openmates 0.12.0-alpha.7 → 0.12.0-alpha.8

@@ -26245,6 +26245,9 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
26245
26245
  }
26246
26246
  },
26247
26247
  chat: {
26248
+ generated_by_cost: {
26249
+ text: "Cost: {credits} credits"
26250
+ },
26248
26251
  new_chat: {
26249
26252
  text: "New chat"
26250
26253
  },
@@ -33037,1014 +33040,1014 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
33037
33040
  text: "Groq Privacy Policy"
33038
33041
  }
33039
33042
  },
33040
- revolut_business: {
33041
- heading: {
33042
- text: "3.15 Revolut Business (SEPA Bank Transfer)"
33043
- },
33044
- description: {
33045
- text: "We use Revolut Bank UAB (Lithuania, EU) as our receiving bank for SEPA bank transfers. When you choose to pay via bank transfer, we display our Revolut IBAN to you. Revolut notifies us via a cryptographically signed webhook when a transfer arrives. We do not send your personal data to Revolut \u2014 only the transaction reference, amount, and Revolut's own transaction ID are processed."
33046
- },
33047
- privacy_policy_link: {
33048
- text: "Revolut Privacy Policy"
33049
- }
33050
- },
33051
- flightradar24: {
33052
- heading: {
33053
- text: "3.16 Flightradar24"
33054
- },
33055
- description: {
33056
- text: 'When you request real flight track data using the "Get flight track" skill, we query Flightradar24 to retrieve historical GPS track data for completed flights. Flightradar24 receives the flight number and departure date. No personal data is shared.'
33057
- },
33058
- privacy_policy_link: {
33059
- text: "Flightradar24 Privacy Policy"
33060
- }
33061
- },
33062
- security_measures: {
33063
- heading: {
33064
- text: "4. Security Measures"
33065
- },
33066
- intro: {
33067
- text: "We implement various security measures to protect your account and data in the web application:"
33068
- },
33069
- device_fingerprinting: {
33070
- subheading: {
33071
- text: "Device Fingerprinting"
33043
+ providers: {
33044
+ payments: {
33045
+ revolut_business: {
33046
+ heading: {
33047
+ text: "3.15 Revolut Business (SEPA Bank Transfer)"
33048
+ },
33049
+ description: {
33050
+ text: "We use Revolut Bank UAB (Lithuania, EU) as our receiving bank for SEPA bank transfers. When you choose to pay via bank transfer, we display our Revolut IBAN to you. Revolut notifies us via a cryptographically signed webhook when a transfer arrives. We do not send your personal data to Revolut \u2014 only the transaction reference, amount, and Revolut's own transaction ID are processed."
33051
+ },
33052
+ privacy_policy_link: {
33053
+ text: "Revolut Privacy Policy"
33054
+ }
33072
33055
  },
33073
- purpose: {
33074
- text: "To enhance account security, prevent fraudulent access, and distinguish between new and recognized devices during login and session validation, we collect User-Agent strings (browser, OS, device type information) and IP addresses (used temporarily to derive approximate geo-location like country/city, then discarded from the device record)."
33056
+ heading: {
33057
+ text: "Payment providers (only when you purchase credits)"
33075
33058
  },
33076
- storage: {
33077
- text: "A unique, stable hash is generated based on a combination of the collected signals. This hash is the only value stored in the device record. Browser/OS type and derived country code may be used transiently for risk assessment and notifications but are not stored with the device record. Raw IP addresses are NOT stored as part of the device record itself."
33059
+ description: {
33060
+ text: "These providers are only used when you purchase credits, subscribe to monthly auto top-up, or receive a refund. If you never make a purchase, none of your data is shared with them."
33078
33061
  },
33079
- ip_logging: {
33080
- text: "For security monitoring and abuse prevention, IP addresses associated with failed login attempts (invalid password or 2FA code) may be logged with limited retention. In addition, certain security/compliance events (e.g., successful backup-code logins) may be logged with IP for audit purposes. IP addresses are also used for rate limiting login attempts."
33062
+ stripe: {
33063
+ heading: {
33064
+ text: "Stripe (primary payment processor)"
33065
+ },
33066
+ description: {
33067
+ text: "Stripe processes one-time credit purchases and monthly auto top-up subscriptions. We send Stripe your email address, a tokenized payment method (we never see your card number), billing address and VAT information when required for invoicing, and transaction metadata."
33068
+ }
33081
33069
  }
33082
- }
33083
- },
33084
- data_categories: {
33085
- heading: {
33086
- text: "5. Data Categories We Collect and Process"
33087
- },
33088
- intro: {
33089
- text: "We collect and process the following categories of data to operate and secure our services:"
33090
- },
33091
- account: {
33092
- text: "Account: Email address, username/display name, profile image, locale, and security settings (e.g., 2FA enabled). Email and username are encrypted with your key before storage. We also keep a separate server-side Vault-encrypted copy of your verified email address for mandatory account lifecycle notices, such as account verification, security alerts, and deletion reminders. Passwords are stored as salted hashes."
33093
33070
  },
33094
- usage: {
33095
- text: "Usage: Server logs, event timestamps, feature usage, error logs, and device recognition identifiers (hashed). IP addresses may be temporarily processed for security and rate limiting."
33096
- },
33097
- content: {
33098
- text: "Content: Chat messages, prompts, attachments, and uploaded images/videos necessary to deliver the service (subject to moderation where applicable)."
33099
- },
33100
- payments: {
33101
- text: "Payments: Payment method tokens, transaction IDs, billing address and VAT information as required for invoicing (processed primarily by Stripe). We do not store full card numbers."
33102
- },
33103
- newsletter: {
33104
- text: "Newsletter: If you choose to subscribe to our newsletter, we store your email address in encrypted form. Newsletter subscription is optional and separate from account creation \u2014 creating an account does not automatically subscribe you to the newsletter. If you are an OpenMates customer (i.e. you have completed a purchase), we may additionally send you occasional product announcements and service updates about OpenMates' own similar services under the existing-customer exception (\xA77 Abs. 3 UWG / ePrivacy Directive Art. 13(2)). You can object to this at any time in Settings \u2192 Newsletter or via the one-click unsubscribe link in any such email, without affecting your account."
33105
- },
33106
- stability_logs: {
33107
- text: "Stability Logs: To diagnose technical errors, anonymized browser console logs (error messages, component status, connection events) are collected from authenticated users and stored for up to 48 hours. If an error occurs, surrounding context is retained for up to 14 days. No message content, chat titles, names, email addresses, or other personally identifiable information is included. A random session identifier (generated per browser tab, not linked to your account) is used for log correlation. You can disable this at any time in Settings > Privacy > Stability Logs."
33108
- }
33109
- },
33110
- data_retention: {
33111
- heading: {
33112
- text: "6. Data Retention"
33113
- },
33114
- account: {
33115
- text: "Account data: Retained until account deletion and completion of related legal obligations."
33116
- },
33117
- usage_and_logs: {
33118
- text: "Usage and logs: Operational logs retained up to 12 months; IPs tied to failed logins up to 30 days for security."
33119
- },
33120
- device_fingerprints: {
33121
- text: "Device fingerprints: Retained until account deletion or manual removal from account settings (when available)."
33122
- },
33123
- content: {
33124
- text: "Content: Retained until the user deletes the content or closes the account, subject to backup cycles."
33125
- },
33126
- payments_and_invoices: {
33127
- text: "Payments and invoices: Retained up to 10 years where required by tax/commercial law."
33128
- },
33129
- compliance_logs: {
33130
- text: "**Compliance logs:** audit logs retained 2 years (BSI \xA734 BDSG); financial compliance logs retained 10 years (AO \xA7147 and HGB \xA7257)"
33131
- },
33132
- observability_traces: {
33133
- text: "**Observability traces:** up to 30 days; user IDs in traces use a hash that rotates every 24 hours, so older traces cannot be joined to a specific user"
33134
- },
33135
- user_data_backups: {
33136
- text: "**User data backups:** 60 days via S3 lifecycle; backups contain only ciphertext encrypted with your own key"
33137
- }
33138
- },
33139
- legal_basis: {
33140
- heading: {
33141
- text: "7. Legal Basis for Processing (GDPR)"
33142
- },
33143
- contract: {
33144
- text: "Contract: Processing necessary to perform our contract with you or to take steps at your request prior to entering into a contract (e.g., account creation, delivering web app features)."
33145
- },
33146
- consent: {
33147
- text: "Consent: Processing based on your consent, where applicable (e.g., optional communications, certain analytics or marketing where used). You can withdraw consent at any time."
33148
- },
33149
- legitimate_interests: {
33150
- text: "Legitimate interests: Processing necessary for our legitimate interests, such as service security, fraud prevention, abuse detection, and improving the service, provided these interests are not overridden by your rights and interests."
33151
- },
33152
- direct_marketing: {
33153
- text: "Direct marketing to existing customers: For existing OpenMates customers (users who have completed a purchase), we may rely on Art. 6(1)(f) GDPR (legitimate interests) in combination with \xA77 Abs. 3 UWG and ePrivacy Directive Art. 13(2) to send occasional product announcements, service updates, and marketing about OpenMates' own similar services. Each such email includes a clearly visible one-click unsubscribe link, and you can also manage these preferences at any time in Settings \u2192 Newsletter. You can object to this processing at any time without giving reasons (Art. 21 GDPR)."
33154
- },
33155
- legal_obligation: {
33156
- text: "Legal obligation: Processing necessary to comply with legal obligations (e.g., tax and accounting requirements for invoices and transaction records)."
