1. Our Commitment to Privacy
SayaiNow is a local-first application. Your data is stored on your device, not on our servers. We do not collect, sell, or share your personal information. This policy explains how your data is handled across the app.
2. Sovereign Protocol v1.0 & Local-First Architecture
SayaiNow operates under the Sovereign Protocol v1.0, a pioneer in local AI architecture. While we support cloud providers (BYOK), we also feature a built-in Local GPU Engine. Using WebGPU technology, you can run powerful AI models entirely on your device's hardware. In this mode, your prompts never leave your machine — providing the absolute highest level of privacy possible in modern AI.
All your persistent data — conversations, journal entries, memories, and settings — is stored locally in your browser using IndexedDB and encrypted at rest using AES-256-GCM with PBKDF2-derived keys. Your device is the primary and only source of your data.
3. What We Store Locally
The following data is stored on your device:
- AI Conversations: All messages and chat history across sessions.
- Personas: Custom AI persona configurations you create.
- Memories: Persistent facts and context stored for AI personalization.
- Journal Entries: Your daily reflections, mood logs, and activity tracking.
- Flow Hub Sessions: Detailed research decompositions and strategic blueprints.
- Goals: Personal and professional goals you set and track.
- Gmail Workspace Sessions & Privacy Shield: Live workspace actions, localized active database tracking, and Gmail API mutative actions (Starring, Trashing, Restoring). Integrates our Stealth Tracker Blocker (stripping UTM parameters, email tracking beacons, and pixel trackers), Phishing Link Scanner (auditing external links before click), On-Device AES-256 Encrypted Notes, Sovereign Shield Threat Filtering UI, Unread Filtering, Visual Volume Analytics, and AI Email Insights (summaries and smart auto-categorization running Cloud-first with downloaded local-model fallbacks). All sessions, notes, and audits are stored strictly on-device.
- YouTube Integration & Privacy Shield: YouTube integration allows you to search videos, access channel uploads, and retrieve transcripts. All transcript parsing, cognitive audits, and chaptering are executed client-side. A click-to-play Zero-Knowledge Consent Shield guards the video player, preventing any connections or cookie exchange with Google/YouTube servers until you explicitly click the stream button.
- Generated Media: Images and Kinetic Video content created through AI generation.
- Live News Stream & Audio Reader: Cached global feeds and current article context. Integrates a **Text-To-Speech Narration System** powered by browser-native Web Speech Synthesis. Audio processing, natural sentence chunking, and speech synthesis are executed 100% locally on your device's audio output.
- API Keys: Your AI provider keys, encrypted at rest using AES-256-GCM before being saved to IndexedDB.
- Full Database Encryption: All data stored in IndexedDB — including conversations, memories, goals, personas, generated media, and reasoning history — is encrypted at rest using AES-256-GCM. Encryption keys are derived on-device using PBKDF2 with 100,000 iterations (SHA-256) from a cryptographically random device seal. Only query indexes (record IDs, conversation references) remain in plaintext to enable database lookups. The actual payload content is unreadable without the device's unique encryption key.
4. Security Measures
We implement multiple layers of protection for your local data:
- Full At-Rest Encryption: All local data — including AI conversations, memories, goals, personas, generated images, and reasoning history — is encrypted using AES-256-GCM before being stored in IndexedDB. Encryption keys are derived using PBKDF2 with 100,000 iterations (SHA-256) from a cryptographically random 256-bit device seal unique to your browser. Only structural indexes (record IDs, conversation references) remain unencrypted to enable database query performance.
- Wire Security: All API calls to AI providers are made over HTTPS (TLS). A Content Security Policy restricts connections to only known, trusted domains.
- Zero Telemetry: We do not use analytics, tracking scripts, or crash reporting tools of any kind.
- Export Filtering: When exporting or backing up data, private cryptographic keys and OAuth tokens are automatically excluded.
5. Bring Your Own Key (BYOK)
SayaiNow uses a BYOK model. When you send a message, your browser communicates directly with the AI provider (e.g., OpenAI, Anthropic, Google) using your own API key. We do not proxy, intercept, or store these requests. Your prompts and responses travel directly between your device and the provider.
Please review the privacy policies of any AI providers whose keys you use, as their data handling policies apply to the content you send them.
