Privacy Policy
Last updated: 2026-06-25
1. Who is responsible
The controller for the processing described here is the operator of DeviceShelf named in the Imprint. Questions and data-subject requests: [email protected].
2. The short version
DeviceShelf is a local-first network scanner. Your scan results — the devices on your network, their addresses, open ports and any notes — are stored only on the device that ran the scan. There is no DeviceShelf account, no DeviceShelf cloud, and the app contains no analytics or telemetry. Personal data is only processed for the few things a paid product genuinely needs: selling a licence, delivering it by email, answering your messages, and serving the website and downloads. Those are described below.
3. The app: scan data & telemetry
Scan data stays on your device. It is never transmitted to us. You can export it (JSON, CSV, XML, HTML, PDF) or delete it at any time. Licence verification runs offline via an ed25519 signature — the app does not phone home to check your licence.
Telemetry: none. The app does not report what you scan, what it finds, or that you launched it.
Optional features that send data — only if you enable them. These are off by default and run on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time by turning the feature off again; the data then goes straight to the third party you chose, never through us:
- AI features: if you add your own API key, the app asks for your permission before any cloud AI request. It identifies the recipient and endpoint, then sends your prompt and the relevant device or network signals directly from your device to the provider you chose — Anthropic, OpenAI, Azure OpenAI, OpenRouter, Mistral, Groq, Google Gemini, or a local Ollama model. Those signals may include IP addresses, pseudonymised MAC addresses, host/device names, vendors, open ports, service banners, certificate names, OS hints and security findings. We never see or proxy them; the provider's terms and privacy policy apply.
- Fingerbank lookup: if enabled, a device's DHCP fingerprint may be sent to fingerbank.org to help identify it.
- WAN-IP info & speed test: on demand (button press), a request goes to Cloudflare to determine your public IP or measure your connection speed; for the WAN view, your IP's network details (ISP/ASN, approximate location) are then looked up via the RIPE NCC's open data API (stat.ripe.net).
- Traceroute hop geolocation: only if you enable the clearly-labelled option in the traceroute panel, the public router IPs of your route are sent to the RIPE NCC's open data API (stat.ripe.net) to show each hop's network and location.
- Webhooks: if you configure a webhook URL, event data (device name, MAC, event type) is posted to that endpoint of your choice.
DNS fallback: when one of the features above is used and your system's DNS resolver is unreachable (e.g. a broken VPN), DeviceShelf falls back to DNS-over-HTTPS at Cloudflare (1.1.1.1) to resolve that feature's hostname. This happens only in the context of a feature you triggered — never on its own.
Don't trust us — verify it
With every opt-in feature turned off, DeviceShelf never connects to a DeviceShelf server on its own — no telemetry, no automatic update check, no license check, no analytics. License verification is offline (ed25519). The CVE hints and vendor names in the security report come from data bundled in the app (refreshed only when you update the app), so they make no network calls either.
The update check is the one exception — and it contacts our
own server, deviceshelf.app. It runs only when you
click "Check for updates" or enable the optional on-launch check
(off by default). Even then it just fetches a small static version file —
no identifier, no current-version report, no analytics — and we never
auto-download or auto-install; you're notified and download the signed
installer yourself.
What a packet capture will show — and what it means:
- Local scan traffic. DeviceShelf is a scanner, so it opens many connections to devices on your own network (ping/port sweeps, mDNS, SNMP…). That traffic stays within your LAN.
- DNS lookups go to whatever resolver your system is configured to use (possibly on the internet, e.g. your router or 1.1.1.1). That is your network's resolver, not a DeviceShelf endpoint.
- OS / WebView traffic. The app uses your operating system's built-in web view (WKWebView on macOS, WebView2 on Windows). The OS may make its own certificate/OCSP or vendor calls — that is macOS/Windows, not DeviceShelf.
- The only data that reaches the internet from DeviceShelf is from
an optional feature you switch on or trigger — AI device-ID
(to the provider whose key you supplied), Fingerbank, WAN-IP info / speed
test (Cloudflare), traceroute hop geolocation (stat.ripe.net), or a webhook
you configured — and it goes straight to that service, never through us.
The sole exception is the update check you run or enable,
which fetches a static version file from
deviceshelf.app.
Check it yourself with a per-app firewall (Little Snitch, or the free LuLu), or a capture filtered to non-local destinations:
sudo tcpdump -n 'not (net 192.168.0.0/16 or net 10.0.0.0/8 or net 172.16.0.0/12 or net 169.254.0.0/16 or net 224.0.0.0/4 or host 127.0.0.1)'
Launch DeviceShelf with opt-in features off — it starts a scan of your own
network automatically. Expected result: plenty of local LAN traffic, but
nothing to deviceshelf.app or any other
non-LAN destination beyond the OS/WebView/DNS noise above — unless you click
"Check for updates" or enabled the optional launch check. If
DeviceShelf otherwise phones home with opt-ins off, that is a bug — please
report it.
4. The website & downloads
Hosting & server logs. The website, our API endpoints and the download files are hosted on Cloudflare. To deliver content and defend against attacks, Cloudflare processes connection data (including IP address, request time and user-agent) in short-lived server/security logs. Legal basis: our legitimate interest in a secure, functioning service (Art. 6(1)(f) GDPR; Art. 31(1) Swiss FADP).
No tracking cookies, no cross-site tracking. deviceshelf.app
sets no advertising cookies and embeds no third-party trackers. The only
browser storage is a lang entry in localStorage (your chosen
interface language) and, if you arrive through a campaign link, a
short-lived utm_source tag kept in sessionStorage that is
erased when you close the tab — both strictly functional; neither is an
advertising, cross-site or visitor identifier.