33157
- }
33158
- },
33159
- legal_rights: {
33160
33071
  heading: {
33161
- text: "8. Your Privacy Rights"
33072
+ text: "When each provider is used"
33162
33073
  },
33163
33074
  intro: {
33164
- text: "Depending on your jurisdiction, you may have certain rights over your personal data. The following summarizes key rights under GDPR and CCPA/CPRA and how to exercise them:"
33075
+ text: "Most of the providers below are only reached when you use a specific feature \u2014 for example, image generation providers are only used when you invoke an image skill. The groups below tell you exactly which providers are involved for each feature, so you can opt in or out of data sharing by choosing which features to use."
33165
33076
  },
33166
- gdpr: {
33167
- subheading: {
33168
- text: "GDPR (EU/EEA)"
33169
- },
33170
- access: {
33171
- text: "Right of access"
33172
- },
33173
- rectification: {
33174
- text: "Right to rectification"
33077
+ always_active: {
33078
+ heading: {
33079
+ text: "Always active (used for every user)"
33175
33080
  },
33176
- erasure: {
33177
- text: "Right to erasure ('right to be forgotten')"
33081
+ description: {
33082
+ text: "These providers are used for every user, regardless of which features you use. Using OpenMates at all means your data passes through them."
33178
33083
  },
33179
- restriction: {
33180
- text: "Right to restriction of processing"
33084
+ vercel: {
33085
+ heading: {
33086
+ text: "Vercel (frontend hosting)"
33087
+ },
33088
+ description: {
33089
+ text: "We use Vercel to host the static frontend of our website and web app. Vercel receives page requests and serves static assets."
33090
+ }
33181
33091
  },
33182
- portability: {
33183
- text: "Right to data portability"
33092
+ hetzner: {
33093
+ heading: {
33094
+ text: "Hetzner (backend, database, storage, observability)"
33095
+ },
33096
+ description: {
33097
+ text: "We host all of our backend services \u2014 API servers, Directus CMS, Postgres database, Redis caches, S3-compatible object storage, and our self-hosted OpenObserve observability platform \u2014 on Hetzner infrastructure in the EU. OpenObserve runs on our own Hetzner servers and is not a third-party service; traces never leave the EU."
33098
+ }
33184
33099
  },
33185
- objection: {
33186
- text: "Right to object"
33100
+ brevo: {
33101
+ heading: {
33102
+ text: "Brevo (transactional email)"
33103
+ },
33104
+ description: {
33105
+ text: "We use Brevo to send transactional email \u2014 account verification, password reset links, payment receipts, and credit notes \u2014 and, if you opt in, the OpenMates newsletter. If you are an existing OpenMates customer (i.e. you have completed a purchase), we may also send you occasional product announcements and service updates about OpenMates' own similar services under the existing-customer exception (\xA77 Abs. 3 UWG / ePrivacy Directive Art. 13(2)); you can object in Settings \u2192 Newsletter or via the one-click unsubscribe link in any such email. Brevo sees recipient email addresses and the content of the emails we send you."
33106
+ }
33187
33107
  },
33188
- withdraw_consent: {
33189
- text: "Right to withdraw consent"
33108
+ ip_api: {
33109
+ heading: {
33110
+ text: "IP-API (IP geolocation)"
33111
+ },
33112
+ description: {
33113
+ text: "We use IP-API to resolve IP addresses to approximate geolocation for abuse prevention, rate limiting, and regional compliance. The resolved country and city are used transiently and are not stored against your account."
33114
+ }
33190
33115
  },
33191
- exercise: {
33192
- text: "To exercise your GDPR rights, contact us at contact@openmates.org or via the Imprint. We may need to verify your identity before fulfilling your request."
33116
+ sightengine: {
33117
+ heading: {
33118
+ text: "Sightengine (image and video moderation)"
33119
+ },
33120
+ description: {
33121
+ text: "Every image and video you upload is scanned by Sightengine for safety moderation before it is stored. Sightengine sees the image or video content."
33122
+ }
33193
33123
  },
33194
- manual_note: {
33195
- text: "The following rights are available on request (please contact us by email at contact@openmates.org and we will handle them manually):"
33124
+ api_video: {
33125
+ heading: {
33126
+ text: "api.video (product video hosting)"
33127
+ },
33128
+ description: {
33129
+ text: "We use api.video (EU company, France) to host and stream product demo and feature walkthrough videos shown on our website and web app. When you watch a video, your IP address and basic viewing data are processed by api.video. No user account identifiers are shared."
33130
+ }
33196
33131
  }
33197
33132
  },
33198
- ccpa_cpra: {
33199
- subheading: {
33200
- text: "CCPA/CPRA (California)"
33133
+ ai_models: {
33134
+ heading: {
33135
+ text: "AI model providers (only when you use a model that routes through them)"
33201
33136
  },
33202
- right_to_know: {
33203
- text: "Right to know/access"
33137
+ description: {
33138
+ text: 'OpenMates routes AI requests to different providers depending on which model you select. Before any message is sent to a provider in this group, your browser replaces real names, emails, and physical addresses with placeholders (see the "PII placeholder substitution" measure above). You can always see which provider a model uses in the model details panel in AI settings.'
33204
33139
  },
33205
- right_to_delete: {
33206
- text: "Right to delete"
33140
+ mistral: {
33141
+ heading: {
33142
+ text: "Mistral (EU direct)"
33143
+ },
33144
+ description: {
33145
+ text: "Mistral hosts its own family of models in the EU. Only used when you select a Mistral model. Mistral receives your chat messages with PII placeholders already substituted client-side."
33146
+ }
33207
33147
  },
33208
- right_to_correct: {
33209
- text: "Right to correct"
33148
+ aws_bedrock: {
33149
+ heading: {
33150
+ text: "AWS Bedrock (EU region, primary Claude path)"
33151
+ },
33152
+ description: {
33153
+ text: "AWS Bedrock hosts Anthropic Claude models in its Frankfurt EU region. This is the primary path for Claude requests. AWS receives your chat messages with PII placeholders already substituted client-side."
33154
+ }
33210
33155
  },
33211
- right_to_opt_out_of_sale_or_sharing: {
33212
- text: "Right to opt-out of sale or sharing"
33156
+ anthropic: {
33157
+ heading: {
33158
+ text: "Anthropic (US, fallback Claude path)"
33159
+ },
33160
+ description: {
33161
+ text: "Anthropic's direct API is used as a fallback path for Claude models when AWS Bedrock is unreachable. Anthropic is based in the US and receives your chat messages with PII placeholders already substituted client-side."
33162
+ }
33213
33163
  },
33214
- right_to_non_discrimination: {
33215
- text: "Right to non-discrimination"
33164
+ openai: {
33165
+ heading: {
33166
+ text: "OpenAI (US)"
33167
+ },
33168
+ description: {
33169
+ text: "OpenAI processes requests for GPT-family models when you select one. OpenAI receives your chat messages with PII placeholders already substituted client-side."
33170
+ }
33216
33171
  },
33217
- exercise: {
33218
- text: "California residents can exercise CCPA/CPRA rights by contacting us at contact@openmates.org. We do not sell personal information."
33219
- }
33220
- }
33221
- },
33222
- discord_integration: {
33223
- heading: {
33224
- text: "9. Discord Integration"
33225
- },
33226
- description: {
33227
- text: "If you choose to join our Discord community through links provided on this website, please note that Discord will collect and process your data according to their privacy policy. This includes account information, usage data, communication content, and other information as outlined in Discord's privacy policy."
33228
- },
33229
- admin_access: {
33230
- text: "As Discord server administrators, we have access to all public communications, member lists, and other information shared within our Discord community. However, this information is hosted and primarily processed by Discord. We do not extract, store, or process this data outside of Discord's platform. For more information about how Discord handles your data, please review Discord's Privacy Policy."
33231
- },
33232
- privacy_policy_link: {
33233
- text: "Discord Privacy Policy"
33234
- }
33235
- },
33236
- contact: {
33237
- heading: {
33238
- text: "10. Contact Information"
33239
- },
33240
- questions: {
33241
- text: "For questions about data protection:"
33242
- },
33243
- email: {
33244
- text: "Email"
33245
- },
33246
- postal: {
33247
- text: "Postal address: See Legal Notice (Imprint) for the current registered address."
33248
- },
33249
- controller: {
33250
- text: "Controller: OpenMates (see Imprint for legal representative details)."
33251
- }
33252
- },
33253
- aggregate_analytics: {
33254
- heading: {
33255
- text: "11. Anonymous Aggregate Analytics"
33256
- },
33257
- overview: {
33258
- text: "We collect anonymous, aggregate statistics about how our website and web application are used. This data is genuinely anonymous \u2014 it cannot be linked to any individual user, and no cookies or tracking identifiers are set. No consent banner is required because no personal data is collected."
33259
- },
33260
- what_we_collect: {
33261
- text: "What we collect (all aggregate, never individual):"
33262
- },
33263
- items: {
33264
- text: "Daily page load counts; approximate unique visit counts (probabilistic HyperLogLog, ~0.81% error); country distribution (GeoIP lookup \u2014 IP discarded immediately, never stored); device class (mobile/tablet/desktop); browser family and major version; OS family; referrer domain (domain only, never full URL); screen size class; session duration distribution (bucketed)"
33265
- },
33266
- no_pii: {
33267
- text: "IP addresses are used transiently for GeoIP lookup only and are never written to disk or any database. User-Agent strings are parsed to metadata only (browser name, OS) \u2014 the raw string is never stored. All data is stored as daily aggregate counters, not as individual records."
33268
- }
33269
- },
33270
- follow_up_1: {
33271
- text: "How is my chat content encrypted?"
33272
- },
33273
- follow_up_2: {
33274
- text: "How does client-side encryption work?"
33275
- },
33276
- follow_up_3: {
33277
- text: "What if I lose my encryption key?"
