ALLYX ONE
Private beta Phase 1a

Allyx Scrub

Strip metadata. See exactly what was removed.

A Mac app that strips metadata and redacts content from PDFs, images, and documents — entirely on-device, with a visible record of what it removed.

Join the beta Read the receipts spec

macOS 14.0+ · M1 or newer · No account required

Mac App Store · Direct (.dmg)

Built for

What it does

Every feature ships on-device. The trade-off — no cloud sync, no cross-device handoff — is the point.

PDFs, images, docs

PDF, HEIC, JPEG, PNG, TIFF, .docx, .pages, .xlsx, .pptx, .key, .numbers. One drop zone, every common format.

Shows you what it removed

A receipt: ‘Removed 14 metadata fields, 3 hidden text annotations, and GPS coordinates from 2 embedded photos.’ It feels like evidence, not marketing.

On-device, always

Apple Vision for OCR. No cloud, no SDK, no telemetry. Verifiable via the bundled Privacy Ledger that lists every network call the app ever makes.

Finder Quick Action + Share Extension

Right-click a file in Finder, or hit Share from Mail or Messages — clean files without ever opening the main app window.

Folder Watch

Point Scrub at ~/Downloads or any outbox folder. Anything you drop in is auto-cleaned, with a notification per batch.

True rasterisation redaction

Redacted regions are rasterised — not a black box drawn on top. The pixels are gone. They can't be reconstructed by selecting the area.

Every network call this app makes, listed.

Allyx Scrub ships with a signed network manifest. These are the only domains it is ever allowed to contact. Run it behind Little Snitch and check — if you see anything not on this list, that's a bug.

Rule Host Notes
license-refresh license.allyx.one
update-appcast updates.allyx.one Direct channel only
manifest-fetch manifests.allyx.one
crash-report crashes.allyx.one Opt-in only

Just this app

£39 / year

Single-app subscription

All Allyx apps

£79 / year

The whole suite, including Allyx Scrub and every app we ship next.

Trial

7 days free, full functionality. After that, 5 files / day until you subscribe.

What Allyx Scrub does not do
  • Editing PDFs (rearranging pages, adding annotations). Preview and PDF Expert own that.
  • Heavy multi-pass redaction workflows. Acrobat owns that.
  • Cloud storage or sharing. Save to disk; you take it from there.
  • Server-side processing — ever.

Questions

Does Scrub upload my files anywhere?

No. Files never leave your Mac. The only network calls Scrub makes are licence refresh and update checks — all listed in the signed network manifest you can inspect at any time from the Privacy Ledger pane.

How is this different from Preview's ‘Remove location info’?

Preview only strips GPS from images. Scrub strips metadata, edit history, embedded thumbnails, fonts, comments, revision marks, hidden text, and embedded files — across PDFs, images, and Office and iWork documents — and gives you a receipt for what was removed.

Is redaction reversible?

No. Scrub rasterises the affected region; it doesn't draw a black rectangle on top. The original pixels are gone. You can't select text behind a redaction box because there is no text behind it.

What happens if I drop in an encrypted PDF?

Scrub flags it and suggests opening it in Allyx Vault first. We won't try to bypass encryption — that's the wrong layer for that to live in.

Where can I download it?

Scrub is in private beta. Join the waitlist and you'll get a Direct .dmg before the public launch on the Mac App Store later in 2026.

Why a receipt matters

Most privacy tools ask you to trust them. Scrub asks you to verify it.

Every time Scrub cleans a file, it generates a receipt — a structured log of what was removed, what was kept, and where the residue lived. You can read it before you send the file. You can save it as an audit trail. You can compare against exiftool and pdfinfo and confirm the numbers match.

This sounds like a small thing. It isn’t. It’s the reason Scrub exists.

Why redaction by rasterisation

A black rectangle drawn on top of text isn’t redaction; it’s a sticker. The text is still there in the PDF. Anyone with Preview and a marquee selector can pull it out in five seconds.

Scrub rasterises the affected region — turns it back into pixels — so there’s nothing underneath. The same approach that Acrobat’s enterprise tier uses, applied to a tool that costs less than a single month of Acrobat.

The network manifest

Below the features grid on this page you’ll find Scrub’s full network manifest: every domain Scrub is ever allowed to talk to, what each rule does, and which channel it applies to. The list is short on purpose. We sign it. We publish it. We don’t change it without a release note.

If you’d like to verify it for yourself: run Scrub behind Little Snitch for a week and compare. If you see a connection that isn’t on the manifest, that’s a bug — file it and we’ll fix it.

Ready for Allyx Scrub?

Private beta. Public launch Q4 2026.

Join the beta Browse all Mac apps