What Multilo's telemetry sends
On first launch Multilo asks you to choose one of three options: Standard only (recommended), Standard + crash diagnostics, or No telemetry. This page documents exactly what each tier sends. If a category isn't documented here, the app doesn't collect it.
You can change your choice any time in Settings → Privacy, view the exact buffer that's about to be sent, or delete every row tied to your anonymous device id with one click.
What we NEVER send
- Document content, file names, project paths.
- AI prompts, AI completions, chat messages.
- Your email address or any account identifier.
- Your IP address (the server sees it via TCP but never logs it).
- Stack traces or crash dumps from your machine.
- Any free-text property the client could send by mistake — the server enforces an allow-list of property keys and drops anything else.
What we DO send (anonymous)
One anonymous identifier (deviceId): a random UUID generated on first use, persisted under your local userData directory. It is never linked to your account or any hardware identifier.
Device fingerprint (once, on changes)
| Field | Example |
|---|---|
| currentVersion | 2.0.53 |
| platform | windows / macos / linux |
| arch | x64 / arm64 |
| osLabel | Windows 11 / macOS 14 / Linux 6.5 |
| locale | en-US |
| screenWidth / screenHeight | 2560 / 1440 |
| installedVersion / installedAt | 2.0.50 / 2026-06-08 |
| totalSessions / totalSessionMs / totalActiveDays | 247 / 39,124,000 / 84 |
Daily counts
A single payload per day with how many times each named event happened. The dashboard charts these as feature-usage histograms.
Show the full event catalogue (~30 names)
- app.launched
- app.update.installed
- app.update.rollback
- session.started
- session.ended
- doc.opened
- doc.created
- doc.exported
- agent.run.started
- agent.run.succeeded
- agent.run.failed
- chat.message.sent
- inline.suggestion.accepted
- inline.suggestion.rejected
- ai.completion
- citation.searched
- citation.inserted
- update.nudge.shown
- update.nudge.accepted
- update.nudge.dismissed
- update.nudge.snoozed
- update.install.started
- update.install.succeeded
- update.install.failed
- update.hardwall.shown
- perf.startup
- perf.slow_ipc
- error.renderer.crashed
- error.main.uncaught
- error.update.failed
Tagged events (for funnels)
A short list of events also carry a small properties bag so the dashboard can answer questions like “did users on the BANNER surface accept more than users on the MODAL surface?”. The server enforces a strict allow-list of property keys; anything else is dropped before storage.
| Property | Example value |
|---|---|
| urgency | important / critical / mandatory |
| surface | banner / modal / hardwall |
| version / fromVersion / toVersion | 2.0.53 |
| modelId | gpt-5 / claude-opus-4-7 |
| costTier | cheap / balanced / flagship |
| latencyMs / tokensIn / tokensOut | numbers |
| success | true / false |
| p50 / p95 | numbers (performance percentiles) |
| reason | short string, max 64 chars (e.g. error message) |
Where it goes
- Sent over HTTPS to
https://www.multilo.comonly. - Stored in our Convex database for a maximum of 90 days for raw events, then automatically deleted. Aggregated daily snapshots (DAU/MAU, version distribution, etc.) are kept indefinitely for trends — these never contain per-device data.
- Per-device records (the fingerprint above) are kept for the lifetime of the device. When you toggle telemetry off, queued data is discarded on disk; we don't retroactively scrub the server. Reach out via the support form if you want a specific deviceId removed.
The two tiers
| Tier | Default | Includes |
|---|---|---|
| Standard | ON after consent | Everything in the “What we DO send” section above (device fingerprint, daily counts, tagged events with allow-listed properties). The main analytics surface. |
| Crash diagnostics | OFF unless opted in | Adds error messages and short reason strings to the error events we already fire. Sometimes includes file paths from your machine — that's why it's a separate opt-in. |
How to turn it off (or change tiers)
- Open Multilo on your desktop.
- Settings → Privacy.
- Toggle Anonymous usage telemetry and/or Crash diagnostics independently. Either off-state is instant — the in-memory queue is cleared and no further data leaves your machine until you turn it back on.
- From the same panel, you can also press View what was sent (transparency), Re-open consent prompt (rerun the first-launch dialog), or Delete my telemetry data (drops every row tied to your device id from Multilo's servers).
The toggle is also exposed via the desktop app's URI scheme: multilo://settings/privacy.
Last updated when v2.0.54 shipped. Any future additions to the allow-list above MUST update this page in the same release. If you spot a discrepancy, please tell us.