33278
- },
33279
- follow_up_4: {
33280
- text: "Do AI providers see my messages?"
33281
- },
33282
- follow_up_5: {
33283
- text: "How do I delete my account?"
33284
- },
33285
- follow_up_6: {
33286
- text: "What data do you share with third parties?"
33287
- },
33288
- provider_link_label: {
33289
- text: "Privacy policy"
33290
- },
33291
- overview: {
33292
- heading: {
33293
- text: "Overview"
33294
- },
33295
- summary: {
33296
- text: "OpenMates is designed so that most of your data is encrypted on your device before it reaches our servers. This is **not** end-to-end encryption: our servers briefly decrypt your content in memory to run AI responses, render invoices, and deliver reminders. But we never write decrypted content to disk, logs, or traces, and when you delete your account we destroy the encryption key that protects your data \u2014 cryptographically shredding every encrypted field we still hold."
33297
- }
33298
- },
33299
- protection: {
33300
- heading: {
33301
- text: "How we protect your data"
33302
- },
33303
- intro: {
33304
- text: "We rely on six technical measures to protect your data. Each is verifiable in our open-source code and maps to a specific GDPR obligation."
33305
- },
33306
- client_side_encryption: {
33307
- heading: {
33308
- text: "Client-side encryption of your content"
33172
+ openrouter: {
33173
+ heading: {
33174
+ text: "OpenRouter (US, routing aggregator)"
33175
+ },
33176
+ description: {
33177
+ text: "OpenRouter is used as a routing aggregator for several third-party models, including Cerebras-hosted models. OpenRouter sees your chat messages with PII placeholders substituted client-side and forwards them to the underlying model host."
33178
+ }
33309
33179
  },
33310
- description: {
33311
- text: "Your chat content, titles, summaries, tags, per-chat keys, app settings and memories, reminders, and sensitive profile fields (encrypted username, auto-top-up email, 2FA secrets) are encrypted in your browser before being sent to our servers. The browser uses a key derived from your login credential; our servers reject writes that contain anything but ciphertext. This is *not* end-to-end encryption \u2014 our servers can decrypt your content in memory when they need to (for AI responses, invoice rendering, reminder delivery). The difference from end-to-end encryption is that decryption happens transiently in process memory and the plaintext is never persisted to disk, logs, or traces."
33312
- }
33313
- },
33314
- pii_placeholder_substitution: {
33315
- heading: {
33316
- text: "PII placeholder substitution before AI calls"
33180
+ cerebras: {
33181
+ heading: {
33182
+ text: "Cerebras (US, via OpenRouter)"
33183
+ },
33184
+ description: {
33185
+ text: "Cerebras hosts some of the high-speed models routed through OpenRouter. Only used when you select a Cerebras-hosted model."
33186
+ }
33317
33187
  },
33318
- description: {
33319
- text: "Before any message is sent to a third-party AI model, your browser scans your message for real names, email addresses, and physical addresses that you have saved in your privacy settings (or that match common patterns) and replaces any matches with neutral placeholders (for example [USER_0]). The mapping back to your real values is stored encrypted with your key and is never decrypted on our servers. **Important limitation:** this substitution only protects personal data that our client-side detector actually recognizes \u2014 typically the values you have explicitly saved in your privacy settings and values highlighted in the message field before you send. Anything the detector does not recognize (typos of your own name, uncommon address formats, other people's personal data, sensitive topics that are not formally PII) will be transmitted as you typed it. Please treat every message as you would treat a note passed to a third-party AI provider and be cautious with personal data."
33320
- }
33321
- },
33322
- encrypted_at_rest: {
33323
- heading: {
33324
- text: "Encrypted at rest, decrypted only in memory"
33188
+ google_gemini: {
33189
+ heading: {
33190
+ text: "Google Gemini (US)"
33191
+ },
33192
+ description: {
33193
+ text: "Google Gemini processes requests for Gemini-family models when you select one. Google receives your chat messages with PII placeholders already substituted client-side."
33194
+ }
33325
33195
  },
33326
- description: {
33327
- text: "Our PostgreSQL database, Redis caches, S3 object storage, and backup snapshots hold only ciphertext for any field containing user content. When our servers need to read your content to run an AI response, render an invoice, or deliver a reminder, decryption happens transiently in process memory and is discarded immediately after. Key material is released on demand by HashiCorp Vault and never stored in raw form outside it."
33328
- }
33329
- },
33330
- hashed_identifiers: {
33331
- heading: {
33332
- text: "Hashed identifiers throughout"
33196
+ google_vertex_maas: {
33197
+ heading: {
33198
+ text: "Google Vertex AI Model-as-a-Service (US)"
33199
+ },
33200
+ description: {
33201
+ text: "Google Vertex AI Model-as-a-Service hosts third-party open models (such as DeepSeek) on Google infrastructure via an OpenAI-compatible endpoint. This is a separate service from Google Gemini: the model weights are third-party, but the inference runs on Google's servers. Only used when you select a MaaS-hosted model."
33202
+ }
33333
33203
  },
33334
- description: {
33335
- text: "Your user ID is stored in most database tables as a SHA-256 hash rather than as a direct reference. Login uses a zero-knowledge password verification flow: we verify that you know your password without ever learning it. API-key device records anonymize the IP address to its first two octets before encryption, so we can recognize a device without storing a precise location."
33336
- }
33337
- },
33338
- cryptographic_erasure: {
33339
- heading: {
33340
- text: "Cryptographically shredded on deletion"
33204
+ together: {
33205
+ heading: {
33206
+ text: "Together AI (US)"
33207
+ },
33208
+ description: {
33209
+ text: "Together AI hosts third-party models such as Kimi K2.6 on an OpenAI-compatible endpoint. Only used when you select a Together-hosted model. Together receives your chat messages with PII placeholders already substituted client-side."
33210
+ }
33341
33211
  },
33342
- description: {
33343
- text: "When you delete your account we destroy your HashiCorp Vault Transit key in addition to removing your rows from our database. Any encrypted field still sitting in a backup, cache, or running process becomes mathematically unrecoverable ciphertext at that moment \u2014 cryptographic erasure on top of row-level deletion."
33344
- }
33345
- },
33346
- observability_without_tracking: {
33347
- heading: {
33348
- text: "Observability without tracking"
33212
+ groq: {
33213
+ heading: {
33214
+ text: "Groq (US, content sanitization)"
33215
+ },
33216
+ description: {
33217
+ text: "Groq is used server-side to sanitize external content (search results and scraped web pages) before it is included in AI responses. Groq sees the external content we fetched on your behalf, not your chat messages, and never learns which user requested each piece of content."
33218
+ }
33349
33219
  },
33350
- description: {
33351
- text: "Our internal tracing pipeline (OpenTelemetry) replaces your user ID with a hash that rotates every 24 hours, strips authentication headers and cookies from every span, and redacts chat content before any trace leaves the backend. Our web analytics use a server-side beacon with no cookies and no stored individual identifiers. We do not use Google Analytics, Plausible, PostHog, or any third-party analytics platform."
33352
- }
33353
- }
33354
- },
33355
- promises: {
33356
- intro: {
33357
- text: "Below are the privacy promises we make to every user. Each one is backed by code in our open-source repository and verified by automated tests. When the enforcing code changes, a registry-linked check reminds us to rerun those tests before release."
33358
- },
33359
- client_side_chat_encryption: {
33360
- heading: {
33361
- text: "Client-side chat encryption"
33220
+ alibaba: {
33221
+ heading: {
33222
+ text: "Alibaba Cloud (Qwen models)"
33223
+ },
33224
+ description: {
33225
+ text: "Alibaba Cloud hosts Qwen-family models. Alibaba receives your chat messages with PII placeholders already substituted client-side only when you select an Alibaba-hosted model."
33226
+ }
33362
33227
  },
33363
- description: {
33364
- text: "Your chats, settings, and memories are encrypted on your device with AES-256-GCM before they leave your browser. The server stores only ciphertext on disk, in caches, and in backups. This is not end-to-end encryption: when a server-side task needs to read content (to run an AI response, render an invoice, or deliver a reminder), it decrypts in memory via HashiCorp Vault and discards the plaintext immediately after use."
33228
+ deepseek: {
33229
+ heading: {
33230
+ text: "DeepSeek (reasoning models)"
33231
+ },
33232
+ description: {
33233
+ text: "DeepSeek provides DeepSeek-family reasoning models. DeepSeek receives your chat messages with PII placeholders already substituted client-side only when you select a DeepSeek model."
33234
+ }
33235
+ },
33236
+ moonshot: {
33237
+ heading: {
33238
+ text: "Moonshot AI / Kimi (language models)"
33239
+ },
33240
+ description: {
33241
+ text: "Moonshot AI provides Kimi-family models. Moonshot receives your chat messages with PII placeholders already substituted client-side only when you select a Moonshot-hosted Kimi model."
33242
+ }
33243
+ },
33244
+ zai: {
33245
+ heading: {
33246
+ text: "Z.ai (GLM models)"
33247
+ },
33248
+ description: {
33249
+ text: "Z.ai provides GLM-family models. Z.ai receives your chat messages with PII placeholders already substituted client-side only when you select a Z.ai model."
33250
+ }
33365
33251
  }
33366
33252
  },
33367
- email_encryption_at_rest: {
33253
+ image_generation: {
33368
33254
  heading: {
33369
- text: "Email addresses encrypted at rest"
33255
+ text: "Image generation and editing (only when you use an image skill)"
33370
33256
  },
33371
33257
  description: {
33372
- text: "Your email address is stored only as ciphertext. The server decrypts it transiently in memory during login, billing, and notification delivery, and never writes plaintext to disk or logs."
