Privacy — Backspace

TL;DR. Backspace is a desktop application that runs entirely on your computer. It has no server-side component of any kind. Nothing about your backups, your files, your usage patterns, your destinations, your OAuth tokens, or your existence ever leaves your machine — except the data you have explicitly asked Backspace to copy to the cloud storage destinations you configured, encrypted before it gets there.

What Backspace stores on your computer

All Backspace state lives under your operating system's per-user configuration directory (on Windows that's %APPDATA%\Backspace\; portable installs put it next to the executable instead). That directory contains:

Your config. The list of backups you created, the source folders, the destinations, the schedules, the filter rules. Plain JSON, human-readable. Edit it if you like — Backspace reloads on save.
An encrypted secrets vault. Cloud OAuth refresh tokens, S3 access keys, repository encryption passwords. On Windows the vault is wrapped with DPAPI so only the current Windows user account can read it; on macOS and Linux a per-installation key file lives alongside it with user-only file permissions.
Per-run logs. Each backup run writes a log file capturing what the underlying engine printed (file counts, durations, errors). These never leave your machine. You can delete them whenever you want.
The Backrest sidecar's data. Backspace bundles Backrest and drives it as a localhost-only RPC sidecar. Its state (operation history, scheduled-task records, cached repo metadata) lives under backrest/ in the same config directory. The sidecar binds to 127.0.0.1 only — it is not reachable from any other computer.

What Backspace sends out

Only the data you have explicitly told it to back up, to the destinations you configured. Three sub-cases:

Local destinations. No network traffic. Bytes go from your source folder to your external drive / NAS path.
S3 destinations. Restic's S3 driver talks directly to the bucket you configured, with the AWS credentials you supplied, over HTTPS.
Cloud destinations (Dropbox, OneDrive, Google Drive). Restic talks to rclone, which talks directly to the provider's API over HTTPS using the OAuth refresh token you authorised. The token stays on your machine; only your backup data crosses the wire, always encrypted client-side before it leaves your computer (AES-256, with a key derived from a password only you know).

What goes through Dropbox specifically

If you've authorised a Dropbox destination, Backspace requests an OAuth refresh token from Dropbox via their standard authorisation flow. The token is stored locally in the encrypted secrets vault described above and used only to upload your backup data to the folder you chose.

Backspace does not:

Send your Dropbox token to any Backspace-controlled server (there is no such server).
Read the contents of files outside the folder paths you're explicitly backing up.
Modify, share, or delete files in your Dropbox other than within the destination folder you picked.
Collect or log anything about your Dropbox account beyond the user-visible folder name where your backups land.

You can revoke Backspace's Dropbox access at any time from your Dropbox connected apps page. Backspace will stop being able to write new backups to that destination; backups already at the destination remain yours and untouched.

Telemetry, analytics, crash reporting

None. Backspace makes no outbound network calls of its own beyond:

The backup / restore traffic described above.
An optional Healthchecks.io ping after each run if you turned that feature on yourself. The ping carries the check ID you configured and the run status (ok / fail); no file paths, no file contents, no identifying user data.
An optional email via your own Resend or Mailgun account if you set that up yourself. Same scope as Healthchecks: status only, never file contents.
A one-time download of release binaries from GitHub (backrest, restic, rclone) the first time you build Backspace from source. Disabled by passing -p:SkipBackrestDownload=true.

Cookies, tracking, third-party scripts

This website (the page you're reading) is a static HTML page hosted on GitHub Pages. It has no analytics tags, no cookies, no third-party scripts, and no embedded advertising. GitHub's standard hosting access logs apply (per their privacy statement); we do not have access to those logs and do not request them.

Children's privacy

Backspace is a developer tool not directed at children. It does not knowingly collect any personal information from anyone — including children — because, as described above, it doesn't collect personal information from any user.

Changes to this policy

If Backspace ever starts collecting any data, this page will be updated to describe it, the "last updated" date at the top will change, and the release notes for that version will call it out prominently. The current intent is to never collect anything.

Contact

Questions, concerns, or "actually I think you're collecting something you didn't list here": open an issue on GitHub. Or, if you'd rather not do that in public, email the maintainer at the address in the LICENSE file.