Privacy-friendly analytics. To see how many people visit the site and which pages are useful, we use Cloudflare Web Analytics — a cookieless measurement tool. It sets no cookies, stores nothing on your device, does not fingerprint you and does not track you across other websites. It reports only aggregated figures (page views, referrers, an approximate country and the browser/user-agent). Your IP address is processed only transiently to derive these aggregates and is not stored as an identifier. Legal basis: our legitimate interest in understanding and improving the site (Art. 6(1)(f) GDPR; Art. 31(1) Swiss FADP). Because it is cookieless and stores nothing on your device, no consent banner is required.
Download statistics. When you download an installer we record an anonymous, aggregate entry — date, platform, version and a coarse country — to understand demand. We deliberately store no IP address, no user-agent and no other identifier, so this is not personal data. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
Conversion analytics (cookieless). To understand whether the site actually works — how many visitors reach the pricing page, start a checkout and complete a purchase — we record a handful of anonymous, aggregate events (a page view, a trial-download click, a buy click and a checkout start) and send them to our own Cloudflare Worker. We store no cookies, no IP address, no user-agent, no fingerprint and no persistent visitor identifier — only a coarse count per day, page, language and country. To measure how many started checkouts are actually paid, a random reference token (not derived from any personal data, and stored only as a hash) links a checkout start to the completed order; the completed-purchase event is generated on our server from the payment webhook, never in your browser. We honour Do-Not-Track and Global Privacy Control — if either is enabled, nothing is sent. Legal basis: our legitimate interest in operating and improving the service (Art. 6(1)(f) GDPR; Art. 31(1) Swiss FADP). Because it is cookieless and stores nothing identifying, no consent banner is required.
5. Contact form
If you use the contact form we process the name, email address, topic and message you enter, in order to receive and answer your request. Spam is filtered by a simple server-side method (a hidden “honeypot” field) — there is no CAPTCHA, no third-party anti-spam service and no tracking. Your message is relayed to our support inbox via our email provider (Resend); we do not store it in a database. Legal basis: steps prior to / performance of a contract and our legitimate interest in answering enquiries (Art. 6(1)(b) and (f) GDPR; Art. 31 Swiss FADP). We keep the correspondence only as long as needed to handle your request and any follow-up.
6. Newsletter, blog & feature polls
If you subscribe to our update list on the blog, we process your email address to send you product news (new releases, features and the occasional poll). We use double opt-in: after you enter your address we email you a confirmation link, and you are only added once you click it — an unconfirmed address is discarded automatically. The subscriber list is stored by Cloudflare (Workers KV); emails are sent via Resend. Every email contains a one-click unsubscribe link, and you can opt out at any time. Legal basis: your consent (Art. 6(1)(a) GDPR; Art. 6 Swiss FADP), which you can withdraw at any time with effect for the future. We keep your address only until you unsubscribe.
Blog feature polls let you vote with a single click and no account. To stop one person voting many times we store a one-way hash of your IP address together with the poll id (so we can recognise a repeat vote without ever storing your IP itself); we keep only anonymous per-option tallies. Legal basis: our legitimate interest in a usable, non-stuffable poll (Art. 6(1)(f) GDPR).
7. Buying a licence
Checkout and payment are handled by Polar as our Merchant of Record (see Imprint). Polar collects the data needed to process the order and issue an invoice (e.g. email, billing and payment details) under its own privacy policy. We receive your email address and licence key, which our licence service (a Cloudflare Worker) uses to generate and email your licence via Resend. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). We retain purchase email and licence records as required for accounting and warranty purposes.
8. Processors & recipients
We use the following service providers, acting as our processors under Art. 28 GDPR where applicable. Where a provider is based outside Switzerland/the EEA, the transfer is safeguarded by the EU Standard Contractual Clauses and, where the provider is certified, the EU-US Data Privacy Framework. You can request a copy of the relevant safeguards from [email protected].
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Website & download hosting, API/licence/contact workers, anonymous download stats, cookieless web analytics, inbound email routing, security logs; in-app (on demand only): WAN-IP lookup, speed test, DNS-over-HTTPS fallback | USA (EU edge) |
| Resend | Sending licence and contact emails | USA |
| Polar | Checkout, payment & invoicing (Merchant of Record) | USA |
| fingerbank.org | Optional, in-app device identification (only if you enable it) | Canada |
| RIPE NCC (stat.ripe.net) | Optional, in-app IP geolocation for WAN info and traceroute hops (only on demand / if enabled) | Netherlands (EU) |
9. Retention
We keep personal data only as long as necessary for the purpose it was collected, or as long as statutory retention periods (e.g. for invoices) require. Anonymous download statistics contain no personal data and are kept indefinitely in aggregate.
10. Your rights
Under the EU GDPR and the Swiss Federal Act on Data Protection (FADP) you have the right to access, rectification, erasure, restriction, data portability and to object to processing based on legitimate interests. Where processing is based on your consent, you may withdraw it at any time with effect for the future, without affecting the lawfulness of prior processing. To exercise any of these, email [email protected].
You also have the right to lodge a complaint with a supervisory authority — in Switzerland the Federal Data Protection and Information Commissioner (FDPIC/EDÖB), or your local EU/EEA data-protection authority.
11. Automated decisions & profiling
We do not carry out automated decision-making producing legal or similarly significant effects (Art. 22 GDPR), and we do not create personality or behaviour profiles. The optional in-app AI features identify devices, not people. The service is not directed at children.
12. Changes
We may update this policy as the product evolves. The date at the top reflects the latest version.
Contact
See the Imprint for legal contact details.