33258
+ text: "These providers are only used when you invoke an image generation or editing skill. If you never use the images app, none of your data is shared with them."
33259
+ },
33260
+ fal: {
33261
+ heading: {
33262
+ text: "FAL (Flux models)"
33263
+ },
33264
+ description: {
33265
+ text: "FAL hosts Flux image generation models used by the images.generate_draft skill. FAL receives your image generation prompts and, when editing, the source images you supply."
33266
+ }
33267
+ },
33268
+ recraft: {
33269
+ heading: {
33270
+ text: "Recraft (vector and raster image generation)"
33271
+ },
33272
+ description: {
33273
+ text: "Recraft powers the images.generate and images.vectorize skills, producing vector and raster images and converting bitmaps to SVG. Recraft receives your prompts, style preferences, and \u2014 when vectorizing \u2014 your source images."
33274
+ }
33275
+ },
33276
+ bfl: {
33277
+ heading: {
33278
+ text: "Black Forest Labs (FLUX image models)"
33279
+ },
33280
+ description: {
33281
+ text: "Black Forest Labs powers draft image generation via FLUX models. BFL receives your image generation prompts and, when editing, the source images you provide."
33282
+ }
33373
33283
  }
33374
33284
  },
33375
- no_third_party_tracking: {
33285
+ music_generation: {
33376
33286
  heading: {
33377
- text: "No third-party tracking cookies or analytics"
33287
+ text: "Music generation (only when you use a music skill)"
33378
33288
  },
33379
33289
  description: {
33380
- text: "We do not use Google Analytics, Plausible, PostHog, Mixpanel, Amplitude, Segment, or any other third-party analytics platform. Our telemetry is server-side, cookie-free, and contains no individually stored identifiers. A pre-edit check in our repository blocks the introduction of analytics SDKs."
33290
+ text: "These providers are only used when you invoke a music generation skill. If you never use the music app, none of your data is shared with them."
33291
+ },
33292
+ google_vertex_ai: {
33293
+ heading: {
33294
+ text: "Google Vertex AI (Lyria music generation)"
33295
+ },
33296
+ description: {
33297
+ text: "Google Vertex AI hosts the Lyria models used by the music.generate skill. Google receives your music generation prompts, optional lyrics, style preferences, and generation settings only when you ask OpenMates to generate music or background music."
33298
+ }
33381
33299
  }
33382
33300
  },
33383
- pii_placeholder_substitution: {
33301
+ code_execution: {
33384
33302
  heading: {
33385
- text: "Personal information never reaches AI providers"
33303
+ text: "Code and developer tools (only when you use code skills)"
33386
33304
  },
33387
33305
  description: {
33388
- text: "Before any message is sent to an AI provider, your browser detects 32 categories of personal data \u2014 emails, phone numbers, credit card numbers, API keys, and more \u2014 and replaces them with placeholders like `[EMAIL_com]`. The substitution map is encrypted with your chat key so only your devices can restore the original values."
33389
- }
33390
- },
33391
- telemetry_privacy_filter: {
33392
- heading: {
33393
- text: "Telemetry stripped of sensitive data"
33394
- },
33395
- description: {
33396
- text: "Our internal tracing pipeline (OpenTelemetry) strips authentication headers, cookies, and database statements from every span, and pseudonymises your user ID with a salt that rotates every 24 hours. Regular users never have their raw identifiers in telemetry."
33397
- }
33398
- },
33399
- cryptographic_erasure: {
33400
- heading: {
33401
- text: "Deleted accounts are cryptographically erased"
33402
- },
33403
- description: {
33404
- text: "When you delete your account, the first step destroys your encryption keys. Any residual ciphertext in backups, caches, or audit logs is rendered permanently unreadable \u2014 no key, no content."
33405
- }
33406
- },
33407
- argon2_password_hashing: {
33408
- heading: {
33409
- text: "Passwords stored as Argon2 hashes"
33410
- },
33411
- description: {
33412
- text: "We store password and backup-code verifiers as Argon2 hashes. Plaintext passwords are never persisted to disk, never written to logs, and never recoverable \u2014 even by us."
33413
- }
33414
- },
33415
- payment_data_minimization: {
33416
- heading: {
33417
- text: "No card numbers ever touch our servers"
33418
- },
33419
- description: {
33420
- text: "Payments flow directly from your browser to Stripe. We store only provider tokens and customer identifiers. We never see, receive, or persist full card numbers, security codes, or bank account details."
33421
- }
33422
- },
33423
- logging_redaction: {
33424
- heading: {
33425
- text: "Logs are scrubbed of sensitive data"
33426
- },
33427
- description: {
33428
- text: "Every log line passes through a redaction filter that strips email addresses, IP addresses, bearer tokens, and password values. Compliance logs preserve pseudonymous user IDs but remove all other personal data."
33429
- }
33430
- },
33431
- prompt_injection_defense: {
33432
- heading: {
33433
- text: "Defense against prompt injection"
33434
- },
33435
- description: {
33436
- text: "Two layers protect your conversations from malicious content in web pages, files, and URLs you reference. Invisible Unicode characters are stripped first, then a dedicated safety model detects semantic injection attempts and blocks or replaces high-risk content before it reaches your assistant."
33437
- }
33438
- },
33439
- no_training_on_user_data: {
33440
- heading: {
33441
- text: "Your conversations are not used to train AI models"
33442
- },
33443
- description: {
33444
- text: "All AI chat providers we use (Anthropic, OpenAI, Mistral, Google Gemini, Google Vertex AI, Together AI, Groq, Cerebras, and OpenRouter) have explicit no-training clauses in their terms \u2014 your conversations are never used to fine-tune, evaluate, or otherwise train AI models. For image generation, Recraft has a training opt-out which we have activated. fal.ai (used for draft image generation) may use anonymized, aggregated derivatives of prompts for model improvement under their standard API terms; no full opt-out is available outside an enterprise contract. A per-provider audit with verbatim policy quotes and verification dates is published in our open-source repository."
33445
- }
33446
- },
33447
- no_external_resources: {
33448
- heading: {
33449
- text: "The web app never loads external images or scripts"
33450
- },
33451
- description: {
33452
- text: "Every external image, favicon, or preview shown in the app is fetched through our own preview.openmates.org proxy \u2014 the originating website never sees your IP address. The only third-party script the web app loads is the Stripe payment SDK needed to process a purchase, and only when you explicitly open the payment flow. There is no ad network, tag manager, CDN font loader, or third-party analytics library."
33453
- }
33454
- },
33455
- cli_no_credential_prompts: {
33456
- heading: {
33457
- text: "The command-line tool never asks for your password"
33458
- },
33459
- description: {
33460
- text: "The OpenMates CLI never prompts you for your email, password, 2FA code, or any other login credential. Authentication uses a browser-based pair-auth handshake: the CLI shows a QR code and URL, you approve the session in your logged-in web browser, and you type a short 6-character binding PIN back into the CLI to confirm. Your credentials never pass through the terminal."
33461
- }
33462
- },
33463
- open_source_transparency: {
33464
- heading: {
33465
- text: "Every claim on this page is independently auditable"
33466
- },
33467
- description: {
33468
- text: "OpenMates is open source. Every promise above is backed by code you can read, tests you can run, and architecture documents you can audit in our public repository. Our privacy-promises registry links each claim to the exact files that enforce it."
33469
- }
33470
- }
33471
- },
33472
- providers: {
33473
- heading: {
33474
- text: "When each provider is used"
33475
- },
33476
- intro: {
33477
- text: "Most of the providers below are only reached when you use a specific feature \u2014 for example, image generation providers are only used when you invoke an image skill. The groups below tell you exactly which providers are involved for each feature, so you can opt in or out of data sharing by choosing which features to use."
33478
- },
33479
- always_active: {
33480
- heading: {
33481
- text: "Always active (used for every user)"
33482
- },
33483
- description: {
33484
- text: "These providers are used for every user, regardless of which features you use. Using OpenMates at all means your data passes through them."
33306
+ text: "These providers are only used when you invoke a code app skill, such as searching public repositories, running code in an isolated sandbox, creating a generated application that auto-starts a short screenshot preview, or explicitly starting a generated application live preview. If you never use the code app, none of your data is shared with them."
33485
33307
  },
33486
- vercel: {
33308
+ github: {
33487
33309
  heading: {
33488
- text: "Vercel (frontend hosting)"
33310
+ text: "GitHub (public repository search)"
33489
33311
  },
33490
33312
  description: {
33491
- text: "We use Vercel to host the static frontend of our website and web app. Vercel receives page requests and serves static assets."
33313
+ text: "GitHub powers the code app's repository search skill. GitHub receives public repository search queries without an OpenMates user identifier."
33492
33314
  }
33493
33315
  },
33494
- hetzner: {
33316
+ context7: {
33495
33317
  heading: {
33496
- text: "Hetzner (backend, database, storage, observability)"
33318
+ text: "Context7 (programming documentation lookup)"
33497
33319
  },
33498
33320
  description: {
33499
- text: "We host all of our backend services \u2014 API servers, Directus CMS, Postgres database, Redis caches, S3-compatible object storage, and our self-hosted OpenObserve observability platform \u2014 on Hetzner infrastructure in the EU. OpenObserve runs on our own Hetzner servers and is not a third-party service; traces never leave the EU."
33321
+ text: "Context7 powers the code app's documentation lookup skill. Context7 receives library names and documentation questions without an OpenMates user identifier."
