Plain language. The shortest privacy policy we could write that still tells you everything that matters. Last updated 2026-05-29.
ConductorScore reads your Claude Code transcripts on your own machine and uploads only counts, hashes, and categorical labels (tool names, MCP server/tool names, plugin command names, model IDs, slash-command names, plan-signal names). Your prompts, code, file contents, file paths, and tool arguments never leave your machine. Everything else on this page is the long version of that sentence.
For each Claude Code session in your last 30 days, the client emits a structured record. Every field is either a number, a 16-character SHA-256 hash prefix, a boolean, or a categorical label:
uuid4, not derived from your hostname, username, or MAC address), the client and wire-schema versions, the 30-day window length, and the timestamp the scan ran. This is the small device block on every upload; it carries no personal data
CLAUDE.md files (the file contents are not sent)
Bash, Edit), MCP server and tool names in plaintext (e.g. mcp__github__create_issue), plugin command names in plaintext (e.g. my-plugin:deploy), Anthropic model IDs (e.g. claude-opus-4-7), slash-command names from your user messages (e.g. /plan), and plan-signal names (e.g. EnterPlanMode, TodoWrite>=3). These are identifiers you (or your tooling) configured — we collect the names only, never their arguments, inputs, or outputs
The exact wire format is in our public client repo as a versioned schema document: WIRE_FORMAT.md. You can also inspect the live schema, field-by-field, at /inspector.
This is guarded by a privacy-invariant integration test that runs in CI on every push and pull request. It feeds synthetic transcripts seeded with planted secrets in every place content could leak — user prompts, file paths, tool inputs, slash-command arguments, assistant text, and inline Bash environment variables — through the real scanner, then fails the build if any planted secret appears in the upload payload. The client itself is open source, so anyone can audit what gets read locally and what gets emitted. Someone already did: Claude independently audited the client against this policy, traced every network egress path, and ran its own leak probe — confirming only counts, hashes, booleans, and categorical labels cross the wire.
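The shape of such a planted-secret test, as an added example that is not ConductorScore's own code: the transcript event shape, the `scan_session` function, and the payload field names are assumptions made for illustration, and the canary values are constructed.

```python
import hashlib
import json

# Constructed canary tokens, one per place content could leak.
CANARIES = {
    "prompt": "CANARY-PROMPT-7f3a",
    "path": "CANARY-PATH-19bc",
    "tool_input": "CANARY-INPUT-c2d4",
    "slash_arg": "CANARY-SLASH-88e1",
    "assistant": "CANARY-ASSIST-4b60",
    "bash_env": "CANARY-ENV-d91f",
}
C = CANARIES

# Constructed synthetic transcript; this event shape is an assumption.
TRANSCRIPT = [
    {"type": "user", "text": f"/plan {C['slash_arg']}"},
    {"type": "user", "text": f"fix the bug, key is {C['prompt']}"},
    {"type": "assistant", "model": "claude-opus-4-7", "text": C["assistant"]},
    {"type": "tool_use", "name": "Edit",
     "input": {"file_path": f"/home/dev/{C['path']}/app.py", "new": C["tool_input"]}},
    {"type": "tool_use", "name": "Bash",
     "input": {"command": f"API_KEY={C['bash_env']} make deploy"}},
]

def scan_session(session_id, events):
    """Hypothetical scanner: emits counts, a hash prefix and labels only."""
    tools, models, slash = {}, set(), set()
    for ev in events:
        if ev["type"] == "tool_use":
            tools[ev["name"]] = tools.get(ev["name"], 0) + 1  # name, never input
        elif ev["type"] == "assistant":
            models.add(ev["model"])
        elif ev["type"] == "user" and ev["text"].startswith("/"):
            slash.add(ev["text"].split()[0])  # command name, arguments dropped
    return {
        "session": hashlib.sha256(session_id.encode()).hexdigest()[:16],
        "user_messages": sum(ev["type"] == "user" for ev in events),
        "tool_counts": tools,
        "models": sorted(models),
        "slash_commands": sorted(slash),
    }

def leaked_canaries(payload):
    """Names of the canaries whose token appears in the serialized upload."""
    wire = json.dumps(payload)
    return sorted(name for name, token in CANARIES.items() if token in wire)

if __name__ == "__main__":
    leaks = leaked_canaries(scan_session("synthetic-session-1", TRANSCRIPT))
    raise SystemExit(f"leak: {leaks}" if leaks else 0)
```

Run as a script in CI, a non-empty leak list exits non-zero and fails the build; searching the serialized payload rather than individual fields catches a leak in any field, including ones added later.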
The data is used for exactly one thing: to compute your ConductorScore — a 0–100 composite across five anchored components (Leverage, Craft, Customization, Output, Efficiency). Each sub-metric maps your raw numbers to points using documented thresholds, not a peer ranking. We don't sell it. We don't share it. We don't train models on it. We don't enrich it with third-party data.
read:user scope, uses the token to prove who you are, and never transmits any other GitHub credential (for example, a local gh CLI token) or ingests repository contents.
Encrypted in transit (TLS) and at rest. We don't use third-party analytics, ad networks, or session-replay tools. No Google Analytics, no Mixpanel, no Hotjar.
We keep your computed scores for as long as your account exists. That's deliberate: your ConductorScore is a longitudinal signal, and keeping the full score history is what lets you see your trajectory over months and years and compare against your past self.
Your underlying session records are a 30-day rolling window — each upload overwrites the prior one, so what we hold at any moment is bounded to your recent activity. We never silently expire your account. When you're ready to be done, email us (see “Your rights” below) and everything goes.
Questions about privacy, security disclosures, or data requests: hello@conductorscore.com. We aim to respond within 3 business days.
ConductorScore is operated by Flatiron Consulting, a New Jersey limited liability company.