Privacy model
What data each Cordy product stores, where it lives, and how to erase it.
Cordy's privacy model is simple to state: there is no Cordy server in the request path, and there is no telemetry. This page explains what that means concretely — including the honest edges.
The core guarantees
- No Cordy account. You never sign up; there is nothing to log into.
- Local-first storage. Conversations, settings, and keys live on your device (or, for the gateway, in your own database).
- Direct-to-provider requests. Your prompts go only to the model provider you configured. Cordy does not see, store, or proxy them.
- No telemetry, no analytics, no tracking. Cordy products do not phone home.
What data exists, and where
| Product | Where data lives | What leaves the device |
|---|---|---|
| Chrome | Encrypted IndexedDB + chrome.storage.local | Only your prompts, to the provider you chose (after a one-time consent) |
| Desktop | Files under the app's user-data directory (projects, notes, layout) | Nothing, except a manual, path-redacted diagnostics export you trigger |
| Mobile | On-device SQLDelight database + Keystore/Keychain | Only your prompts, to the provider you chose |
| Gateway | Your own PostgreSQL + Redis | Only what you send upstream; payloads are not captured by default |
Consent before anything leaves
Where a product can reach a cloud provider, it asks first:
- Chrome shows a one-time cloud-consent dialog before the first request to a cloud AI or TTS provider. On-device models (Chrome built-in AI, in-browser Gemma, local Kokoro TTS) never trigger it, because nothing leaves the device.
- Mobile states plainly during onboarding that prompts are sent only to the provider you select.
Erasing your data
- Chrome — Settings → Data & Privacy: export or delete all data; revoke cloud consent and optional site/history/bookmark permissions any time.
- Mobile — one-tap Erase all wipes every local boundary: database, preferences, keychain, attachments, image caches, and temp files.
- Desktop — everything is a local file; removing the user-data directory removes it all.
- Gateway — you own the database; standard SQL and retention controls apply.
Honest edges
- Your model provider has its own privacy policy for the prompts you send it. BYOK means you choose who that is.
- Cordy Gateway records usage/cost metadata and audit logs (that is its job). It does not capture prompt/response payloads by default, and it claims no compliance certifications — see gateway security.