33500
33322
  }
33501
33323
  },
33502
- brevo: {
33324
+ e2b: {
33503
33325
  heading: {
33504
- text: "Brevo (transactional email)"
33326
+ text: "E2B (isolated code sandbox)"
33505
33327
  },
33506
33328
  description: {
33507
- text: "We use Brevo to send transactional email \u2014 account verification, password reset links, payment receipts, and credit notes \u2014 and, if you opt in, the OpenMates newsletter. If you are an existing OpenMates customer (i.e. you have completed a purchase), we may also send you occasional product announcements and service updates about OpenMates' own similar services under the existing-customer exception (\xA77 Abs. 3 UWG / ePrivacy Directive Art. 13(2)); you can object in Settings \u2192 Newsletter or via the one-click unsubscribe link in any such email. Brevo sees recipient email addresses and the content of the emails we send you."
33329
+ text: "E2B runs selected code embeds, generated application previews, and Remotion video renders inside isolated sandboxes. E2B receives the code or generated application/Remotion files and assets needed to run or render the result, runtime inputs, preview/render logs, and execution output needed to display the sandbox result. This sharing happens when you explicitly run code, create a generated application that auto-starts a short screenshot preview, start/resume an application live preview, or when a Remotion video render auto-starts after the assistant closes an explicit remotion code fence."
33508
33330
  }
33331
+ }
33332
+ },
33333
+ web_and_search: {
33334
+ heading: {
33335
+ text: "Web, search, and content retrieval (only when you use a web or search skill)"
33509
33336
  },
33510
- ip_api: {
33337
+ description: {
33338
+ text: "These providers are only used when you invoke a web, videos, news, or web-read skill. They see the content of what you search for or the URLs you ask to read, but no user identifier \u2014 they do not know which OpenMates user made each request."
33339
+ },
33340
+ brave: {
33511
33341
  heading: {
33512
- text: "IP-API (IP geolocation)"
33342
+ text: "Brave Search (web, videos, news)"
33513
33343
  },
33514
33344
  description: {
33515
- text: "We use IP-API to resolve IP addresses to approximate geolocation for abuse prevention, rate limiting, and regional compliance. The resolved country and city are used transiently and are not stored against your account."
33345
+ text: "Brave Search powers the web, videos, and news search skills. Brave sees the text of your search queries and your country and language preferences for localized results, but no user identifier."
33516
33346
  }
33517
33347
  },
33518
- sightengine: {
33348
+ firecrawl: {
33519
33349
  heading: {
33520
- text: "Sightengine (image and video moderation)"
33350
+ text: "Firecrawl (web page scraping)"
33521
33351
  },
33522
33352
  description: {
33523
- text: "Every image and video you upload is scanned by Sightengine for safety moderation before it is stored. Sightengine sees the image or video content."
33353
+ text: "Firecrawl powers the web read skill, scraping and extracting content from web pages you ask about. Firecrawl sees the URL you requested and the full content of the scraped page."
33524
33354
  }
33525
33355
  },
33526
- api_video: {
33356
+ webshare: {
33527
33357
  heading: {
33528
- text: "api.video (product video hosting)"
33358
+ text: "Webshare (rotating proxy)"
33529
33359
  },
33530
33360
  description: {
33531
- text: "We use api.video (EU company, France) to host and stream product demo and feature walkthrough videos shown on our website and web app. When you watch a video, your IP address and basic viewing data are processed by api.video. No user account identifiers are shared."
33361
+ text: "Webshare provides a rotating proxy for requests to services that would otherwise block us. We route YouTube transcript requests (for the videos get-transcript skill) and doctor appointment searches (for the health search-appointments skill \u2014 see Group H) through Webshare. Webshare sees the URLs we route through it."
33532
33362
  }
33533
- }
33534
- },
33535
- payments: {
33536
- heading: {
33537
- text: "Payment providers (only when you purchase credits)"
33538
33363
  },
33539
- description: {
33540
- text: "These providers are only used when you purchase credits, subscribe to monthly auto top-up, or receive a refund. If you never make a purchase, none of your data is shared with them."
33364
+ google_maps: {
33365
+ heading: {
33366
+ text: "Google Maps Platform (places search)"
33367
+ },
33368
+ description: {
33369
+ text: "Google Maps powers the places search skill. Google sees the text of your place queries and an approximate location for localized results, but no user identifier."
33370
+ }
33541
33371
  },
33542
- stripe: {
33372
+ youtube: {
33543
33373
  heading: {
33544
- text: "Stripe (primary payment processor)"
33374
+ text: "YouTube (video transcripts)"
33545
33375
  },
33546
33376
  description: {
33547
- text: "Stripe processes one-time credit purchases and monthly auto top-up subscriptions. We send Stripe your email address, a tokenized payment method (we never see your card number), billing address and VAT information when required for invoicing, and transaction metadata."
33377
+ text: "YouTube is queried when you ask OpenMates to retrieve a transcript for a YouTube video. YouTube receives video URLs and requested transcript language preferences without an OpenMates user identifier."
33548
33378
  }
33549
33379
  }
33550
33380
  },
33551
- ai_models: {
33381
+ travel: {
33552
33382
  heading: {
33553
- text: "AI model providers (only when you use a model that routes through them)"
33383
+ text: "Travel (only when you use a travel skill)"
33554
33384
  },
33555
33385
  description: {
33556
- text: 'OpenMates routes AI requests to different providers depending on which model you select. Before any message is sent to a provider in this group, your browser replaces real names, emails, and physical addresses with placeholders (see the "PII placeholder substitution" measure above). You can always see which provider a model uses in the model details panel in AI settings.'
33386
+ text: "These providers are only used when you invoke a travel skill \u2014 flight search, hotel search, or flight tracking. If you never use the travel app, none of your data is shared with them."
33557
33387
  },
33558
- mistral: {
33388
+ serpapi: {
33559
33389
  heading: {
33560
- text: "Mistral (EU direct)"
33390
+ text: "SerpAPI (flight and hotel search)"
33561
33391
  },
33562
33392
  description: {
33563
- text: "Mistral hosts its own family of models in the EU. Only used when you select a Mistral model. Mistral receives your chat messages with PII placeholders already substituted client-side."
33393
+ text: "SerpAPI powers flight and hotel search via its Google Flights and Google Hotels endpoints. SerpAPI receives your search queries \u2014 origin, destination, dates, and preferences \u2014 without a user identifier."
33564
33394
  }
33565
33395
  },
33566
- aws_bedrock: {
33396
+ flightradar24: {
33567
33397
  heading: {
33568
- text: "AWS Bedrock (EU region, primary Claude path)"
33398
+ text: "Flightradar24 (flight tracking)"
33569
33399
  },
33570
33400
  description: {
33571
- text: "AWS Bedrock hosts Anthropic Claude models in its Frankfurt EU region. This is the primary path for Claude requests. AWS receives your chat messages with PII placeholders already substituted client-side."
33401
+ text: "Flightradar24 provides real flight track data when you ask about a specific flight number. It receives IATA flight numbers and departure dates without a user identifier."
33572
33402
  }
33573
33403
  },
33574
- anthropic: {
33404
+ deutsche_bahn: {
33575
33405
  heading: {
33576
- text: "Anthropic (US, fallback Claude path)"
33406
+ text: "Deutsche Bahn (train connections)"
33577
33407
  },
33578
33408
  description: {
33579
- text: "Anthropic's direct API is used as a fallback path for Claude models when AWS Bedrock is unreachable. Anthropic is based in the US and receives your chat messages with PII placeholders already substituted client-side."
33409
+ text: "Deutsche Bahn provides train connection results when you search for rail routes. Deutsche Bahn receives origin, destination, and date search details without an OpenMates user identifier."
33580
33410
  }
33581
33411
  },
33582
- openai: {
33412
+ flix: {
33583
33413
  heading: {
33584
- text: "OpenAI (US)"
33414
+ text: "FlixBus / FlixTrain (bus and train connections)"
33585
33415
  },
33586
33416
  description: {
33587
- text: "OpenAI processes requests for GPT-family models when you select one. OpenAI receives your chat messages with PII placeholders already substituted client-side."
33417
+ text: "Flix provides intercity bus and rail connection results when you search for FlixBus or FlixTrain routes. Flix receives origin, destination, and date search details without an OpenMates user identifier."
33588
33418
  }
33419
+ }
33420
+ },
33421
+ events: {
33422
+ heading: {
33423
+ text: "Events (only when you use the events skill)"
33589
33424
  },
33590
- openrouter: {
33425
+ description: {
33426
+ text: "These providers are only used when you invoke the events search skill. The specific set of providers called depends on the city and event type you search for."
33427
+ },
33428
+ meetup: {
33591
33429
  heading: {
33592
- text: "OpenRouter (US, routing aggregator)"
33430
+ text: "Meetup"
33593
33431
  },
33594
33432
  description: {
33595
- text: "OpenRouter is used as a routing aggregator for several third-party models, including Cerebras-hosted models. OpenRouter sees your chat messages with PII placeholders substituted client-side and forwards them to the underlying model host."
33433
+ text: "Meetup powers event search for community events. Meetup receives your search queries \u2014 city, category, dates \u2014 without a user identifier."
33596
33434
  }
33597
33435
  },
33598
- cerebras: {
33436
+ luma: {
33599
33437
  heading: {
33600
- text: "Cerebras (US, via OpenRouter)"
33438
+ text: "Luma"
33601
33439
  },
33602
33440
  description: {
33603
- text: "Cerebras hosts some of the high-speed models routed through OpenRouter. Only used when you select a Cerebras-hosted model."
33441
+ text: "Luma powers event search for tech, creative, and community events. Luma receives your search queries without a user identifier."
33604
33442
  }
33605
33443
  },
33606
- google_gemini: {
33444
+ resident_advisor: {
33607
33445
  heading: {
33608
- text: "Google Gemini (US)"
33446
+ text: "Resident Advisor"
33609
33447
  },
33610
33448
  description: {
33611
- text: "Google Gemini processes requests for Gemini-family models when you select one. Google receives your chat messages with PII placeholders already substituted client-side."
