Telemetry
Archgate collects anonymous usage data to help us understand how the CLI is used, prioritize features, and fix crashes. This page explains exactly what is collected, what is not, and how to opt out.
What we collect
Usage analytics (PostHog)
When you run an Archgate command, we record:
- Command name and which flags were used (e.g., check --json — only flag presence, never flag values)
- Exit code (0, 1, 2, or 130) and execution duration (milliseconds), plus a short outcome tag (success, user_error, internal_error, cancelled)
- Environment: OS, architecture, Bun version, Archgate version, CI detection (including provider: GitHub Actions / GitLab CI / CircleCI / etc.), TTY detection, WSL detection, shell (bash, zsh, pwsh…), and locale
- Install context: how the CLI was installed (binary, proto, local dev dependency, or global package manager)
- Project context: whether an Archgate project exists in the current directory, how many ADRs it has, how many have automated rules, and how many distinct ADR domains are used
- Repo context (non-identifying): whether the current directory is a git repository, the host bucket (github / gitlab / bitbucket / azure-devops / other), a hashed repo_id (SHA-256 of the normalized remote URL, truncated to 16 hex characters — not reversible), and the default branch name
- Coarse location: country and region (resolved server-side from your IP, then the IP is discarded — see IP anonymization)
- Anonymous install ID: a random UUID generated on first run — not derived from any personal data
In addition to the general command lifecycle events (command_executed / command_completed), specific commands send enriched outcome events:
- check: aggregate rule counts (total, passed, failed, warnings, errors), output format used, whether filters were applied, files scanned, load duration, check duration — no file paths or violation content
- init: editor choice, whether the plugin was installed, whether the project already existed. A separate one-time project_initialized event is emitted with the repo host bucket, repo_is_git, and a repo_public flag. For repos confirmed public on GitHub / GitLab / Bitbucket, this event also carries the remote URL, owner, and repo name — see Repo identity. Private and self-hosted repos never have identity shared.
- upgrade: version transition (from → to), install method, success/failure, and an optional failure reason
- login: subcommand used (login, logout, refresh, status), success/failure, and a failure bucket (network, tls, denied, other) when it fails
- telemetry_preference_changed: fires once when you enable or disable telemetry, so we can understand opt-out rates
Repo identity
Archgate sends a hashed repo_id with every event so we can count distinct repositories using the CLI without learning their names. The raw remote URL, owner, and repository name are not included in the common event stream.
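As an added illustration (not Archgate's own code), this sketch derives an ID the way the page describes: SHA-256 of a normalized remote URL, truncated to 16 hex characters. The normalization rules, function names and sample remotes are assumptions; the page only says the URL is "normalized".

```typescript
import { createHash } from "node:crypto";

// Assumed normalization: rewrite scp-style "git@host:owner/repo" to "host/owner/repo",
// drop the scheme, any credentials, trailing slashes and a trailing ".git", then lowercase.
function normalizeRemote(remote: string): string {
  let s = remote.trim();
  const scp = /^[^@/\s]+@([^:/\s]+):(.+)$/.exec(s); // e.g. git@github.com:owner/repo.git
  if (scp) {
    s = `${scp[1]}/${scp[2]}`;
  } else {
    s = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ""); // scheme such as https:// or ssh://
    s = s.replace(/^[^/@]*@/, ""); // user[:password]@
  }
  return s.replace(/\/+$/, "").replace(/\.git$/i, "").toLowerCase();
}

// SHA-256 of the normalized URL, truncated to 16 hex characters (64 bits).
function repoId(remote: string): string {
  return createHash("sha256")
    .update(normalizeRemote(remote), "utf8")
    .digest("hex")
    .slice(0, 16);
}

// Constructed sample remotes, not real Archgate data.
const samples = [
  "git@github.com:example-org/example-repo.git",
  "https://github.com/example-org/example-repo",
  "https://user:token@github.com/Example-Org/example-repo.git/",
  "https://gitlab.com/example-org/other-repo.git",
];

// The first three spellings name the same repository and share one ID; the fourth differs.
const ids = samples.map(repoId);
console.log(ids);
```

The truncated hash cannot be inverted, but it is a stable pseudonym: anyone who knows a repository's URL and the normalization can recompute the same ID.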
On archgate init, a one-time project_initialized event is emitted. If — and only if — the repository is confirmed public on GitHub, GitLab, Bitbucket, or Azure DevOps (via an unauthenticated API probe against the host), that event additionally includes remote_url, repo_owner, and repo_name. This lets us see which public repositories are adopting Archgate without ever exposing private ones.
What’s never shared:
- Private repositories (API probe returns 404, 401, or private: true)
- Self-hosted Git hosts (the probe skips these entirely)
- Repositories where the probe times out, is rate-limited, or otherwise fails to return a definitive public answer
Don’t want the event at all? Disable telemetry entirely — the whole project_initialized event is then suppressed along with everything else:
```sh
# Per-shell / per-invocation
export ARCHGATE_TELEMETRY=0

# Or persistently
archgate telemetry disable
```
See How to opt out below for the full details.
Error tracking (Sentry)
When the CLI crashes (exit code 2), we send:
- Error type, message, and stack trace (file paths are stripped to relative paths like src/cli.ts)
- Runtime context: OS, architecture, Bun version, Archgate version
- Anonymous install ID (same random UUID as analytics)
What we do NOT collect
- No personal information: no usernames, emails, or IP addresses. GitHub / GitLab / Bitbucket owner/repository names are only sent on the one-time project_initialized event for repositories that are confirmed public by their host — see Repo identity. Private and self-hosted repos never have identity shared.
- No file content: no ADR content, source code, or file paths
- No prompt or AI context: nothing from agent interactions, prompts, or AI-generated content
- No flag values: we record that --json was used, not what the JSON output contained
- No network activity: no URLs, API keys, or tokens
IP anonymization
Archgate uses PostHog’s built-in IP anonymization:
- Your CLI sends an event to PostHog with $ip: null
- PostHog resolves your IP to a country and region (e.g., “US”, “California”) server-side
- The IP address is then discarded — it is never stored in PostHog
For Sentry error tracking, the project has “Prevent Storing of IP Addresses” enabled, so IPs are stripped before storage.
How to opt out
You can disable all telemetry (both analytics and error tracking) in two ways:
Environment variable
```sh
export ARCHGATE_TELEMETRY=0
```
Accepted values: 0, false, no, off (case-insensitive).
Add this to your shell profile (.bashrc, .zshrc, etc.) to disable permanently.
CLI command
```sh
archgate telemetry disable
```
To re-enable:
```sh
archgate telemetry enable
```
To check current status:
```sh
archgate telemetry status
```
The environment variable takes precedence over the CLI setting. If ARCHGATE_TELEMETRY=0 is set, telemetry is disabled regardless of the CLI config.
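The precedence rule above, as an added example that is not Archgate's own implementation. The StoredConfig shape, the function names and the CI job environments are hypothetical, and the handling of unrecognized values is an assumption; only the four accepted opt-out values and the environment-over-config precedence come from this page.

```typescript
// Values the page lists as disabling telemetry via ARCHGATE_TELEMETRY (case-insensitive).
const OPT_OUT_VALUES = new Set(["0", "false", "no", "off"]);

type Env = Record<string, string | undefined>;
type Decision = { enabled: boolean; source: "env" | "config" | "default" };

// Hypothetical shape of the stored preference; the real config schema is not shown on the page.
interface StoredConfig { telemetryEnabled?: boolean }

function resolveTelemetry(env: Env, config: StoredConfig): Decision {
  const raw = env.ARCHGATE_TELEMETRY;
  // The environment variable wins: an opt-out value disables telemetry whatever the config says.
  if (raw !== undefined && OPT_OUT_VALUES.has(raw.toLowerCase())) {
    return { enabled: false, source: "env" };
  }
  // Assumption: any other value (unset, "1", a typo) forces nothing; the stored preference decides.
  if (config.telemetryEnabled !== undefined) {
    return { enabled: config.telemetryEnabled, source: "config" };
  }
  // Opt-out model: with no recorded preference, telemetry is on.
  return { enabled: true, source: "default" };
}

// Constructed CI job environments, used to find jobs where the opt-out did not take effect.
const jobs: Record<string, Env> = {
  build: { ARCHGATE_TELEMETRY: "0" },
  lint: { ARCHGATE_TELEMETRY: "OFF" },
  release: { ARCHGATE_TELEMETRY: "disabled" }, // not one of the accepted values
  nightly: {},
};

// Names of jobs that would still send telemetry under the given stored config.
function jobsStillReporting(config: StoredConfig): string[] {
  return Object.entries(jobs)
    .filter(([, env]) => resolveTelemetry(env, config).enabled)
    .map(([name]) => name);
}

console.log(jobsStillReporting({})); // release and nightly are not opted out
```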
Legal basis
Archgate CLI telemetry operates on an opt-out basis under GDPR Article 6(1)(f) and LGPD Article 7, IX c/c Article 10 — legitimate interests of the controller. We have published a formal Legitimate Interest Assessment documenting why this is proportionate and lawful.
In summary: the data is anonymous (random UUID, no PII), the impact on users is minimal, robust safeguards are in place (IP anonymization, EU storage, limited retention, transparency), and users retain full control via an easy, permanent opt-out.
Where data is stored
| Service | Data | Region | Retention |
|---|---|---|---|
| PostHog Cloud | Anonymous usage analytics | EU (Frankfurt) | 1 year |
| Sentry Cloud | Crash reports | EU (Frankfurt) | 90 days |
| Local config | Telemetry preference + install ID | Your machine | Until you delete it |
Analytics events are routed through n.archgate.dev and error reports through s.archgate.dev. These are transparent reverse proxies operated by Dasolve AS on Cloudflare infrastructure — they forward requests without logging, storing, or inspecting payloads.
Your rights
- Right of access: Request a copy of all data associated with your install ID. Email privacy@archgate.dev with your install ID (found via archgate telemetry status or in ~/.archgate/config.json). Response within 30 days.
- Right to erasure: Request deletion of historical analytics and crash data. Disabling telemetry stops future collection but does not delete past events. Email privacy@archgate.dev with your install ID for deletion.
- Right to object: Disable telemetry at any time via archgate telemetry disable or ARCHGATE_TELEMETRY=0.
- Right to lodge a complaint: Contact the Norwegian Data Protection Authority (Datatilsynet) or, for Brazilian users, the ANPD (www.gov.br/anpd).
Data controller: Dasolve AS (Org.nr 936 035 019), Lillogata 5P, 0484 Oslo, Norway. Contact: privacy@archgate.dev.
Brazilian users (LGPD): For LGPD-specific rights (Art. 18), international transfer details (Art. 33), and ANPD contact information, see the Portuguese privacy policy.
Open source
The telemetry implementation is fully open source. You can inspect exactly what data is collected by reading:
- src/helpers/telemetry.ts — PostHog event tracking
- src/helpers/sentry.ts — Sentry error capture
- src/helpers/telemetry-config.ts — Config and opt-out logic