanDev; hostname hash.
System and network parameters: local timezone; device network attributes including IP address and country (resolved server-side). Hardware network identifiers are not collected by the CLI Plugin.
Short textual descriptors: for example a command label, without embedding Prompt Content or file contents.

3.2. Prompt Content (content the User deliberately submits)

Text and structured input that the User deliberately supplies to the CLI Plugin for processing, analysis, or transmission to the Server. This includes:

Command arguments where they form part of the User's intentional input.
Standard input (stdin) payloads piped or redirected into the CLI Plugin.
Prompt files explicitly passed as input via flags such as --prompt-file, positional path arguments, or equivalent.
AI prompts and other User-supplied text intended for processing by PanDev or PanDev-integrated models.
Server responses returned to the User by the CLI Plugin.

Prompt Content is content, not metadata. Users acknowledge that submitting text via the CLI Plugin transmits that text to the Server. The general statement that "file content is not transmitted" applies to ambient files in the working directory that the User has not explicitly referenced — it does not apply to material the User intentionally provides as Prompt Content.

In SaaS mode Prompt Content may, depending on the specific command and Customer configuration, be forwarded to third-party model providers integrated by PanDev. Where this occurs, the relevant subprocessor list and integration scope are documented in the Cloud Terms and the published subprocessor register.

3.3. Diagnostic Telemetry

Anonymized information about the CLI Plugins and the compatible environment: versions, crash reports (which do not include Prompt Content), performance counters. In on-prem mode diagnostic telemetry is not used.

3.4. Not transmitted

The CLI Plugin does not automatically harvest:

contents of files in the working directory that the User has not explicitly referenced as input;
environment variables other than those listed in the CLI Plugin documentation as required for operation;
secret stores, credential managers, or token vaults beyond what is required to authenticate to the Server;
source-code repositories or binary artifacts that the User has not explicitly passed as input;
passwords (which are not logged and are never included in Activity Data).

3.5. Authentication data

Credentials may be transmitted to sign in to the cloud or on-prem. Transmission uses secure channels over TLS 1.2 or higher; passwords are not logged and are not part of Activity Data. After authentication, short-lived tokens are used. The CLI Plugin stores tokens in a file within the User's profile directory under the access rights of the current operating-system user account; no additional at-rest encryption is applied beyond the operating system's filesystem access controls. The Customer is responsible for compensating controls at the device level (full-disk encryption, per-User operating-system accounts, sign-out hygiene).

3.6. No automatic secret redaction

The CLI Plugin does not automatically detect or remove secrets from command arguments, Prompt Content, stdin, or any other User-supplied input. Material that a User submits — including, by mistake, API tokens, passwords, or other credentials — is transmitted to the Server as is and stored alongside other Prompt Content under the regime described above. Customers must train Users not to paste secrets into AI prompts, stdin, or command arguments, and should configure shell and editor environments accordingly (for example, instructing Users to read secrets from environment variables or from secret managers and never to type them inline).

4. Data Sources

4.1. The primary source is the CLI Plugin running on the User's machine.
4.2. Additionally, data may come from the Customer during configuration (tenant ID, organizational policies) and from infrastructure logs in SaaS mode.

5. Processing Purposes

We use CLI Plugin-related data for the following purposes:

delivering Activity Data and Prompt Content to the Server and ensuring reliable delivery during outages;
executing the substantive CLI Plugin functionality requested by the User on the basis of Prompt Content (for example, returning AI-generated responses, executing analyses, producing artifacts);
maintaining integration functionality and version compatibility;
diagnosing and resolving incidents;
improving CLI Plugin quality and performance;
security and abuse prevention;
performing Customer contracts and meeting legal requirements.

PanDev does not use Prompt Content to train its own foundation models without the Customer's prior written consent.

6. Legal Bases

6.1. SaaS. The Customer determines legal bases as the controller. PanDev acts as a processor under the Cloud Terms and any applicable DPA.
6.2. On-prem. Processing is determined by the Customer. PanDev is not a processor.
6.3. CLI Plugin diagnostic telemetry. Processed by PanDev under its legitimate interest in product quality and security. Telemetry is not used for profiling Users and does not include Prompt Content.

