Violet privacy policy
The short version
Violet is local-first. Your conversations, memories, and journal live on your device. If you turn on cloud sync, your content is encrypted on your device before it leaves, with a key derived from your passphrase that never leaves your device. Our server stores locked envelopes it cannot open. We can see that you have an account and how much you use the service; we cannot read what you and Violet talk about.
1. What Violet is
Violet is a personal AI partner. The product runs local-first: the core application stores your data on your own device. An optional cloud service (operated by us on Cloudflare's platform) provides accounts, cross-device sync, and managed AI inference.
2. Data that stays on your device
- Your conversations, memories, journal entries, settings, and personal context are stored on your device.
- If you never create a cloud account, none of this content is sent to us at all.
3. How cloud sync works (end-to-end encryption)
When cloud sync is on:
- Your content is sealed on your device with AES-GCM-256. The content key is derived from your passphrase on your device using PBKDF2-SHA256 (200,000 iterations) over a per-account salt.
- The content key is never sent to us and is never stored on our servers. The salt used to derive it is stored server-side but is not a secret and cannot recover the key without your passphrase.
- The server stores only an opaque envelope per record (a nonce and ciphertext) plus the minimal merge metadata sync needs: a version number, an updated-at timestamp, and a deleted flag. The server cannot decrypt any envelope.
- Your sign-in password is verified with a separate, independent hash. Verifying your password does not give the server your content key.
Consequence you should understand: if you lose your passphrase, we cannot recover your synced content. We cannot read it, so we cannot restore it in the clear.
4. What we CAN see
We are honest about the other side of the ledger. When you use the cloud service, we process and can see:
- Account email address and the timestamps of account creation and sign-ins.
- Session data: an authentication cookie (we store only a hash of the token) and short-lived session cache entries used for sign-in and rate limiting.
- Billing status via Stripe: whether you have an active plan, which plan, and the billing period. Payment card details go to Stripe, our payment processor; we never see or store card numbers. Stripe's own privacy policy applies to the data it processes.
- Usage metering counts: per-account, per-day token tallies for managed AI inference, used to enforce plan limits. These are counts, not content.
- Sync metadata: how many encrypted records you store, their sizes, collection names, and timestamps (not their contents).
- Waitlist email: if you join the pre-launch waitlist, the email address you submit and when you submitted it.
- Operational logs at our infrastructure provider (Cloudflare) such as request timestamps and status codes, used to keep the service running.
5. Managed AI inference
If you use managed inference (Violet's cloud reasoning), the messages you choose to send to the model are forwarded to our model provider to generate a reply, and the reply is streamed back to you. This is inherent to how large models work; a model cannot answer a message it cannot read. What we commit to:
- Inference requests are processed to produce your reply and to meter usage; we do not use your inference content to build advertising profiles.
- We record token counts for metering, not transcripts, in our billing records.
- The model provider processes the request under its own terms; the provider we use and its data handling commitments will be named here before publication. [OWNER: name the contracted model provider and its retention/no-training terms before this draft ships.]
- If managed inference is not configured or your allowance is exhausted, the service returns an honest error. It never fabricates a reply.
Power users can instead run Violet against their own local model or their own key, in which case inference content does not flow through our cloud at all.
6. What we do NOT do
- We do not sell your data. To anyone. Ever.
- We do not read, mine, or train on your encrypted content (we could not if we wanted to; we hold only ciphertext).
- We do not run third-party advertising or tracking in the product.
- We do not collect data we do not need for the service to work.
7. Retention
- Encrypted sync records: kept while your account is active so your devices can sync. Records you delete are tombstoned for sync convergence and then removed on our cleanup cycle. [OWNER: set the exact tombstone retention window before publication.]
- Sessions: expire automatically and are removable by signing out.
- Usage metering: per-day counters kept for billing accuracy and dispute resolution. [OWNER: set the retention period, e.g. the tax/audit minimum, with counsel.]
- Waitlist emails: kept until launch outreach completes or you ask to be removed.
- Billing records: kept as required by tax and accounting law.
8. Deletion
- You can delete individual synced records from your devices; deletion propagates through sync.
- You can request full account deletion at [OWNER: support email]. We will delete your account row, sessions, entitlement records, and all stored envelopes, subject only to billing records we are legally required to keep. Because content is end-to-end encrypted, deleting the ciphertext is final.
- Local data on your own devices is yours; deleting it is under your control and does not require us.
9. Where data lives
The cloud service runs on Cloudflare (Workers, D1, KV, R2), a global edge network. [OWNER with counsel: add data-location and international-transfer language, e.g. GDPR transfer mechanisms, before publication.]
10. Legal bases and your rights
[OWNER with counsel: complete for the launch jurisdictions. Expected contents: GDPR legal bases (contract for the service, legitimate interest for security, consent for the waitlist), CCPA/CPRA disclosures and the right to know/delete/correct, and the contact mechanism for exercising rights. The architecture above makes most access requests simple: for content, we hold only ciphertext we cannot open.]
11. Children
Violet is not directed at children. [OWNER with counsel: set the minimum age per jurisdiction, e.g. 16 in the EEA and 13 in the US, and align the terms.]
12. Changes
If we change this policy, we will post the new version with a new effective date and, for material changes, notify account holders by email before the change takes effect. We will never change the core promise silently: content is encrypted on your device and we cannot read it.
13. Contact
[OWNER: privacy contact email, and the legal entity name and address, before publication.]