Privacy model

What data each Cordy product stores, where it lives, and how to erase it.

Cordy's privacy model is simple to state: there is no Cordy server in the request path, and there is no telemetry. This page explains what that means concretely — including the honest edges.

The core guarantees

  • No Cordy account. You never sign up; there is nothing to log into.
  • Local-first storage. Conversations, settings, and keys live on your device (or, for the gateway, in your own database).
  • Direct-to-provider requests. Your prompts go only to the model provider you configured. Cordy does not see, store, or proxy them.
  • No telemetry, no analytics, no tracking. Cordy products do not phone home.

What data exists, and where

ProductWhere data livesWhat leaves the device
ChromeEncrypted IndexedDB + chrome.storage.localOnly your prompts, to the provider you chose (after a one-time consent)
DesktopFiles under the app's user-data directory (projects, notes, layout)Nothing, except a manual, path-redacted diagnostics export you trigger
MobileOn-device SQLDelight database + Keystore/KeychainOnly your prompts, to the provider you chose
GatewayYour own PostgreSQL + RedisOnly what you send upstream; payloads are not captured by default

Where a product can reach a cloud provider, it asks first:

  • Chrome shows a one-time cloud-consent dialog before the first request to a cloud AI or TTS provider. On-device models (Chrome built-in AI, in-browser Gemma, local Kokoro TTS) never trigger it, because nothing leaves the device.
  • Mobile states plainly during onboarding that prompts are sent only to the provider you select.

Erasing your data

  • Chrome — Settings → Data & Privacy: export or delete all data; revoke cloud consent and optional site/history/bookmark permissions any time.
  • Mobile — one-tap Erase all wipes every local boundary: database, preferences, keychain, attachments, image caches, and temp files.
  • Desktop — everything is a local file; removing the user-data directory removes it all.
  • Gateway — you own the database; standard SQL and retention controls apply.

Honest edges

  • Your model provider has its own privacy policy for the prompts you send it. BYOK means you choose who that is.
  • Cordy Gateway records usage/cost metadata and audit logs (that is its job). It does not capture prompt/response payloads by default, and it claims no compliance certifications — see gateway security.