6. Google Drive Backup (Optional)
SayaiNow offers optional backup to your Google Drive. When enabled, your data is stored in a private App Data folder within your Google Drive account. This folder is accessible only by SayaiNow and is not visible in your regular Drive files. When available, backup data is encrypted using AES-256-GCM before upload. We do not have access to your Google Drive or your backed-up data.
7. Firebase Authentication
If you choose to sign in, SayaiNow uses Firebase Authentication (by Google). This processes only the minimum information required for sign-in (such as your email). We do not use this data for marketing or profiling.
8. Google User Data Policy & Disclosures
SayaiNow accesses, collects, uses, and shares Google user data in strict compliance with Google's API User Data Policy, including Limited Use requirements:
8.1 Google API Services User Data Policy Compliance Statement:
SayaiNow's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
8.2 What Google User Data is Accessed (Detailed Scopes):
- Gmail Data (https://www.googleapis.com/auth/gmail.modify): We access your email inbox, messages, threads, labels, and metadata to let you read, search, organize, star, trash, or restore emails inside the workspace.
- Google Drive AppData (https://www.googleapis.com/auth/drive.appdata): We access a private configuration and storage folder within your Google Drive (inaccessible to other apps or normal Drive users) to upload and sync your locally encrypted database backups.
- YouTube Read-Only (https://www.googleapis.com/auth/youtube.readonly): We access YouTube video search results, channel uploads list, and closed captions (transcripts) of public videos.
- Google Profile Data (Google Sign-In): We access your basic account credentials, including your email address, full name, and profile picture url via Firebase Authentication.
8.3 How We Use Google User Data (Purpose of Access):
- Gmail Workspace & AI Summaries: Your email data is loaded to render the workspace panel. For AI summaries, Gmail data is parsed directly on your device. When using a custom cloud API key (OpenAI/Anthropic/Google), the email content is transmitted directly to that provider for summarization. If local models are selected, processing runs 100% locally. We do not inspect or save your emails.
- Google Drive Syncing: Your journal entries, chat logs, goals, and settings are compiled, encrypted on-device using AES-256-GCM, and uploaded directly to your private Google Drive appDataFolder to keep your workspace synced across multiple devices.
- YouTube Summarization & Chapters: YouTube closed captions/transcripts are fetched to generate AI-driven summaries, index key chapters, and audit video logic locally or via your custom API keys.
- Account Authentication: Basic profile credentials are used solely to sign you into the application and maintain your active user session.
8.4 Data Storage, Sharing, and Transfer Restrictions:
- No Server Collection: We do not operate any backend servers that collect, store, or monitor your Gmail content, Drive backups, or YouTube interactions. All data belongs strictly to your local storage or your personal Google account.
- No Commercial or Advertising Sharing: We never share, sell, lease, or transfer your Google user data to data brokers, advertising platforms, or third-party marketing companies.
- No Human Access: No developers, administrators, or human beings have access to review, inspect, or read your Google user data.
- Model Training Restriction: We do not use your Google user data to train or fine-tune any AI models.
9. YouTube API Services & Third-Party Terms
By using SayaiNow's YouTube integration, you agree to be bound by the YouTube Terms of Service. Google data practices are governed by the Google Privacy Policy.
All third-party trademarks, service marks, logos, and brand names (including Gmail, YouTube, Google Drive, OpenAI, Anthropic, Gemini, DeepSeek, Together AI, etc.) used in this application are the property of their respective owners. Their use does not imply any affiliation, endorsement, or sponsorship by these trademark holders.
10. Analytics & Tracking
We do not use analytics tools, tracking scripts, or crash reporting services. We do not collect usage data, IP addresses, or device information.
11. Your Rights
- Access: View all stored data via the Export/Backup feature in Settings.
- Portability: Export your data as JSON or CSV at any time.
- Erasure: Use "Delete All Data" in Settings to permanently remove all local data.
12. Children's Privacy
SayaiNow is not intended for use by children under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect, store, or process any information from children.
13. Changes to This Policy
We may update this policy as new features are added. Changes will be reflected in the "Last Updated" date above. Our commitment to local-first, privacy-respecting design will not change.
14. Contact
For privacy-related questions, reach out at: sayainow.support@gmail.com