Privacy and Data: Your Data Is Yours

Caiioo is built for privacy. Your conversations, API keys, and files stay on your device. Period.

What We Know About You

Just a few things, tied to your verified identity and subscription:

  • Your email address
  • Your display name
  • Your profile picture
  • Your subscription status (plan, Stripe customer ID, active/cancelled state) — so we can route you to the right billing portal

That's all. You sign in with Google, Apple, or email—there's no license key to enter. Your verified identity is enough to use the app; your plan comes from your subscription.

What We Don't Know

  • Your conversations or chat history
  • Your API keys
  • Your files or documents
  • Your browsing history
  • Your settings or preferences
  • Your location (unless you explicitly allow it)
  • Anything you search for or create

We don't run analytics, telemetry, or tracking. We can't see what you're doing, and we don't try to.

How Your Data Flows

┌─────────────────────────────────────────────────────────────────────┐
│ You type → Caiioo (runs locally on your device)               │
│           ↓                                                         │
│     Runs AI, manages tools, handles documents                      │
│           ↓                                                         │
│     → Sends to AI Provider API (Claude, GPT, etc.)                │
│     → Provider processes → Returns response                        │
│     → Response stays on your device                                │
└─────────────────────────────────────────────────────────────────────┘

SEPARATE: Caiioo Auth Server
├─ Sees: Your email, name, avatar (for licensing)
├─ Doesn't see: Conversations, keys, files
└─ Only touches: Profile info for subscription checks

Bottom line: Conversations and API keys go directly to AI providers. Caiioo servers only see your email for licensing. Nothing else.

API Access vs Consumer Platforms

ChatGPT.com, Claude.ai, Gemini — these are consumer platforms:

  • You agree to their terms, which may retain conversations for training or safety
  • Your chat history lives in their cloud by default
  • You're using their infrastructure

Caiioo with API keys — you're using developer/API terms instead:

  • You pay the provider directly (OpenRouter, or any model accessed through it)
  • You're under their API agreement, not consumer terms
  • Conversations stay on your device unless you explicitly sync them
  • Many providers offer strict data handling: process your request, then delete it

OpenRouter's Zero Data Retention — available for Claude and other models routed through OpenRouter:

  • Provider sees the request, processes it, immediately discards everything
  • No retention, no logging, no training data
  • Like whispering to an AI that has amnesia the second you're done

The choice is yours. Different data governance for different comfort levels.

Your Personalization Follows You

Everything that makes Caiioo yours stays on your device:

  • System prompts — your custom instructions for each mode
  • Variables — location, time, user profile data you define
  • Modes — the AI personalities you've customized
  • Skills — your saved, reusable workflows
  • Memory — what the AI remembers about you between chats

Switch AI models anytime. Your setup doesn't change. No vendor lock-in.

Export anytime: Your customization isn't trapped in one provider's ecosystem. It travels with you.

Pseudonymizer

Personal-data filter that swaps names, emails, addresses, and other identifying information for realistic fakes before they reach the model. Runs on-device. See the Pseudonymizer page for details.

Remote AI Providers

When you deliberately pick a local chat model — Ollama or MLX running on your machine — you're making a privacy choice: your conversation stays on your device, away from any remote AI. Caiioo honors that. It won't quietly send your data to a remote AI just because a tool wants to.

Some tools are AI-powered themselves and can't run locally — image, video, and music generation, remote OCR, and AI web search route through a remote AI provider (OpenRouter, Google, Mistral, Perplexity). When a tool like that would send your data to a remote AI, Caiioo pauses instead of going ahead. It shows an in-chat Approve / Cancel card naming the tool and the provider it would reach — so you decide, with full knowledge of where your data is about to go. (Tools that only fetch public web content don't trip this — the boundary is about sending your data to a remote AI, not general network use.)

  • Approve remembers that provider, so you won't be prompted again for it. You then re-send your message to run the tool — there's no silent auto-retry.
  • Cancel leaves your chat entirely on your local model. Nothing is sent.

You can review and revoke any provider you've vetted under Settings → Personalization & Privacy → Remote AI Providers. Each granted provider has a Revoke button; revoking means the next tool call that needs that provider will prompt you again.

This boundary only applies when your chat model itself is local. If you're already chatting with a remote model, your data is already going to that provider, so there's no new boundary to cross and no prompt.

How Private Sync Encryption Works

Private sync (to Google Drive) uses strong encryption:

AES-256-GCM encryption — military-grade symmetric encryption

  • Your passphrase → PBKDF2 hashing (100,000 iterations) → encryption key
  • Your conversations and settings are encrypted locally before upload
  • The encrypted blob goes to Google Drive
  • Your passphrase never leaves your device

Even if someone accessed your Google Drive, they can't read your data without the passphrase. It's mathematically infeasible to decrypt. Learn more about Private Sync.

How Sign-In Works (OAuth Security)

Caiioo uses PKCE — a secure authentication flow designed for apps without the ability to keep secrets:

  1. You click Sign In
  2. Browser opens a login page (we don't see your password)
  3. You grant permission to Caiioo
  4. Provider sends back a token
  5. Token stays on your device

OAuth client secrets (like Google's or GitHub's) are not in the app code. They live on Cloudflare Workers:

  • Secrets never exposed to the browser or your device
  • Provider tokens go through a secure server proxy
  • You get a safe, encrypted connection

For iOS and local APIs: PKCE handles everything. No relay needed.

Where Your Data Lives

API Keys

  • Stored on your device only
  • Never sent to Caiioo servers
  • Sent directly to the AI provider when you make a request
  • We never see them, can't access them, don't store them

Conversations

  • Stored on your device by default
  • Optionally synced to your Google Drive via Private Sync
  • If synced, encrypted before leaving your device (we can't read it even if we wanted to)

Settings

  • Stored on your device
  • Synced with private sync if you enable it

Voice Data

  • Local options (Whisper, Kokoro, browser speech): Never leave your device
  • Cloud options (ElevenLabs, Resemble.ai): Sent to those services using your API keys (not through Caiioo)

Account Deletion

Want to delete your account? Go to the Account page on our website (also linked from the iOS app per Apple's requirement). Deletes your profile, sign-in credentials, AI credit balance, encrypted provisioned OpenRouter key. Minimal audit logs are retained for security.

Total Control

Mix and match however you want:

  • Use cloud AI with local voice ✓
  • Use local AI with cloud backup ✓
  • Go completely offline ✓
  • Use only cloud services ✓

It's your setup. You decide what's comfortable.

Full Transparency

Read our Privacy Policy for the complete technical details. See Terms of Use for usage terms and API key policies.

Questions? We're here to help — check Troubleshooting or reach out.

This guide is maintained by the Caiioo team using Slate, our built-in editor.