Telemetry

Last updated: May 18, 2026

Overview

When you run npx nark, the scanner sends two kinds of data over the network:

  • Usage telemetry — anonymous scan results that help us improve our Profile library.
  • Crash reports — unexpected errors so we can fix bugs that affect real users.

Both can be turned off with a single environment variable. Source code never leaves your machine — Nark's analysis happens locally; we only receive results.

Usage Telemetry

Each scan sends:

  • Which packages were scanned and their installed versions
  • Violation counts per package (used to reduce false positives in Profiles)
  • Packages without Profiles, ranked by usage (used to prioritize which Profiles to build next)
  • An anonymous device ID and a SHA-256 hash of your git remote URL — never the URL itself
  • Scan duration, Node version, OS, and architecture

Run nark telemetry status to see exactly what your machine would send.

We do not send: source code, file paths, function names, variable names, environment variables, or your git remote URL.

Crash Reports (Sentry)

Unexpected errors are sent to Sentry so we can find and fix bugs that show up only on real user machines. Before any event leaves your machine, the Nark SDK scrubs PII:

  • Your home directory is replaced with ~ in every file path
  • OS, runtime, and hostname fields are removed
  • User context, IP address, and request bodies are never collected
  • Stack frame file paths are scrubbed before transmission

We sample 25% of error events to keep volume reasonable. Performance traces are disabled. The data is hosted on Sentry's US infrastructure and retained for 30 days.
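
The scrubbing rules listed above, sketched as a Sentry-style beforeSend function. This is an added example, not Nark's own code: the field names follow Sentry's event payload, and scrubEvent, replaceHome, homePattern and the sample event are constructed for illustration.

```javascript
// Added illustration, not Nark's source code. Field names follow Sentry's event payload.

// Match the home directory only as a whole path prefix ("/home/alice", not "/home/alice2").
function homePattern(home) {
  const escaped = home.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(escaped + "(?![\\w.-])", "g");
}

// Deep-copy a value, replacing the home directory with "~" in every string.
function replaceHome(value, pattern) {
  if (typeof value === "string") return value.replace(pattern, "~");
  if (Array.isArray(value)) return value.map((v) => replaceHome(v, pattern));
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, replaceHome(v, pattern)])
    );
  }
  return value;
}

// Shaped like a Sentry beforeSend hook: returns a scrubbed copy of the event.
function scrubEvent(event, home = process.env.HOME || process.env.USERPROFILE || "") {
  const out = home ? replaceHome(event, homePattern(home)) : structuredClone(event);
  delete out.server_name; // hostname
  delete out.user;        // user context, including ip_address
  delete out.request;     // request data and bodies
  if (out.contexts) {
    delete out.contexts.os;
    delete out.contexts.runtime;
  }
  return out;
}

// Constructed sample event for demonstration.
const sampleEvent = {
  message: "ENOENT: open '/home/alice/work/app/package.json'",
  server_name: "alice-laptop",
  user: { ip_address: "203.0.113.7" },
  request: { data: '{"token":"example"}' },
  contexts: { os: { name: "Linux" }, runtime: { name: "node" }, app: { sibling: "/home/alice2/x" } },
  exception: { values: [{ type: "Error", stacktrace: { frames: [
    { filename: "/home/alice/work/app/node_modules/nark/dist/scan.js", lineno: 42 },
  ] } }] },
};

console.log(JSON.stringify(scrubEvent(sampleEvent, "/home/alice"), null, 2));
```

Error messages can embed paths as well as stack frames, which is why the replacement walks every string in the event rather than only the frame filenames.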

How to Opt Out

Several flags, in increasing scope:

Disable crash reports only:

export NARK_SENTRY=off

Disable usage telemetry only:

nark telemetry off
# or, per-command:
export NARK_TELEMETRY=off

Disable both (recommended industry standard):

export DO_NOT_TRACK=1

Settings persist in ~/.nark/telemetry.json when set via nark telemetry off. Environment variables override the config file every time.

Where the Data Goes

  • Usage telemetry: POSTed to app.nark.sh/api/telemetry/scan. Stored in our Postgres database.
  • Crash reports: Sent to Sentry (US region). 30-day retention.

We do not sell telemetry data. We do not share individual scan results. Aggregate statistics (e.g. “axios is in 60% of scanned repos”) may appear in our public content.

Self-Hosting

If you want full control, point telemetry at your own endpoint with NARK_API_URL, or disable both data streams with DO_NOT_TRACK=1. Nark is open source (AGPL-3.0) — you can audit every byte the CLI sends.

Questions

Privacy questions: see our Privacy Policy. Anything else: hello@nark.sh.