Privacy Policy

Last updated: May 25, 2026

Reach ("the App") — comprising Reach Remote and Reach Host — is developed by Minjae Cho ("we", "us"). This policy explains how the App handles your data.

Data We Collect

Reach has no backend account system, no telemetry, and no analytics. We do not run any backend account system, analytics service, advertising system, or tracking service. Reach-operated rendezvous infrastructure may process temporary connection metadata, such as attempt identifiers and network endpoints, only to establish or secure a session. However, when you opt into CloudKit-based pairing, a small set of pairing metadata is stored in Apple's iCloud (see "CloudKit pairing metadata" below). We treat this as data that leaves your device, even though Apple operates the storage.

The App operates as a peer-to-peer remote desktop. Video, audio, and input data flows directly between Reach Remote and Reach Host over an authenticated, encrypted connection and never touches Reach-operated infrastructure.

CloudKit pairing metadata

When you choose to pair using CloudKit (so the viewer can find your host on the public internet without typing a 6-digit code each time), the host publishes a small CKRecord into the public CloudKit database of your Reach iCloud container. The record is keyed by your 6-digit pairing code, so it is not user-discoverable without that code, but the database scope itself is public — not your private container.

The record contains:

• Your host name (the device name macOS uses on the network)
• The host's TLS certificate fingerprint
• The host's external IP and port, when configured
• Direct connection candidates (LAN/WAN endpoints used to set up QUIC)
• Your iCloud user record name (a stable identifier inside the Reach iCloud container, used so the viewer can recognize hosts that belong to your Apple ID)

This data is used only to set up a connection between your devices. It is not used for advertising, profiling, or analytics, and it is never shared with parties other than Apple's CloudKit infrastructure.

Network Communication

• LAN (Local Network): Reach Remote discovers Reach Host via Bonjour/mDNS on the local network. Video, audio, and input are transmitted over a direct QUIC connection (TLS 1.3 with certificate pinning). No data leaves your network.
• Direct over the internet: Connects to the host over the public internet by QUIC using a direct IP and port you configured on the host (or auto-discovered via CloudKit pairing metadata above). The QUIC session itself is end-to-end encrypted with TLS 1.3 and protected by certificate pinning established during pairing. Some routers require UDP port forwarding for this path to work.
• Discover (auto-discovered direct): When you select "Discover" in the viewer, Reach asks a public discovery server (in networking terms, a "STUN" server) for your device's public IP and port so it can try to open a direct QUIC connection to the host without manual router setup. Your IP is briefly exposed to the discovery server during this lookup; no video, audio, or input ever passes through it. The connection itself is still direct between Reach Remote and Reach Host, end-to-end encrypted exactly like the LAN and Direct paths.
• Relay fallback (optional, you operate it): If a direct path cannot be opened (some mobile networks, CGNAT, restrictive firewalls), Reach can route the session through a relay server you operate yourself using your own Cloudflare account credentials (in networking terms, a "TURN" relay). Video, audio, and input remain end-to-end encrypted with TLS 1.3 over QUIC while passing through the relay — Cloudflare carries the bytes but cannot read them. We do not run any relay infrastructure. This path is off by default and only activates after you enter your own credentials in Reach Host.

Camera Access (iPad)

Reach Remote requests camera access only for QR-code scanning during first-time pairing (to fill in the pairing code). QR-code processing is done locally by iOS Vision frameworks. The camera feed is never recorded, stored, or transmitted.

Local Network Access (iPad)

Reach Remote uses local network access to discover hosts running Reach Host via Bonjour/mDNS. Required for LAN connectivity. Without it, only a manually configured direct WAN path can work.

Screen Recording & System Audio (Reach Host only)

Reach Host requests macOS Screen Recording permission to capture the selected display for streaming to your paired viewer. Optionally, it requests Microphone permission, which macOS uses to gate system audio capture on macOS 14+ via ScreenCaptureKit — no microphone input is actually recorded. Capture happens locally and is transmitted only to authenticated viewers.

Cursor Position Sharing

To power the cursor-handle UI in the viewer's Direct Touch mode, Reach Host can send the position of your Mac's cursor (a normalized coordinate, the display it belongs to, and a timestamp) to the connected, authenticated viewer. The data is end-to-end encrypted over the same QUIC session as video and input; only the paired viewer can read it. It is never logged, stored, or sent to any third party.

This feature is on by default. You can turn it off any time in Reach Host → Advanced → Cursor Telemetry → "Share cursor position with viewer". When turned off, the host stops sending cursor position and explicitly tells supported viewers to clear any cursor handle that may be on screen.

App Updates (Reach Host only)

Reach Host checks for new versions on launch and periodically while running, using the Sparkle update framework. Update checks make a standard HTTPS request to our update feed; your IP address and a User-Agent header are visible to that endpoint as with any HTTPS request, but no Reach account, telemetry, or identifying payload is sent. The viewer (Reach Remote) updates through the App Store and is governed by Apple's standard App Store policies.

Analytics & Tracking

The App does not include any analytics, tracking, advertising identifiers (IDFA), fingerprinting, cookies, or third-party SDKs that profile you. We do not use Crashlytics, Sentry, Google Analytics, or similar services.

Data Storage (on your devices only)

Reach stores the following locally on your devices:

• Connection preferences — selected display, resolution, codec, FPS, bitrate, scroll direction toggles, cursor telemetry on/off
• Trusted pairing records — cryptographic fingerprints of hosts you have paired with, and viewers your host has paired with (TOFU: trust-on-first-pair)
• Relay credentials, if you choose to enter them — stored in macOS Keychain, never sent to Reach
• Optional diagnostic logs — kept temporarily for troubleshooting, never uploaded

All local data is removed when you uninstall the respective app.

Third-Party Services

Reach does not share data with any third-party services for advertising, analytics, or profiling. The third-party services touched by Reach are limited and scoped:

• Apple CloudKit — pairing metadata only (see above).
• Discovery (STUN) server — public IP/port lookup only when you select the Discover route; no session content.
• Cloudflare (Relay), if you set it up — relays encrypted session bytes when you enable the optional fallback. Your own account, your own credentials, your own choice.
• Apple App Store — distribution channel for Reach Remote; subject to Apple's standard App Store policies.

Reach-operated infrastructure does not collect, store, or relay screen, audio, or input session content.

Children's Privacy

Reach is not directed at children under 13 and does not knowingly collect data from children. Pairing metadata is used only for connection setup and is not used for advertising, profiling, or tracking.

Security

Direct path: All traffic between Reach Remote and Reach Host on the direct LAN or WAN path is end-to-end encrypted with TLS 1.3 over QUIC and protected by certificate pinning established during pairing. A viewer can only connect to a host whose certificate fingerprint it has previously trusted (or which has been explicitly re-paired). We cannot decrypt this traffic.

Last updated: the date at the top of this page reflects the most recent change to this policy. We will update it whenever the trust model or data flow changes.

Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date at the top.

Contact

If you have questions about this privacy policy, contact: [email protected].