Privacy
Last updated: 24 May 2026.
SuperDeDuper is open-source software you run locally on your own computer. By default it does not connect to the internet at all. The only data that ever leaves your machine is data you affirmatively opt in to send through the Leaderboard feature, described below in detail.
We publish the exact wire schema for every leaderboard submission at
api.superdeduper.io/api/v1/submit/schema.json. If
anything on this page conflicts with that schema, the schema wins —
file an issue and we'll fix the page.
The desktop app
The Windows app does not collect or transmit telemetry, analytics, or crash reports. Scan results, file paths, and any data about the files on your drive stay on your machine. We have no way to see what you scanned. Background checks for app updates are the only network traffic from a default install.
The leaderboard (opt-in only)
Opt-in is explicit: the first time you submit a scan, the app shows you the exact JSON document it's about to send, every field labeled. You can disable per-field sharing for sensitive items (GPU model, OS build) or opt out entirely. You can change your mind later from Settings → Privacy.
What's transmitted on every submission
- install_id — a random UUID generated on first opt-in and persisted in your user-config folder. Anonymous unless you later sign in to claim it.
- install_key — a random 256-bit key, transmitted once on first registration over HTTPS, after which it lives only on your machine and never traverses the network again. Used to cryptographically sign every subsequent submission so it can't be tampered with in transit.
- Hardware fields — CPU model string (e.g. "AMD Ryzen 9 9950X3D"), core and thread counts, ISA flag list, RAM bucket (rounded to nearest 4 / 8 / 16 / 32 / 64 / 128 / 256 / 512 / 1024 GB), drive class (NVMe-Gen3/4/5, SATA-SSD, HDD, network, mixed), filesystem, NTFS cluster size, volume size bucket. Optionally: GPU model and OS version + edition.
- Run shape — scan wall-clock seconds, total bytes scanned, total files scanned, hash algorithm name, walker variant, scan scope (whole-volume / subdirectory / selection / canonical bench), a feature-usage bitmap (which sd features your scan exercised), and a cache-hit-ratio number.
- Result summary — number of duplicate groups found, total reclaimable bytes, largest single duplicate group's size, a summary of actions you took (hardlink replaced, deleted to Recycle, left alone), and OneDrive placeholder skip counters (for the "Safety" achievement family).
- easter_egg_hits — if you opt in to playful client-evaluated achievements (e.g. "Recursive" for scanning a folder containing sd's own source code), the app sends a short list of the achievement IDs it locally detected as triggered. Just IDs; never the underlying path or filename data that triggered them.
- schema_version, client_version, timestamp — so we can correlate behavior with engine versions and reject replayed submissions.
- Cryptographic signature — an HMAC-SHA256 hash of the submission body, computed locally using your install_key. Lets the server reject submissions that were tampered with on the wire.
What we never transmit
- File paths, file names, directory names, or drive letters.
- File contents, or any hash of file contents that could be reversed via rainbow tables to identify a known file.
- Your computer hostname, Windows user account name, machine SID, or any other personally-identifying machine fingerprint beyond what's in the bucketed hardware fields above.
- The actual numeric value of your RAM size or volume size — only the bucket they fall into.
- Your IP address beyond what's needed at the load balancer to serve the request. Server-side access logs are purged after 14 days.
Sign-in identity (optional)
If you sign in with Google or Discord, we receive your provider's stable user ID, your verified email address (Google) or handle (Discord), and basic profile info (display name, profile picture) at the moment you sign in. We store only the stable user ID and a display name you choose; we do not retain your email after the verification step. You can sign out from the app's Settings panel and revoke our app's access at any time via your Google account settings (or Discord's app authorizations panel).
Pre-sign-in scans you've already submitted stay attached to your install_id, anonymously. Signing in links that install_id to your account so the achievements you've earned surface on a public profile. Signing in does not retroactively attach a real name to past anonymous submissions to anyone but you.
How we keep individuals from being identified
- Bucketed hardware — RAM and volume sizes are snapped to powers-of-two-ish buckets so a "32 GB RAM" submission is indistinguishable from any other in the same bucket.
- K-anonymity on public rows — any public leaderboard row is only shown if its hardware bracket (CPU class × storage class × filesystem) has at least 5 distinct active install_ids in the trailing 30 days. Rare-hardware users see their own rank, but it's omitted from the public leaderboard until enough peers join the bracket.
- Submission rate limits — capped at 12 per hour and 200 per day per install_id, so submission cadence can't be used as a fingerprint.
- No third-party trackers — no Google Analytics, no Facebook Pixel, no advertising scripts, no fingerprinting libraries. The leaderboard site is plain static HTML served from Cloudflare's edge.
- DNT respected — if your browser sends Do Not Track on a request to the API, the request is processed but no IP, user-agent, or referrer is recorded server-side beyond the load-balancer access log (which is purged at 14 days regardless).
Deleting your data
Send a deletion request to the contact email below. Include either
your install_id (if you can find it in
%LOCALAPPDATA%\superdeduper\install.json) or your
signed-in account email. We delete:
- The install row (install_id, install_key, registration info).
- Every submission attached to that install_id.
- Every achievement grant attached to that install_id.
- If you have an account: the account row and the install↔account link.
Deletion is irreversible. We'll confirm by email within 7 days. Once G3 ships, a self-service "Delete my account" button appears in the app's Settings panel; until then it's by email.
Where your data lives
Submissions and account records are stored in AWS DynamoDB in the
us-west-2 (Oregon, USA) region. Static frontend assets
are served by Cloudflare Pages from edge locations worldwide.
Cloudflare's WAF + rate-limit rulesets sit in front of the API
origin. Cloudflare and AWS each have their own privacy policies
that govern the network and storage layers they operate.
Open dataset (eventually)
We intend to publish periodic anonymized aggregates of the leaderboard dataset — hardware distribution across the sd user base, feature adoption rates, throughput-by-hardware-class curves — so independent researchers and security folks can audit how the system behaves and what trends are emerging. These aggregates have K-anonymity and differential-privacy noise applied to small buckets so individual users can't be recovered from them. Publication starts after the dataset has enough volume to be meaningful (target: first quarterly report when we have ≥1000 active installs).
Contact
Questions, deletion requests, or privacy concerns: mickfixesjunk@gmail.com. Security-sensitive reports: prefer signed email; key is on request.
Changes
The "Last updated" date at the top of this page changes whenever we revise the policy. Material changes (anything that expands what we collect, retain, or share) are announced in the app's release notes one release ahead of the change taking effect, giving you time to opt out before the new behavior turns on.