7. Storage

7.1. CLI Plugin local cache. When the Server is unavailable, the CLI Plugin temporarily stores Activity Data and Prompt Content in a local cache and sends them once connectivity is restored. By default the cache is not limited in duration or volume and is not configurable inside the CLI Plugin. The cache is stored within the User's profile directory under the access rights of the current operating-system user account; no additional at-rest encryption is applied beyond the operating system's filesystem access controls. The Customer may limit storage through corporate device policies and operating system controls, and is responsible for compensating controls at the device level (full-disk encryption such as BitLocker on Windows, account isolation, sign-out hygiene).
7.2. SaaS. Cloud storage and deletion of Activity Data and Prompt Content are governed by the Cloud Terms and the Customer's settings.
7.3. On-prem. Storage is managed by the Customer.
7.4. Diagnostic telemetry. Retained for the minimum time needed for diagnostics and improvements, after which the data is deleted or aggregated and anonymized.

8. Security

8.1. Data transmission uses TLS 1.2 or higher with host verification.
8.2. Access tokens and the local cache are stored within the User's profile directory under the access rights of the current operating-system user account. The CLI Plugin does not apply additional at-rest encryption to tokens or to the cache beyond the operating system's filesystem access controls.
8.3. PanDev may publish checksums for distribution archives so that the Customer can verify integrity prior to installation. Distribution archives may not currently carry a code-signing certificate; the Customer's environment may therefore display platform warnings (for example Microsoft Defender SmartScreen on Windows) when running an unsigned binary, and the Customer is responsible for the installation and code-execution policies of its environment.
8.4. Because Prompt Content may include sensitive business logic and because tokens and cache are not additionally encrypted at rest, the Customer is responsible for device-level compensating controls: full-disk encryption (for example BitLocker on Windows), per-User operating-system accounts, screen lock, timely sign-out on shared workstations, endpoint security (anti-malware/EDR), and any application allow-listing required by Customer policy.

9.1. Subcontractors and subprocessors (SaaS). PanDev may engage vetted subcontractors for hosting and processing when operating the cloud, including, where applicable, third-party model providers that process Prompt Content for specific CLI Plugin commands. A list will be published or provided on request.
9.2. On-prem. PanDev does not receive data except for support under a separate written data access agreement.
9.3. Legal requirements. We disclose information when required by law and supported by proper legal grounds.
9.4. Cross-border transfers. In SaaS mode data may move across jurisdictions. PanDev applies organizational and technical measures to protect transferred data. For on-prem, data remains within the Customer's infrastructure.

10. Data Subject Rights

10.1. SaaS. Data subject requests (access, rectification, deletion, restriction, objection) should be addressed to the Customer as the controller. PanDev supports the Customer to the extent required under the Cloud Terms.
10.2. On-prem. Requests are handled by the Customer.
10.3. CLI Plugin telemetry. Requests may be sent directly to PanDev. We review and respond within a reasonable time.

11. Children and Consumers

PanDev CLI Plugin products are intended solely for business use. We do not target children and do not knowingly collect data about minors.

12. Changes to This Policy

We may update this Policy. A new version takes effect after publication and notification through the services or by email. Continued use signifies acceptance of the changes.

13. Contact Information

Rights Holder (Provider): PanDev Ltd
Office: 050057, Republic of Kazakhstan, Almaty, Bostandyk District, Gagarin Ave. 124, 4th floor
Support: privacy@pandev.io and support@pandev.io

Appendix A. Alignment with the EULA and ToS

A.1. This Policy does not amend or replace the CLI Plugin EULA or the CLI Plugin ToS.
A.2. For SaaS the Cloud Terms and, if needed, a DPA apply.
A.3. In on-prem mode PanDev is not a processor and does not access data without separate consent.
A.4. In on-prem mode CLI Plugin diagnostic telemetry is not used.
A.5. The composition of Activity Data, the scope of Prompt Content, and default exclusions match the appendices to the CLI Plugin EULA and ToS.
A.6. The "no content transmitted" assurances that appear in the IDE Extensions documents do not apply to Prompt Content in CLI Plugins. Prompt Content is content that Users deliberately submit and that the CLI Plugin transmits to the Server by design.

1. Scope and Purpose​

2. Roles and Allocation of Responsibilities​

3. Data Transmitted by the CLI Plugins​

3.1. Activity Data (metadata)​

3.2. Prompt Content (content the User deliberately submits)​

3.3. Diagnostic Telemetry​

3.4. Not transmitted​

3.5. Authentication data​

3.6. No automatic secret redaction​

4. Data Sources​

5. Processing Purposes​

6. Legal Bases​

7. Storage​

8. Security​

9. Disclosure and Sharing​

10. Data Subject Rights​

11. Children and Consumers​

12. Changes to This Policy​

13. Contact Information​

Appendix A. Alignment with the EULA and ToS​