PERMISSIONS, IN PLAIN ENGLISH.
time.md asks macOS for access only when a feature needs it. This page explains what each permission enables, what it does not do, how to revoke it, and which small network calls are used for trial and license validation.
What time.md needs and why
macOS protects screen time files, browser history databases, global keyboard/mouse streams, and system website-blocking files. time.md does not bypass those protections; you choose which access to grant.
| Access | Required? | Enables | Does not enable |
|---|---|---|---|
| Full Disk Access | Recommended / needed for complete data | Reading protected local Screen Time and browser history files. | Uploading your files or controlling your Mac. |
| Accessibility | Optional | Global event access on macOS versions/features that require Accessibility for Input Tracking. | Input Tracking unless you enable it in time.md settings. |
| Input Monitoring | Optional | Keyboard and mouse event capture for the Input Tracking screen. | Capture while the feature is off or while time.md is not running. |
| Website blocking helper | Optional | System-wide website blocking through time.md-managed hosts and pf rules. | Reading browser pages, passwords, or arbitrary system files. |
| Network access | Needed for trial/license | Stripe trial setup, trial verification, license activation, and update checks. | Sending screen time, browser history, exports, or input data. |
If a permission sounds too broad, it is because macOS grants broad categories. time.md uses each permission for the specific local feature described here.
Full Disk Access
Plain English: Full Disk Access lets time.md read files macOS normally hides from apps. It is the permission that most often fixes empty Screen Time or Web History views.
What it enables
- Reading Apple's local Screen Time/CoreDuet files when available.
- Reading Safari history at ~/Library/Safari/History.db.
- Reading Chromium browser history under ~/Library/Application Support/....
- Reading Firefox profile history files such as places.sqlite.
How to grant it
- Open System Settings → Privacy & Security → Full Disk Access.
- Add /Applications/time.md.app.
- Turn the switch on.
- Quit and reopen time.md.
If you downloaded time.md twice, permissions may be attached to the wrong copy. Remove stale time.md entries, move the app to /Applications, add that copy, then restart.
Accessibility
Plain English: Accessibility lets an app observe or control certain global UI events. time.md does not need Accessibility for the normal dashboard. It is relevant to optional input/event features on macOS configurations that require it.
Input Tracking support
Some global event taps require Accessibility in addition to Input Monitoring. If Input Tracking is enabled but no events appear, grant Accessibility and restart time.md.
Dashboards do not need it
Overview, Review, Details, Calendar, Trends, Reports, Web History, exports, CLI, and MCP do not require Accessibility by themselves.
You can turn it off
Go to System Settings → Privacy & Security → Accessibility, disable time.md, and restart the app.
Input Monitoring
Plain English: Input Monitoring allows time.md to listen for keyboard and mouse events across apps. It is off by default and only used if you enable Settings → Input Tracking.
| Input level | Stored locally | Use case |
|---|---|---|
| Activity only | Timestamps/counts, no key codes, no characters. | Typing-intensity charts. |
| Per-key counts | Timestamps and virtual key codes, no characters. | Most-pressed-key analytics. |
| Full content | Actual typed characters when macOS does not redact them. | Top typed words. Treat the database like sensitive content. |
| Cursor heatmap / clicks / trail | Mouse positions, optional clicks, optional scroll events. | Cursor heatmaps and raw mouse-event queries. |
time.md excludes common password managers and respects macOS Secure Input when apps enable it, but not every password or private field activates Secure Input. Only enable Full Content if you understand that typed characters are stored in your local input-tracking.db.
- Input Tracking is off by default.
- The pause shortcut is ⌥⌘P, which pauses capture for 30 minutes.
- Raw event retention is configurable from 1 to 30 days.
- The Settings screen includes a delete action for all input data.
Optional website-blocking helper and admin password
Plain English: Website blocking needs access to system networking files. time.md asks for administrator approval once to install or upgrade a small helper, then the helper can apply time.md-managed domain blocks without asking for your password on every rule change.
What the helper changes
- Only the marked time.md block inside /etc/hosts.
- Only the time.md pf anchor under /etc/pf.anchors/.
- Only domains that are active in your time.md Blocking rules.
What it does not do
- It does not inspect page contents.
- It does not read browser passwords or cookies.
- It does not manage unrelated hosts or firewall configuration.
You can skip helper setup during onboarding and configure it later from the Blocking screen. App blocking does not use this helper; it observes frontmost-app changes and hides or notifies when a blocked app opens.
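A way to check the /etc/hosts claim above for yourself, as an added example that is not time.md's own code: it reports which sinkholed hostnames sit inside the marked block and which sit outside it. The marker strings are placeholders (this page does not give the helper's real marker text), and mapping blocked domains to a loopback or unspecified address is an assumption; the pf anchor is not covered.

```python
# Placeholder markers: the page says the helper edits only a "marked" block but
# does not show the marker text. Substitute the comment lines from your own file.
BEGIN_MARK = "# BEGIN time.md (placeholder)"
END_MARK = "# END time.md (placeholder)"
# Assumption: a hosts-file block points the domain at one of these addresses.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "broadcasthost"}

def audit_hosts(text, begin=BEGIN_MARK, end=END_MARK):
    """Sort sinkholed hostnames into those inside and outside the marked block."""
    inside, managed, stray, problems = False, [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == begin or line == end:
            # A begin while already inside, or an end while outside, is malformed.
            if (line == begin) == inside:
                problems.append(f"line {lineno}: unexpected marker {line!r}")
            inside = line == begin
            continue
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        if inside:
            managed.extend(names)
            if addr not in SINKHOLES:
                problems.append(f"line {lineno}: {addr} is not a sinkhole address")
        elif addr in SINKHOLES:
            # Sinkholed names outside the block were not put there by the helper.
            stray.extend(n for n in names if n not in LOCAL_NAMES)
    if inside:
        problems.append("begin marker never closed")
    return {"managed": managed, "stray": stray, "problems": problems}

# Constructed sample, not a real hosts file.
SAMPLE = """127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
# BEGIN time.md (placeholder)
0.0.0.0 news.example.com
0.0.0.0 www.news.example.com
# END time.md (placeholder)
0.0.0.0 video.example.net  # left over from another tool
"""

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts") as fh:
        print(audit_hosts(fh.read()))
```

An empty `managed` list after Turn off all blocks, with the site still unreachable, points at a `stray` entry or at something other than the hosts file.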
Trial, license, and Stripe network calls
time.md has no account system and no in-app analytics. Network calls are limited to entitlement and update workflows.
| Call | When it happens | Data sent |
|---|---|---|
| Stripe Checkout trial setup | You click Start 14-Day Free Trial. | A request for a Checkout URL. Stripe collects card details in the browser. |
| Trial checkout verification | Stripe returns through timemd://activate-trial. | Stripe Checkout session ID, then trial token verification fields. |
| Saved trial verification | On app launch or Verify Now while trialing. | Trial token, app version, random locally generated device ID. |
| Paid license activation | You paste a TMD-... activation key. | Activation key, app version, random locally generated device ID. |
| Sparkle update check | The updater checks for a new app version. | Update-check metadata only; not your activity database. |
Screen time sessions, browser visits, exports, input-tracking rows, category mappings, blocking rules, and local SQL query results are not sent to time.md entitlement servers.
How to revoke access
Revoke file access
System Settings → Privacy & Security → Full Disk Access → turn off or remove time.md. Restart the app afterward.
Stop input capture
Turn off Settings → Input Tracking first. Then remove time.md from Input Monitoring and Accessibility in System Settings.
Clear blocks
In Blocking, turn off individual rules or use Turn off all blocks. Run diagnostics or repair if a website remains blocked.
Reset entitlement
In Settings → License & Trial, use Reset to remove saved trial/license state from this Mac. The app locks until reactivated.
Delete databases
Quit time.md and remove ~/Library/Application Support/time.md/, or delete specific exports from your chosen export folder.
Disable agent access
Use Settings → CLI Access to uninstall timemd, and Settings → MCP Integration to unregister agents or turn the server off.
Privacy implications
The important distinction is local access versus network upload. Full Disk Access and Input Monitoring let time.md read sensitive local data if you enable features that need it. They do not mean that data leaves your Mac.
Safer defaults
- No app account.
- No telemetry service.
- No advertising SDK.
- Input Tracking off by default.
- Web history persistence opt-in.
Higher-sensitivity choices
- Granting Full Disk Access exposes more local files to the app process.
- Input Tracking Full Content stores typed characters locally.
- Auto-export writes readable files to the destination you choose.
- MCP/CLI can expose local results to tools you run.