Git GUI telemetry compared: who's tracking you in 2026
Most desktop applications collect usage data. Git GUIs are no exception. This article compares the telemetry behavior of four popular Git clients — GitKraken, Fork, SourceTree, and GitSquid — based on observable network traffic. The numbers are from a 24-hour packet capture session on each app, with the same repository open and minimal user interaction.
Disclosure: this article is published on the GitSquid website. The methodology is described in detail so you can reproduce the numbers yourself.
Why this matters
"Telemetry" is a soft word for "your application sends data to its vendor without you actively asking it to". Often the data is genuinely benign: an anonymous usage counter, a crash report, a feature-flag check. Sometimes it is more: which buttons you click, which repositories you have open, which features you tried.
For most users this is a non-issue. For three categories of users, it is a hard constraint:
- Regulated industries. Healthcare, finance, defense, government. IT review processes routinely block any tool that phones home with identifiable data.
- NDA / proprietary work. If your repository names or branch names embed customer or product information, leaking those via telemetry is a real concern.
- Privacy-conscious developers. Some people simply do not want their workflow telemetry collected, regardless of how anonymized it claims to be.
Methodology
For each app:
- Fresh install on a Mac (M2, macOS 15) with no prior history.
- Configured with one local repository (the GitSquid source repo, a synthetic clone with no remote).
- Opened the repository in the app, then left the app focused but idle for 24 hours.
- Captured network traffic with mitmproxy in transparent mode, certificate trusted at the system level.
- Counted requests by destination domain. Excluded auto-update checks (we count them separately).
The repository had no remote configured, so any outbound traffic during the 24-hour window was either telemetry, license validation, or the auto-update check. Distinguishing the three is straightforward: license validation hits a single license server endpoint once; auto-updater hits a known release manifest URL once or twice; everything else is telemetry.
Results
| Tool | Telemetry requests / 24h | Auto-update checks | License validation | Total outbound |
|---|---|---|---|---|
| GitSquid | 0 | 1 | 1 (Pro only) / 0 (Free) | 1-2 on launch, then 0 |
| Fork | 0 | 2 (manifest poll) | 0 | 2 |
| SourceTree | ~80 | 2 | 1 (Atlassian sign-in) | ~83 |
| GitKraken | ~140 | 2 | ~24 (hourly heartbeat) | ~166 |
Two of the four apps send essentially nothing. Two send dozens to hundreds of requests per day, even with no user interaction.
Where the requests go
GitKraken
Observed destinations during the 24-hour window:
api.gitkraken.com— license heartbeat, account session refresh, and feature flag checks.analytics.gitkraken.com— usage analytics. Each navigation, panel open, and Git operation generates an event.sentry.io— error reporting (also fires on warnings, not just crashes).statsig.com— feature flag and A/B test evaluation.logrocket.comon some sessions — session replay, when enabled.
SourceTree
id.atlassian.com— account session refresh, called periodically.sourcetree.atlassian.com— feature usage analytics.sentry.io— error reporting.analytics.atlassian.com— cross-product Atlassian analytics.
Fork
git-fork.com/sparkle— auto-update manifest. Two checks in the 24h window. No telemetry endpoints contacted.
GitSquid
github.com/TheMax98000/gitsquid-releases— auto-update manifest (`latest.json`). One fetch on launch. As of v2.7, this check is mandatory and not user-disableable (a settings toggle is on the roadmap).gitsquid.dev/api/validate-license— license validation. One request on launch only for Pro users (Free users do not hit this endpoint). The request body contains only the license key as a query parameter — no machine ID, no usage data, no telemetry. If the API is unreachable, the app falls back to a recent cached result, then to local checksum verification of the key. So a Pro license keeps working offline, but the online check is the default path when network is available.- No telemetry endpoints contacted at any point. No analytics, no event tracking, no crash reporting service, no feature-flag service.
What the data looks like
The number of requests is one thing. The content of each request is another. We sampled a handful of GitKraken analytics POSTs:
- Repository path (full local path, hashed but reversible if you have the salt).
- Branch names of currently checked-out branch.
- Number of commits in the repository.
- Which Git operations were performed and how often.
- Which UI panels were opened.
- Operating system, app version, screen resolution.
None of this is malicious, and GitKraken's privacy policy discloses it. But for a user under NDA, "branch names of the currently checked-out branch" can leak `feature/customer-acme-bug-fix` to a third-party server, which is exactly what NDAs typically prohibit.
SourceTree's payloads are smaller and more anonymized but still include repository fingerprint and feature usage events.
Can you turn it off?
| Tool | Opt-out available? |
|---|---|
| GitKraken | Partial — you can disable some analytics but not all (license heartbeat is mandatory). |
| SourceTree | Partial — analytics opt-out exists, account session refresh is mandatory. |
| Fork | N/A — no telemetry to opt out of. Auto-update can be disabled. |
| GitSquid | N/A — no telemetry to opt out of. Auto-update check and license validation both happen once on launch and cannot currently be disabled from settings. A toggle for both is on the roadmap. |
For GitKraken and SourceTree, "telemetry off" is not the same as "no outbound traffic". The license / account session refresh continues regardless.
For IT reviews
Many enterprise IT departments review desktop tools before approving them. The questions they ask:
- Does it require an account? — No for GitSquid and Fork. Yes for GitKraken and SourceTree.
- Does it phone home? — For GitSquid: yes, but only at launch (1 update check + 1 license validation for Pro). No analytics, no recurring background traffic. For Fork: only the auto-update manifest. For GitKraken and SourceTree: yes, recurring throughout the session.
- Is license validation offline-capable? — For GitSquid: tries online first (Pro only), falls back to a recent cached result, then to local checksum if both fail. A Pro key keeps working without internet; the online check is the default when network is available. For Fork: one-time license, no validation needed. For GitKraken: online required.
- Does it leak repository / branch names? — No for GitSquid and Fork. Yes for GitKraken (in analytics payloads), partial for SourceTree.
For an air-gapped environment, GitSquid's auto-update check and license validation will simply fail silently and fall back to the cached / offline path. The app continues to function, but IT may want to know about those two outbound requests at launch. A future settings toggle to skip both will simplify deployments in strict environments.
For a strictly regulated environment, GitSquid and Fork are the easiest to clear — the only outbound traffic is bounded (launch only, for GitSquid) or update-only (Fork). GitKraken and SourceTree usually do not pass without negotiated data processing agreements.
Reproducing this
The numbers above were measured with mitmproxy in transparent proxy mode. To reproduce on your own machine:
- Install mitmproxy:
brew install mitmproxyon Mac, package manager equivalent on Linux. - Configure your system to route HTTPS through `localhost:8080`.
- Trust the mitmproxy CA at the system level.
- Launch your Git client, open a local repository, leave focused.
- Watch the live request log in mitmproxy's UI.
You will see the request count climb in real time for the telemetry-heavy clients, and stay flat for the others.
The honest take
Telemetry is not evil by itself. Software vendors use it to fix bugs, prioritize features, and understand who their users are. GitKraken's privacy policy is transparent about what is collected, and the data does help them build a better product.
The choice is whether you want that trade-off. For consumer tools (browsers, music players), most people accept it. For developer tools running over potentially sensitive code, more developers say no — especially as the no-telemetry alternatives become as capable as the tracked ones.
If "minimal outbound, no analytics, no third-party trackers" is on your requirements list, download GitSquid. The launch fires 1-2 requests (update check + license validation for Pro), then nothing for the rest of the session. The same constraint roughly applies to Fork ($59 one-time, no Linux). Both pass IT review where GitKraken and SourceTree usually do not.