33449
+ text: "Resident Advisor powers event search for electronic music events. RA receives your search queries without a user identifier."
33612
33450
  }
33451
+ }
33452
+ },
33453
+ health: {
33454
+ heading: {
33455
+ text: "Health appointment search (only when you use the health skill)"
33613
33456
  },
33614
- google_vertex_maas: {
33457
+ description: {
33458
+ text: `These upstream services are reached through the Webshare rotating proxy (see Group E) only when you invoke the health app's appointment search skill. The queries you send \u2014 for example "dermatologist in Berlin next Tuesday" \u2014 are transmitted without user identifiers, but the content of the query itself can imply a health concern. By invoking the skill you consent to this processing under GDPR Art. 9(2)(a) (explicit consent for special-category data).`
33459
+ },
33460
+ doctolib: {
33615
33461
  heading: {
33616
- text: "Google Vertex AI Model-as-a-Service (US)"
33462
+ text: "Doctolib (EU)"
33617
33463
  },
33618
33464
  description: {
33619
- text: "Google Vertex AI Model-as-a-Service hosts third-party open models (such as DeepSeek) on Google infrastructure via an OpenAI-compatible endpoint. This is a separate service from Google Gemini: the model weights are third-party, but the inference runs on Google's servers. Only used when you select a MaaS-hosted model."
33465
+ text: "Doctolib lists doctors and specialists across supported EU regions. We query Doctolib for available appointments matching your criteria, routed through the Webshare proxy, without a user identifier."
33620
33466
  }
33621
33467
  },
33622
- together: {
33468
+ jameda: {
33623
33469
  heading: {
33624
- text: "Together AI (US)"
33470
+ text: "Jameda (Germany)"
33625
33471
  },
33626
33472
  description: {
33627
- text: "Together AI hosts third-party models such as Kimi K2.6 on an OpenAI-compatible endpoint. Only used when you select a Together-hosted model. Together receives your chat messages with PII placeholders already substituted client-side."
33473
+ text: "Jameda lists doctors and specialists across Germany. We query Jameda for available appointments matching your criteria, routed through the Webshare proxy, without a user identifier."
33628
33474
  }
33475
+ }
33476
+ },
33477
+ shopping: {
33478
+ heading: {
33479
+ text: "Shopping (only when you use the shopping skill)"
33629
33480
  },
33630
- groq: {
33481
+ description: {
33482
+ text: "These providers are only used when you invoke the shopping search skill for live product and price lookups."
33483
+ },
33484
+ rewe: {
33631
33485
  heading: {
33632
- text: "Groq (US, content sanitization)"
33486
+ text: "REWE (German grocery)"
33633
33487
  },
33634
33488
  description: {
33635
- text: "Groq is used server-side to sanitize external content (search results and scraped web pages) before it is included in AI responses. Groq sees the external content we fetched on your behalf, not your chat messages, and never learns which user requested each piece of content."
33489
+ text: "REWE's product catalogue is queried for live product and price data when you search German grocery items. REWE receives your search queries without a user identifier."
33636
33490
  }
33637
33491
  },
33638
- alibaba: {
33492
+ amazon: {
33639
33493
  heading: {
33640
- text: "Alibaba Cloud (Qwen models)"
33494
+ text: "Amazon"
33641
33495
  },
33642
33496
  description: {
33643
- text: "Alibaba Cloud hosts Qwen-family models. Alibaba receives your chat messages with PII placeholders already substituted client-side only when you select an Alibaba-hosted model."
33497
+ text: "Amazon's product catalogue is queried for live product and price data. Amazon receives your search queries without a user identifier."
33644
33498
  }
33499
+ }
33500
+ },
33501
+ nutrition: {
33502
+ heading: {
33503
+ text: "Nutrition (only when you use the recipe search skill)"
33645
33504
  },
33646
- deepseek: {
33505
+ description: {
33506
+ text: "These providers are only used when you invoke the nutrition recipe search skill. They receive recipe search queries and selected dietary filters without a user identifier."
33507
+ },
33508
+ edamam: {
33647
33509
  heading: {
33648
- text: "DeepSeek (reasoning models)"
33510
+ text: "Edamam"
33649
33511
  },
33650
33512
  description: {
33651
- text: "DeepSeek provides DeepSeek-family reasoning models. DeepSeek receives your chat messages with PII placeholders already substituted client-side only when you select a DeepSeek model."
33513
+ text: "Edamam's Recipe Search API is queried when you search for recipes. Edamam receives the recipe query and selected dietary or nutrition filters without a user identifier."
33652
33514
  }
33515
+ }
33516
+ },
33517
+ electronics: {
33518
+ heading: {
33519
+ text: "Electronics (only when you use the electronics skill)"
33653
33520
  },
33654
- moonshot: {
33521
+ description: {
33522
+ text: "These providers are only used when you invoke the electronics component search skill for live component and reference-design lookups."
33523
+ },
33524
+ ti_webench: {
33655
33525
  heading: {
33656
- text: "Moonshot AI / Kimi (language models)"
33526
+ text: "Texas Instruments WEBENCH (US)"
33657
33527
  },
33658
33528
  description: {
33659
- text: "Moonshot AI provides Kimi-family models. Moonshot receives your chat messages with PII placeholders already substituted client-side only when you select a Moonshot-hosted Kimi model."
33529
+ text: "TI WEBENCH is queried for power converter component candidates and reference design summaries. Texas Instruments receives the electrical requirements you search for, such as input voltage, output voltage, output current, temperature, isolation, and optimization goal, without a user identifier."
33660
33530
  }
33531
+ }
33532
+ },
33533
+ mail: {
33534
+ heading: {
33535
+ text: "Mail (only when you use mail skills)"
33661
33536
  },
33662
- zai: {
33537
+ description: {
33538
+ text: "This provider is only used when you invoke mail skills against a connected mailbox. If you never use the mail app, none of your data is shared with it."
33539
+ },
33540
+ protonmail: {
33663
33541
  heading: {
33664
- text: "Z.ai (GLM models)"
33542
+ text: "Proton Mail (mail search)"
33665
33543
  },
33666
33544
  description: {
33667
- text: "Z.ai provides GLM-family models. Z.ai receives your chat messages with PII placeholders already substituted client-side only when you select a Z.ai model."
33545
+ text: "Proton Mail is queried when you search a connected Proton Mail mailbox. Proton receives the mail search query and mailbox data needed to return matching results."
33668
33546
  }
33669
33547
  }
33670
33548
  },
33671
- image_generation: {
33549
+ home: {
33672
33550
  heading: {
33673
- text: "Image generation and editing (only when you use an image skill)"
33551
+ text: "Home and housing (only when you use housing search)"
33674
33552
  },
33675
33553
  description: {
33676
- text: "These providers are only used when you invoke an image generation or editing skill. If you never use the images app, none of your data is shared with them."
33554
+ text: "These providers are only used when you invoke the home app's housing search skill. If you never search for housing, none of your data is shared with them."
33677
33555
  },
33678
- fal: {
33556
+ immoscout24: {
33679
33557
  heading: {
33680
- text: "FAL (Flux models)"
33558
+ text: "ImmoScout24 (German housing search)"
33681
33559
  },
33682
33560
  description: {
33683
- text: "FAL hosts Flux image generation models used by the images.generate_draft skill. FAL receives your image generation prompts and, when editing, the source images you supply."
33561
+ text: "ImmoScout24 is queried when you search German housing listings. ImmoScout24 receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
33684
33562
  }
33685
33563
  },
33686
- recraft: {
33564
+ kleinanzeigen: {
33687
33565
  heading: {
33688
- text: "Recraft (vector and raster image generation)"
33566
+ text: "Kleinanzeigen (German classified housing search)"
33689
33567
  },
33690
33568
  description: {
33691
- text: "Recraft powers the images.generate and images.vectorize skills, producing vector and raster images and converting bitmaps to SVG. Recraft receives your prompts, style preferences, and \u2014 when vectorizing \u2014 your source images."
33569
+ text: "Kleinanzeigen is queried when you search German classified housing listings. Kleinanzeigen receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
33692
33570
  }
33693
33571
  },
33694
- bfl: {
33572
+ wg_gesucht: {
33695
33573
  heading: {
33696
- text: "Black Forest Labs (FLUX image models)"
33574
+ text: "WG-Gesucht (German shared-apartment search)"
33697
33575
  },
33698
33576
  description: {
33699
- text: "Black Forest Labs powers draft image generation via FLUX models. BFL receives your image generation prompts and, when editing, the source images you provide."
33577
+ text: "WG-Gesucht is queried when you search German shared-apartment or rental listings. WG-Gesucht receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
33700
33578
  }
33701
33579
  }
33702
33580
  },
33703
- music_generation: {
33581
+ community: {
33704
33582
  heading: {
33705
- text: "Music generation (only when you use a music skill)"
33583
+ text: "Community and developer channels (only if you choose to use them)"
33706
33584
  },
33707
33585
  description: {
33708
- text: "These providers are only used when you invoke a music generation skill. If you never use the music app, none of your data is shared with them."
33586
+ text: "These providers are only involved if you choose to join our community or developer channels. You can use OpenMates without ever touching them."
33709
33587
  },
33710
- google_vertex_ai: {
33588
+ discord: {
33711
33589
  heading: {
33712
- text: "Google Vertex AI (Lyria music generation)"
33590
+ text: "Discord (community server)"
33713
33591
  },
33714
33592
  description: {
33715
- text: "Google Vertex AI hosts the Lyria models used by the music.generate skill. Google receives your music generation prompts, optional lyrics, style preferences, and generation settings only when you ask OpenMates to generate music or background music."
