The privacy model

Be precise about who can see what#

"Private" is a word everyone abuses, so here is the exact model.

Local mode (CLI)#

When you run the CLI against a local model, nothing leaves your machine. The model, the browsing, the code execution — all of it runs on your hardware. The only thing that can see the session is you. There is no network call to us at all.

Sealed mode (room or CLI → API)#

When you use the web room, or point the CLI at our API, your prompt travels encrypted to a sealed enclave and is decrypted only inside it. We — the people who run the service — cannot read it. The operator of the machine cannot read it. It is not written to a log.

What the operator and admin can see#

We keep the minimum needed to meter usage and stop abuse:

• —That a wallet has a balance and spent some tokens — billing requires it.
• —Room identifiers and timestamps — to show you your own session list.

We do not store, and the admin dashboard does not show, the contents of your rooms — the prompts or the replies. The admin sees that room #4127 exists and cost X tokens, never what was said inside it.

What's on you#

An uncensored agent with real tools will do what you ask. We don't watch and we don't intervene, which means the responsibility for what you do with it is yours. The one technical line we hold: the agent's browser refuses private and internal network addresses. Read anything public, attack nothing private.