You locked down the cloud. Your Mac is still leaking.
Find credentials and customers' personal data hiding on your Mac and get alerted when new issues appear.
~/Projects/api/.env.backup
~/Downloads/deployment-key.pem
~/Documents/expenses-2024.csv
~/old-projects/config.json
On-device by default
Scan locally—your files never leave your Mac
Real-time monitoring
Stays on watch as files change
Made for cleanup
Trash, ignore, or schedule deletion—stay compliant
Sensitive data has a way of sticking around
Not because of bad intent. Because life moves fast.
The everyday accumulation
CSV exports with customer emails. Old .env files with API keys. SSH keys in Downloads. They pile up in the folders you use most—and forget to clean.
The compliance blind spot
GDPR risk often comes from accidental retention, not bad actors. A forgotten spreadsheet with dates of birth. A log file with credit card numbers. Easy to overlook. Hard to explain.
The supply-chain threat
Infostealer malware knows exactly where to look: Downloads, Desktop, repos. It scans for secrets the same way you would—except it does so in seconds.
The cleanup gap
You know you should review old files. But when? Sensitive data lives in your filesystem until you decide to look. OysterCatcher can keep watch and surface new issues as they appear.
What OysterCatcher finds
Two categories of sensitive data. One unified approach.
Secrets
Cloud Provider Keys
AWS access keys, GCP service accounts, Azure credentials, and other cloud infrastructure credentials.
Why it matters: A single leaked key can lead to compromised databases, unauthorized charges, or data exfiltration.
How we help: Identifies key patterns across config files and lets you revoke or rotate with confidence.
API & Service Tokens
GitHub, Stripe, Slack webhooks, NPM, PyPI, and tokens from 50+ popular services.
Why it matters: Compromised tokens enable unauthorized access, supply-chain attacks, and fraudulent transactions.
How we help: Detects token formats and validates patterns across environment files and scripts.
SSH Private Keys
RSA, ECDSA, and Ed25519 private keys used for server access.
Why it matters: SSH keys provide direct shell access. Unprotected keys are high-value targets.
How we help: Finds keys in any directory, not just ~/.ssh.
Database Credentials
PostgreSQL, MySQL, MongoDB, Redis connection strings with embedded passwords.
Why it matters: Connection strings often contain plaintext passwords with direct database access.
How we help: Parses URI formats and detects credentials in .env files and config backups.
Plus many more: Azure credentials, Twilio keys, SendGrid tokens, JWT secrets, API keys from 50+ services, and custom patterns you define.
Personal Information
Credit Card Numbers
Valid card numbers with Luhn checksum verification.
Why it matters: PCI DSS requires strict handling. Accidental retention creates compliance liability.
How we help: Validates format and checksum to reduce false positives.
Email Addresses
Email addresses found across text files, CSV exports, and logs.
Why it matters: Emails are personal data under GDPR/UK GDPR. Forgotten exports and logs can quietly expand your retention scope.
How we help: Detects common formats and highlights context so you can remove, redact, or schedule deletion.
Dates of Birth
Birthdates in common formats within CSV and text files.
Why it matters: Combined with names or emails, DOB enables identity theft and violates GDPR.
How we help: Context-aware detection that understands file structure.
Coming soon: Passport numbers, national ID numbers, and custom patterns. We are building detection for the data that matters most to you.
How it works
Three steps. Complete control. No complexity.
Monitor
Point OysterCatcher at your folders. It scans locally for secrets and PII—and can keep monitoring so changes get re-checked automatically.
Review
See what was found, organized by severity and type. Preview snippets are generated on-device for review and aren’t persisted in the database.
Clean up
Take action fast: ignore false positives, move files to Trash, or schedule deletion to reduce accidental retention over time.
Your choices, your control
Ignore safely
Mark false positives. They won't appear in future scans.
Move to Trash
Delete with confidence. macOS Trash gives you a safety net.
Remind me later
Not ready to decide? Set a reminder and revisit.
Your data stays yours
We built OysterCatcher to protect your privacy, not compromise it.
Scans run locally
All analysis happens on your Mac. Your files are never uploaded, streamed, or shared.
No cloud upload
OysterCatcher works completely offline. Internet access is never required.
Designed for data minimisation
Findings are tracked as lightweight metadata. Sensitive snippets are kept in memory for display and not persisted.
Optional online validation
For tokens that can be verified (like AWS keys), you can enable live validation. Off by default.
Supports GDPR principles
Helps you practice data minimisation by identifying personal data you may have forgotten.
Built to reduce risk
We do not collect your data. We help you find and manage it. That is the entire product.
Coming soon
OysterCatcher is in development. Join the waitlist to be notified when it is ready.