33593
+ text: "If you join the OpenMates community Discord server, Discord will see anything you post on its platform, plus your Discord username and whatever data Discord itself collects per its own privacy policy. We have no control over what Discord does with that data."
33594
+ },
33595
+ admin_access: {
33596
+ text: "OpenMates administrators with Discord server admin rights can read all messages posted in the OpenMates Discord server. Do not share sensitive information on Discord."
33716
33597
  }
33717
33598
  }
33718
33599
  },
33719
- code_execution: {
33600
+ social_media: {
33720
33601
  heading: {
33721
- text: "Code and developer tools (only when you use code skills)"
33602
+ text: "Social media (only when you use social media skills)"
33722
33603
  },
33723
33604
  description: {
33724
- text: "These providers are only used when you invoke a code app skill, such as searching public repositories, running code in an isolated sandbox, creating a generated application that auto-starts a short screenshot preview, or explicitly starting a generated application live preview. If you never use the code app, none of your data is shared with them."
33605
+ text: "These providers are only used when you invoke the social media app's get-posts or search skills. They receive public profile, page, or search queries without an OpenMates user identifier."
33725
33606
  },
33726
- github: {
33607
+ reddit: {
33727
33608
  heading: {
33728
- text: "GitHub (public repository search)"
33609
+ text: "Reddit (public posts and discussions)"
33729
33610
  },
33730
33611
  description: {
33731
- text: "GitHub powers the code app's repository search skill. GitHub receives public repository search queries without an OpenMates user identifier."
33612
+ text: "Reddit is queried when you fetch or search public Reddit posts. Reddit receives subreddit names, public post URLs, and search queries without an OpenMates user identifier."
33732
33613
  }
33733
33614
  },
33734
- context7: {
33615
+ bluesky: {
33735
33616
  heading: {
33736
- text: "Context7 (programming documentation lookup)"
33617
+ text: "Bluesky (public posts and profile feeds)"
33737
33618
  },
33738
33619
  description: {
33739
- text: "Context7 powers the code app's documentation lookup skill. Context7 receives library names and documentation questions without an OpenMates user identifier."
33620
+ text: "Bluesky is queried when you fetch or search public Bluesky posts. Bluesky receives handles and search queries without an OpenMates user identifier."
33740
33621
  }
33741
33622
  },
33742
- e2b: {
33623
+ mastodon: {
33743
33624
  heading: {
33744
- text: "E2B (isolated code sandbox)"
33625
+ text: "Mastodon (public profile posts)"
33745
33626
  },
33746
33627
  description: {
33747
- text: "E2B runs selected code embeds, generated application previews, and Remotion video renders inside isolated sandboxes. E2B receives the code or generated application/Remotion files and assets needed to run or render the result, runtime inputs, preview/render logs, and execution output needed to display the sandbox result. This sharing happens when you explicitly run code, create a generated application that auto-starts a short screenshot preview, start/resume an application live preview, or when a Remotion video render auto-starts after the assistant closes an explicit remotion code fence."
33628
+ text: "Mastodon is queried when you fetch public Mastodon profile posts. The relevant Mastodon server receives profile identifiers or public profile URLs without an OpenMates user identifier."
33748
33629
  }
33749
33630
  }
33631
+ }
33632
+ },
33633
+ flightradar24: {
33634
+ heading: {
33635
+ text: "3.16 Flightradar24"
33750
33636
  },
33751
- web_and_search: {
33752
- heading: {
33753
- text: "Web, search, and content retrieval (only when you use a web or search skill)"
33637
+ description: {
33638
+ text: 'When you request real flight track data using the "Get flight track" skill, we query Flightradar24 to retrieve historical GPS track data for completed flights. Flightradar24 receives the flight number and departure date. No personal data is shared.'
33639
+ },
33640
+ privacy_policy_link: {
33641
+ text: "Flightradar24 Privacy Policy"
33642
+ }
33643
+ },
33644
+ security_measures: {
33645
+ heading: {
33646
+ text: "4. Security Measures"
33647
+ },
33648
+ intro: {
33649
+ text: "We implement various security measures to protect your account and data in the web application:"
33650
+ },
33651
+ device_fingerprinting: {
33652
+ subheading: {
33653
+ text: "Device Fingerprinting"
33754
33654
  },
33755
- description: {
33756
- text: "These providers are only used when you invoke a web, videos, news, or web-read skill. They see the content of what you search for or the URLs you ask to read, but no user identifier \u2014 they do not know which OpenMates user made each request."
33655
+ purpose: {
33656
+ text: "To enhance account security, prevent fraudulent access, and distinguish between new and recognized devices during login and session validation, we collect User-Agent strings (browser, OS, device type information) and IP addresses (used temporarily to derive approximate geo-location like country/city, then discarded from the device record)."
33757
33657
  },
33758
- brave: {
33759
- heading: {
33760
- text: "Brave Search (web, videos, news)"
33761
- },
33762
- description: {
33763
- text: "Brave Search powers the web, videos, and news search skills. Brave sees the text of your search queries and your country and language preferences for localized results, but no user identifier."
33764
- }
33658
+ storage: {
33659
+ text: "A unique, stable hash is generated based on a combination of the collected signals. This hash is the only value stored in the device record. Browser/OS type and derived country code may be used transiently for risk assessment and notifications but are not stored with the device record. Raw IP addresses are NOT stored as part of the device record itself."
33765
33660
  },
33766
- firecrawl: {
33767
- heading: {
33768
- text: "Firecrawl (web page scraping)"
33769
- },
33770
- description: {
33771
- text: "Firecrawl powers the web read skill, scraping and extracting content from web pages you ask about. Firecrawl sees the URL you requested and the full content of the scraped page."
33772
- }
33661
+ ip_logging: {
33662
+ text: "For security monitoring and abuse prevention, IP addresses associated with failed login attempts (invalid password or 2FA code) may be logged with limited retention. In addition, certain security/compliance events (e.g., successful backup-code logins) may be logged with IP for audit purposes. IP addresses are also used for rate limiting login attempts."
33663
+ }
33664
+ }
33665
+ },
33666
+ data_categories: {
33667
+ heading: {
33668
+ text: "5. Data Categories We Collect and Process"
33669
+ },
33670
+ intro: {
33671
+ text: "We collect and process the following categories of data to operate and secure our services:"
33672
+ },
33673
+ account: {
33674
+ text: "Account: Email address, username/display name, profile image, locale, and security settings (e.g., 2FA enabled). Email and username are encrypted with your key before storage. We also keep a separate server-side Vault-encrypted copy of your verified email address for mandatory account lifecycle notices, such as account verification, security alerts, and deletion reminders. Passwords are stored as salted hashes."
33675
+ },
33676
+ usage: {
33677
+ text: "Usage: Server logs, event timestamps, feature usage, error logs, and device recognition identifiers (hashed). IP addresses may be temporarily processed for security and rate limiting."
33678
+ },
33679
+ content: {
33680
+ text: "Content: Chat messages, prompts, attachments, and uploaded images/videos necessary to deliver the service (subject to moderation where applicable)."
33681
+ },
33682
+ payments: {
33683
+ text: "Payments: Payment method tokens, transaction IDs, billing address and VAT information as required for invoicing (processed primarily by Stripe). We do not store full card numbers."
33684
+ },
33685
+ newsletter: {
33686
+ text: "Newsletter: If you choose to subscribe to our newsletter, we store your email address in encrypted form. Newsletter subscription is optional and separate from account creation \u2014 creating an account does not automatically subscribe you to the newsletter. If you are an OpenMates customer (i.e. you have completed a purchase), we may additionally send you occasional product announcements and service updates about OpenMates' own similar services under the existing-customer exception (\xA77 Abs. 3 UWG / ePrivacy Directive Art. 13(2)). You can object to this at any time in Settings \u2192 Newsletter or via the one-click unsubscribe link in any such email, without affecting your account."
33687
+ },
33688
+ stability_logs: {
33689
+ text: "Stability Logs: To diagnose technical errors, anonymized browser console logs (error messages, component status, connection events) are collected from authenticated users and stored for up to 48 hours. If an error occurs, surrounding context is retained for up to 14 days. No message content, chat titles, names, email addresses, or other personally identifiable information is included. A random session identifier (generated per browser tab, not linked to your account) is used for log correlation. You can disable this at any time in Settings > Privacy > Stability Logs."
33690
+ }
33691
+ },
33692
+ data_retention: {
33693
+ heading: {
33694
+ text: "6. Data Retention"
33695
+ },
33696
+ account: {
33697
+ text: "Account data: Retained until account deletion and completion of related legal obligations."
33698
+ },
33699
+ usage_and_logs: {
33700
+ text: "Usage and logs: Operational logs retained up to 12 months; IPs tied to failed logins up to 30 days for security."
33701
+ },
33702
+ device_fingerprints: {
33703
+ text: "Device fingerprints: Retained until account deletion or manual removal from account settings (when available)."
33704
+ },
33705
+ content: {
33706
+ text: "Content: Retained until the user deletes the content or closes the account, subject to backup cycles."
33707
+ },
33708
+ payments_and_invoices: {
33709
+ text: "Payments and invoices: Retained up to 10 years where required by tax/commercial law."
