# Telemetry & privacy

> What fallow's opt-in telemetry collects and, more importantly, what it never collects. Off by default, no identifiers, inspect it before you consent.

Fallow telemetry is **opt-in** and **off by default**. It exists to improve agent, CI, JSON, MCP, and editor workflows, not to track individuals or codebases. For the commands and environment controls, see [`fallow telemetry`](/cli/telemetry).

To keep telemetry off everywhere, set `FALLOW_TELEMETRY_DISABLED=1` or `DO_NOT_TRACK=1`. See [Disabling everywhere](#disabling-everywhere).

## What is never collected

Fallow telemetry never includes:

* repository, organization, project, branch, or git remote names
* file paths, import specifiers, source snippets, or stack traces
* package, dependency, workspace, or framework package names
* raw command-line arguments
* config contents or config values
* environment variable names or values
* raw errors, logs, or serialized exceptions
* stable machine, user, project, or repository identifiers

Hashing these values is not used as a workaround.

## Inspect what is sent

Do not take the list on trust. You can print the exact payload any real command would send, without sending it:

```bash
FALLOW_TELEMETRY=inspect fallow audit --format json --quiet
```

The payload prints to stderr; your command's normal output is untouched.

## What is collected

When you enable telemetry, Fallow sends one small, high-level event per analysis run:

```json
{
  "schema_version": 1,
  "event": "workflow_completed",
  "fallow_version": "2.85.0",
  "workflow": "audit",
  "integration_surface": "mcp",
  "invocation_context": "agent",
  "agent_source": "codex",
  "output_format": "json",
  "quiet": true,
  "ci": false,
  "tty": false,
  "os": "linux",
  "arch": "x86_64",
  "duration_bucket_ms": "500-2000",
  "outcome": "issues_found",
  "exit_code_bucket": "1",
  "findings_present": true,
  "mcp_tool": "find_dupes",
  "parent_run": "tmp_8x7p4k"
}
```

`agent_source`, `findings_present`, `mcp_tool`, and `parent_run` are optional. `agent_source` appears only on agent-driven runs. `findings_present` is omitted by commands that run no analysis (and by older binaries). `mcp_tool` appears only when a run came through the MCP server. `parent_run` appears only when a run is explicitly correlated to a previous one. All are omitted otherwise.

| Field                          | Purpose                                                                                                                                                                                  |
| :----------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `workflow`                     | Prioritize the audit, dead-code, health, duplication, CI, runtime-coverage setup, impact, security, fix, and explain workflows.                                                          |
| `integration_surface`          | Understand whether Fallow is used through human CLI, CLI JSON, MCP, CI, editor, or as a library.                                                                                         |
| `invocation_context`           | Separate human, CI, editor, and agent-driven use without uploading detection evidence.                                                                                                   |
| `agent_source`                 | Improve compatibility with specific agent integrations using a documented allowlist.                                                                                                     |
| `output_format` / `quiet`      | Protect the output contracts that users and agents rely on most.                                                                                                                         |
| `duration_bucket_ms`           | Find slow workflow classes without collecting exact timings.                                                                                                                             |
| `outcome` / `exit_code_bucket` | Measure clean runs, findings, and failures without uploading raw error text.                                                                                                             |
| `findings_present`             | Whether the analysis surfaced any findings, decoupled from the exit-code gate (so informational analyses like default-config `dupes`, which never exits non-zero, are still measurable). |
| `mcp_tool`                     | Attribute MCP usage to a specific tool, from a fixed allowlist of tool names.                                                                                                            |
| `parent_run`                   | Link explicit agent follow-up runs using a short allowlisted token, never a path or free-form string.                                                                                    |

When Fallow runs through the MCP server, the server tags the CLI process it invokes so the single emitted event is attributed to the `mcp` surface and the specific tool, instead of looking like a plain `cli_json` run. No extra event is sent and the privacy posture is unchanged. The LSP server, editor extension, and library embeddings run in-process and currently emit no telemetry.

The `schema_version` field increments if the collected fields ever change, and this page is updated before any new field ships.

## Agent source

When telemetry is enabled and a run is classified as agent-driven, Fallow may emit one normalized `agent_source` value from a fixed allowlist:

```text
none codex claude_code cursor copilot opencode aider roo
windsurf gemini cline continue zed goose other_known unknown
```

`none` appears in the list because it is the internal default before a run is classified, but it is never sent: Fallow only sends `agent_source` for runs it identifies as agent-driven, and those are never `none`. Agents not on the list (for example enterprise IDE assistants) are grouped under `other_known`. Hyphen aliases such as `claude-code`, and CLI aliases such as `gemini_cli` and `antigravity` (both map to `gemini`), are normalized.

Fallow does not upload raw MCP client info, process names, parent process paths, editor or extension identifiers, environment variable names, model names, account or organization IDs, prompts, versions, or free-form vendor strings. Agent wrappers should set `FALLOW_AGENT_SOURCE=<allowlisted-value>`; ambiguous sources emit `unknown`. **Setting `FALLOW_AGENT_SOURCE` never enables telemetry by itself and uploads no codebase content.** When more than one agent environment is present at once, attribution is best-effort and can depend on check order; set `FALLOW_AGENT_SOURCE` to name the agent yourself.
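
A check you can run over a payload captured with `FALLOW_TELEMETRY=inspect`, comparing it with the fields and the `agent_source` allowlist documented above. This is an added example, not Fallow's own code: it assumes you have already isolated the printed JSON object from stderr, and `audit_payload`, the character heuristic, and the `repo_path` field are illustrative names.

```python
import json

# Fields in the schema_version 1 example on this page. The page marks only the
# OPTIONAL four as omittable, so the rest are assumed to be always present.
ALWAYS = {"schema_version", "event", "fallow_version", "workflow",
          "integration_surface", "invocation_context", "output_format",
          "quiet", "ci", "tty", "os", "arch", "duration_bucket_ms",
          "outcome", "exit_code_bucket"}
OPTIONAL = {"agent_source", "findings_present", "mcp_tool", "parent_run"}
# Documented allowlist minus "none", which the page says is never sent.
AGENT_SOURCES = set("codex claude_code cursor copilot opencode aider roo "
                    "windsurf gemini cline continue zed goose other_known "
                    "unknown".split())
# Heuristic (assumption): characters typical of paths, URLs, or free text.
SUSPICIOUS = set("/\\@: \t\n")


def audit_payload(raw: str) -> list[str]:
    """Return deviations from the documented schema; an empty list is clean."""
    event = json.loads(raw)
    if not isinstance(event, dict):
        return ["payload is not a JSON object"]
    problems = [f"undocumented field: {k}"
                for k in sorted(set(event) - ALWAYS - OPTIONAL)]
    problems += [f"missing field: {k}" for k in sorted(ALWAYS - set(event))]
    for key, value in event.items():
        if isinstance(value, (dict, list)):
            problems.append(f"nested value in {key}")
        elif isinstance(value, str) and (len(value) > 32 or SUSPICIOUS & set(value)):
            problems.append(f"free-form-looking value in {key}")
    if "agent_source" in event and str(event["agent_source"]) not in AGENT_SOURCES:
        problems.append("agent_source is not a sendable allowlist value")
    return problems

# Constructed samples: CLEAN copies this page's example event; LEAKY adds a
# hypothetical path field and the never-sent "none" value.
CLEAN = json.dumps({
    "schema_version": 1, "event": "workflow_completed",
    "fallow_version": "2.85.0", "workflow": "audit",
    "integration_surface": "mcp", "invocation_context": "agent",
    "agent_source": "codex", "output_format": "json", "quiet": True,
    "ci": False, "tty": False, "os": "linux", "arch": "x86_64",
    "duration_bucket_ms": "500-2000", "outcome": "issues_found",
    "exit_code_bucket": "1", "findings_present": True,
    "mcp_tool": "find_dupes", "parent_run": "tmp_8x7p4k"})
LEAKY = json.dumps({**json.loads(CLEAN), "repo_path": "/home/dev/app",
                    "agent_source": "none"})

print(audit_payload(LEAKY))
```

An empty list means the payload matches what this page documents for `schema_version` 1; rerun the check after upgrades, since the page says the version increments when fields change.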

## Transport and server privacy

* requests are HTTPS POST JSON to `https://api.fallow.cloud/v1/telemetry/events` (override the host with `FALLOW_API_URL`)
* no cookies are used and no authentication token is sent
* the upload runs on a background thread, so it does not slow down your command
* Fallow does not wait for the upload, so the fastest runs and runs on slow networks often drop their event; counts are a rough, biased sample, not an exact usage count
* network errors are ignored and never affect command output or exit code
* telemetry is never written to stdout
* server-side handling does not enrich telemetry with customer, repository, organization, git, package-registry, or license data
* IP addresses are dropped or truncated as early as practical
* raw events are retained only for a short window, then deleted

Public reporting uses only coarse aggregate trends after privacy review.

## Disabling everywhere

The `DO_NOT_TRACK` and `FALLOW_TELEMETRY_DISABLED` environment variables are top-precedence kill switches: when either is truthy, telemetry stays off and `fallow telemetry enable` is refused. Use `FALLOW_TELEMETRY_DISABLED=1` as the fleet-wide switch in managed and CI environments.
