ScroogeLLM
Privacy Policy
The short version. ScroogeLLM is built local-first. The extension and proxy run on your own machine and use your own LLM provider API keys — your prompts, code, and LLM history are not sent to Audit&Fix. This website collects only the email address you choose to give us through an early-access signup form.
1. Who we are
This policy is issued by Audit&Fix, a registered business name of a sole trader
(ABN 19 429 399 114) based in New South Wales, Australia ("we", "us"). We publish
the ScroogeLLM website (scroogellm.com), the ScroogeLLM Visual Studio Code
extension, and the local LLM proxy it installs.
- Business: Audit&Fix — a registered business name of a sole trader based in New South Wales, Australia.
- ABN: 19 429 399 114 (not registered for GST).
- Privacy contact: via our contact form (no public email address). Select a privacy / data-rights option where available.
2. Scope of this policy
This policy explains how personal information is handled across two very different surfaces:
- The website (scroogellm.com) — a marketing site that offers an "early access" email signup.
- The software — the ScroogeLLM VS Code extension and the local proxy it runs on your computer.
We treat your privacy in line with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Because the website is publicly accessible, we also describe how we approach the EU General Data Protection Regulation (GDPR) and UK GDPR for visitors in those regions (see Section 9).
3. The ScroogeLLM software — local-first by design
ScroogeLLM is a VS Code extension plus a local LLM proxy. The proxy binds to localhost on your own machine. It sits between your editor and the third-party LLM provider APIs you already use (for example Anthropic or OpenAI-compatible endpoints) and runs a local pipeline that may compress, anonymize, cache, route, log, and audit your requests before forwarding them.
What stays on your machine
- Your prompts, source code, and LLM request/response content.
- Your local cache, logs, and audit records produced by the proxy.
- Your LLM provider API keys (stored in your operating system's native keychain).
Where your requests go
When you use the proxy, your (optionally compressed/anonymized) requests are forwarded directly from your machine to the third-party LLM provider you have configured, using your own API key. That provider's own privacy terms govern what they do with the request. Audit&Fix is not in that path and does not receive your prompts or LLM history.
Status of the extension. The ScroogeLLM extension is in development and not yet released. The behaviour described above is its intended local-first design — it is not a statement about software that is currently shipping, and we make no definitive "collects nothing" claim about the unreleased extension. Before the extension is published, any telemetry, crash-report, update-check, or licence/activation behaviour will be verified against the actual build and documented in this policy with its purpose and legal basis. Until then, this policy governs the website (the early-access email signup) — and the website privacy commitments stated below are definite.
4. The website — what we collect
(a) Email addresses you give us
The website offers an early-access signup. When you sign up, we collect the email address you enter (and any other field you choose to complete). We use it to:
- notify you about ScroogeLLM availability, early access, and product updates; and
- send you occasional related announcements about the product you have expressed interest in.
Signup emails are processed and delivered using Amazon Web Services (AWS) Simple Email Service (SES), which acts as a sub-processor on our behalf (see Section 8).
(b) Server logs (Cloudflare)
The website is a static site hosted on Cloudflare Pages. As part of delivering and protecting the site, Cloudflare's infrastructure may log standard request metadata such as your IP address, user agent, and the resources requested, under its own retention periods. This processing occurs at the hosting/CDN layer. Cloudflare acts as a sub-processor (see Section 8). See Cloudflare's privacy policy and its data processing addendum for details.
(c) Cookies and analytics
The website uses zero analytics and zero non-essential cookies. We run no analytics scripts and set no tracking or advertising cookies. If this ever changes, we will update this section and add a cookie notice and consent mechanism (including for EU/UK visitors) before any such cookies or analytics are introduced.
5. Legal bases for processing
Under the APPs we collect personal information by lawful and fair means and only as needed. For EU/UK visitors, our legal bases are:
- Consent — for the early-access email signup (you opt in by submitting the form). You may withdraw consent at any time (see Section 7).
- Legitimate interests — for the security and reliable delivery of the website (e.g. Cloudflare request logs).
6. Retention
| Data | Retention |
|---|---|
| Early-access email address | Kept until you unsubscribe or request deletion via our contact form. |
| Cloudflare request logs | Retained by Cloudflare under its own retention periods (see Cloudflare's privacy policy); not separately stored by us. |
We keep personal information only as long as needed for the purpose it was collected, or as required by law.
7. Your rights and choices
Everyone: you can ask us to access, correct, or delete the email address you gave us, and you can unsubscribe at any time using the link in our emails or by contacting us through our contact form.
Australia (APPs): you may request access to and correction of your personal information, and complain about a breach of the APPs. If we cannot resolve your complaint, you may contact the Office of the Australian Information Commissioner (OAIC).
EU/UK (GDPR / UK GDPR): you have rights of access, rectification, erasure, restriction, objection, and data portability, and the right to lodge a complaint with your local supervisory authority.
We will respond to access, correction, deletion, and other data-rights requests within 30 days.
8. Sharing and sub-processors
We do not sell your personal information. We share it only with the following sub-processors and recipients:
- Cloudflare — static website hosting and delivery (Cloudflare Pages); may log request metadata/IP under its own retention. See Cloudflare's privacy policy and DPA.
- Amazon Web Services (AWS) — Simple Email Service (SES), used to process and deliver early-access signup emails.
- PayPal — payment processing, only if and when a paid tier launches (see Section 8a). PayPal would handle card/account data as the payment processor; Audit&Fix does not store card numbers.
- authorities, where required by law.
(8a) Payments
ScroogeLLM has no paid tier yet. When a paid tier launches, payments will be processed by PayPal, which will act as the payment processor and handle card and account data; Audit&Fix does not store card numbers. Pricing, billing, and refund terms will be published before any paid tier becomes available.
Note: the LLM providers you configure in the software receive your requests directly from your machine under your own account — that is not a disclosure by Audit&Fix, because we never hold that data.
9. International data transfers
Our website and service providers may process data outside Australia (and outside the EU/UK), including in the United States. Where we transfer personal information overseas we take reasonable steps to ensure it is handled consistently with this policy and applicable law. In particular, the international transfer of early-access signup emails to AWS relies on the Standard Contractual Clauses incorporated into AWS's data processing terms; transfers via Cloudflare are likewise governed by Cloudflare's data processing addendum.
10. Security
We take reasonable technical and organisational measures to protect the personal information we hold, including access controls and encryption of data in transit. The software's local-first design also means most sensitive data (prompts, code, keys) never leaves your machine and is not in our custody.
11. Children
The Service is not directed at children. You must be at least 18 years old to use the Service or to submit personal information (including the early-access signup) to us. We do not knowingly collect personal information from anyone under 18.
12. Changes to this policy
We may update this policy from time to time. We will post the updated version here and change the effective date. Material changes will be notified on the website, and to early-access subscribers by email where applicable.
13. Contact us
Privacy questions or data-rights requests: use our contact form. We do not publish a contact email address.
Audit&Fix, a registered business name of a sole trader (ABN 19 429 399 114) based in New South Wales, Australia. Not registered for GST.