Skip to content

Telemetry & Privacy

Velauth sends a small number of anonymous events to help understand which features are used and where improvements matter most. No Active Directory content, no usernames, and no machine-identifiable information is ever included.

Sending can be turned off at any time — see Opting out.

Every event is tagged with an anonymous installation ID constructed as follows:

  1. A random ID is generated the first time Velauth runs and stored in %AppData%\Velauth\telemetry-id.txt.
  2. That ID and the Windows machine GUID (from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid) are combined and hashed with SHA-256.
  3. The result (anon-<64 hex characters>) is used as the event identifier.

The hash cannot be reversed. It does not contain your username, machine name, domain, or any other identifiable information. Deleting telemetry-id.txt resets it permanently.

Every event includes these envelope fields:

FieldValueNotes
distinct_idanon-<64 hex chars>Anonymous installation hash
timestampUTC ISO-8601When the event occurred
$libvelauthIdentifies the sending app
$lib_versione.g. 1.8.0App version string

Fired once each time the application finishes starting up. No additional fields.

Fired once per installation when the setup wizard is finished.

FieldValue
first_use_at_utcUTC timestamp of wizard completion

Fired when an unhandled fatal error is caught, immediately before the crash report window appears.

FieldValue
sourceWhich crash handler caught the error (dispatcher, thread, or domain)
stageThe last recorded startup stage at time of crash

No exception message, stack trace, or user data is included here. A separate crash report (with a sanitised stack trace) is sent to Sentry — see Crash reports.

Fired each time the user list is loaded or refreshed. Only the count of accounts returned is sent — no names, OUs, or attributes.

Fired each time a page is opened. Contains only the page name (e.g. Users, Audit, Settings).

Fired when the safety lock is turned on or off. Contains engaged: true/false.

Fired when an operation is successfully applied. Only the count of accounts affected is sent — never account names, OUs, or any attribute.

EventOperation
users.unlockAccount unlocked
users.enableAccount enabled
users.disableAccount disabled
users.reset_passwordPassword reset
users.force_reset_at_logon”Must change password at next logon” set
users.password_never_expiresPassword-never-expires enabled
users.password_expiresPassword expiry re-enabled

The first time each operation type is used per installation, an additional first_use_at_utc timestamp is also sent.

  • Usernames, SAMAccountNames, display names, or email addresses
  • Distinguished names or OU paths
  • Domain names or hostnames
  • Any password or credential
  • Any Active Directory attribute value
  • Audit log entries or report content
  • IP addresses

When a fatal error occurs, Velauth sends a crash report to Sentry (separately from PostHog). Before transmission, the report is scrubbed of:

  • Usernames and account names
  • Hostnames and Distinguished Names

The scrubbed stack trace and exception type are sent so the crash can be located and fixed. No AD data is included.

DataProcessorPrivacy policy
Usage eventsPostHog Cloud (https://app.posthog.com/capture/)posthog.com/privacy
Crash reportsSentry (https://sentry.io)sentry.io/privacy

Velauth does not operate any analytics infrastructure itself.

During setup: uncheck “Help improve Velauth by sending anonymous usage data” on the final step of the setup wizard. This prevents even the first app.launched event from being sent.

After setup: open Settings → Privacy and set “Share usage data” to Off. The change takes effect immediately.

The preference is stored in %AppData%\Velauth\preferences.json and persists across sessions and updates.