33710
+ },
33711
+ compliance_logs: {
33712
+ text: "**Compliance logs:** audit logs retained 2 years (BSI \xA734 BDSG); financial compliance logs retained 10 years (AO \xA7147 and HGB \xA7257)"
33713
+ },
33714
+ observability_traces: {
33715
+ text: "**Observability traces:** up to 30 days; user IDs in traces use a hash that rotates every 24 hours, so older traces cannot be joined to a specific user"
33716
+ },
33717
+ user_data_backups: {
33718
+ text: "**User data backups:** 60 days via S3 lifecycle; backups contain only ciphertext encrypted with your own key"
33719
+ }
33720
+ },
33721
+ legal_basis: {
33722
+ heading: {
33723
+ text: "7. Legal Basis for Processing (GDPR)"
33724
+ },
33725
+ contract: {
33726
+ text: "Contract: Processing necessary to perform our contract with you or to take steps at your request prior to entering into a contract (e.g., account creation, delivering web app features)."
33727
+ },
33728
+ consent: {
33729
+ text: "Consent: Processing based on your consent, where applicable (e.g., optional communications, certain analytics or marketing where used). You can withdraw consent at any time."
33730
+ },
33731
+ legitimate_interests: {
33732
+ text: "Legitimate interests: Processing necessary for our legitimate interests, such as service security, fraud prevention, abuse detection, and improving the service, provided these interests are not overridden by your rights and interests."
33733
+ },
33734
+ direct_marketing: {
33735
+ text: "Direct marketing to existing customers: For existing OpenMates customers (users who have completed a purchase), we may rely on Art. 6(1)(f) GDPR (legitimate interests) in combination with \xA77 Abs. 3 UWG and ePrivacy Directive Art. 13(2) to send occasional product announcements, service updates, and marketing about OpenMates' own similar services. Each such email includes a clearly visible one-click unsubscribe link, and you can also manage these preferences at any time in Settings \u2192 Newsletter. You can object to this processing at any time without giving reasons (Art. 21 GDPR)."
33736
+ },
33737
+ legal_obligation: {
33738
+ text: "Legal obligation: Processing necessary to comply with legal obligations (e.g., tax and accounting requirements for invoices and transaction records)."
33739
+ }
33740
+ },
33741
+ legal_rights: {
33742
+ heading: {
33743
+ text: "8. Your Privacy Rights"
33744
+ },
33745
+ intro: {
33746
+ text: "Depending on your jurisdiction, you may have certain rights over your personal data. The following summarizes key rights under GDPR and CCPA/CPRA and how to exercise them:"
33747
+ },
33748
+ gdpr: {
33749
+ subheading: {
33750
+ text: "GDPR (EU/EEA)"
33773
33751
  },
33774
- webshare: {
33775
- heading: {
33776
- text: "Webshare (rotating proxy)"
33777
- },
33778
- description: {
33779
- text: "Webshare provides a rotating proxy for requests to services that would otherwise block us. We route YouTube transcript requests (for the videos get-transcript skill) and doctor appointment searches (for the health search-appointments skill \u2014 see Group H) through Webshare. Webshare sees the URLs we route through it."
33780
- }
33752
+ access: {
33753
+ text: "Right of access"
33781
33754
  },
33782
- google_maps: {
33783
- heading: {
33784
- text: "Google Maps Platform (places search)"
33785
- },
33786
- description: {
33787
- text: "Google Maps powers the places search skill. Google sees the text of your place queries and an approximate location for localized results, but no user identifier."
33788
- }
33755
+ rectification: {
33756
+ text: "Right to rectification"
33789
33757
  },
33790
- youtube: {
33791
- heading: {
33792
- text: "YouTube (video transcripts)"
33793
- },
33794
- description: {
33795
- text: "YouTube is queried when you ask OpenMates to retrieve a transcript for a YouTube video. YouTube receives video URLs and requested transcript language preferences without an OpenMates user identifier."
33796
- }
33758
+ erasure: {
33759
+ text: "Right to erasure ('right to be forgotten')"
33760
+ },
33761
+ restriction: {
33762
+ text: "Right to restriction of processing"
33763
+ },
33764
+ portability: {
33765
+ text: "Right to data portability"
33766
+ },
33767
+ objection: {
33768
+ text: "Right to object"
33769
+ },
33770
+ withdraw_consent: {
33771
+ text: "Right to withdraw consent"
33772
+ },
33773
+ exercise: {
33774
+ text: "To exercise your GDPR rights, contact us at contact@openmates.org or via the Imprint. We may need to verify your identity before fulfilling your request."
33775
+ },
33776
+ manual_note: {
33777
+ text: "The following rights are available on request (please contact us by email at contact@openmates.org and we will handle them manually):"
33797
33778
  }
33798
33779
  },
33799
- travel: {
33800
- heading: {
33801
- text: "Travel (only when you use a travel skill)"
33780
+ ccpa_cpra: {
33781
+ subheading: {
33782
+ text: "CCPA/CPRA (California)"
33802
33783
  },
33803
- description: {
33804
- text: "These providers are only used when you invoke a travel skill \u2014 flight search, hotel search, or flight tracking. If you never use the travel app, none of your data is shared with them."
33784
+ right_to_know: {
33785
+ text: "Right to know/access"
33805
33786
  },
33806
- serpapi: {
33807
- heading: {
33808
- text: "SerpAPI (flight and hotel search)"
33809
- },
33810
- description: {
33811
- text: "SerpAPI powers flight and hotel search via its Google Flights and Google Hotels endpoints. SerpAPI receives your search queries \u2014 origin, destination, dates, and preferences \u2014 without a user identifier."
33812
- }
33787
+ right_to_delete: {
33788
+ text: "Right to delete"
33813
33789
  },
33814
- flightradar24: {
33815
- heading: {
33816
- text: "Flightradar24 (flight tracking)"
33817
- },
33818
- description: {
33819
- text: "Flightradar24 provides real flight track data when you ask about a specific flight number. It receives IATA flight numbers and departure dates without a user identifier."
33820
- }
33790
+ right_to_correct: {
33791
+ text: "Right to correct"
33821
33792
  },
33822
- deutsche_bahn: {
33823
- heading: {
33824
- text: "Deutsche Bahn (train connections)"
33825
- },
33826
- description: {
33827
- text: "Deutsche Bahn provides train connection results when you search for rail routes. Deutsche Bahn receives origin, destination, and date search details without an OpenMates user identifier."
33828
- }
33793
+ right_to_opt_out_of_sale_or_sharing: {
33794
+ text: "Right to opt-out of sale or sharing"
33829
33795
  },
33830
- flix: {
33831
- heading: {
33832
- text: "FlixBus / FlixTrain (bus and train connections)"
33833
- },
33834
- description: {
33835
- text: "Flix provides intercity bus and rail connection results when you search for FlixBus or FlixTrain routes. Flix receives origin, destination, and date search details without an OpenMates user identifier."
33836
- }
33796
+ right_to_non_discrimination: {
33797
+ text: "Right to non-discrimination"
33798
+ },
33799
+ exercise: {
33800
+ text: "California residents can exercise CCPA/CPRA rights by contacting us at contact@openmates.org. We do not sell personal information."
33801
+ }
33802
+ }
33803
+ },
33804
+ discord_integration: {
33805
+ heading: {
33806
+ text: "9. Discord Integration"
33807
+ },
33808
+ description: {
33809
+ text: "If you choose to join our Discord community through links provided on this website, please note that Discord will collect and process your data according to their privacy policy. This includes account information, usage data, communication content, and other information as outlined in Discord's privacy policy."
33810
+ },
33811
+ admin_access: {
33812
+ text: "As Discord server administrators, we have access to all public communications, member lists, and other information shared within our Discord community. However, this information is hosted and primarily processed by Discord. We do not extract, store, or process this data outside of Discord's platform. For more information about how Discord handles your data, please review Discord's Privacy Policy."
33813
+ },
33814
+ privacy_policy_link: {
33815
+ text: "Discord Privacy Policy"
33816
+ }
33817
+ },
33818
+ contact: {
33819
+ heading: {
33820
+ text: "10. Contact Information"
33821
+ },
33822
+ questions: {
33823
+ text: "For questions about data protection:"
33824
+ },
33825
+ email: {
33826
+ text: "Email"
33827
+ },
33828
+ postal: {
33829
+ text: "Postal address: See Legal Notice (Imprint) for the current registered address."
33830
+ },
33831
+ controller: {
33832
+ text: "Controller: OpenMates (see Imprint for legal representative details)."
33833
+ }
33834
+ },
33835
+ aggregate_analytics: {
33836
+ heading: {
33837
+ text: "11. Anonymous Aggregate Analytics"
33838
+ },
33839
+ overview: {
33840
+ text: "We collect anonymous, aggregate statistics about how our website and web application are used. This data is genuinely anonymous \u2014 it cannot be linked to any individual user, and no cookies or tracking identifiers are set. No consent banner is required because no personal data is collected."
33841
+ },
33842
+ what_we_collect: {
33843
+ text: "What we collect (all aggregate, never individual):"
33844
+ },
33845
+ items: {
33846
+ text: "Daily page load counts; approximate unique visit counts (probabilistic HyperLogLog, ~0.81% error); country distribution (GeoIP lookup \u2014 IP discarded immediately, never stored); device class (mobile/tablet/desktop); browser family and major version; OS family; referrer domain (domain only, never full URL); screen size class; session duration distribution (bucketed)"
33847
+ },
33848
+ no_pii: {
33849
+ text: "IP addresses are used transiently for GeoIP lookup only and are never written to disk or any database. User-Agent strings are parsed to metadata only (browser name, OS) \u2014 the raw string is never stored. All data is stored as daily aggregate counters, not as individual records."
33850
+ }
33851
+ },
33852
+ follow_up_1: {
33853
+ text: "How is my chat content encrypted?"
33854
+ },
33855
+ follow_up_2: {
33856
+ text: "How does client-side encryption work?"
33857
+ },
33858
+ follow_up_3: {
33859
+ text: "What if I lose my encryption key?"
33860
+ },
33861
+ follow_up_4: {
33862
+ text: "Do AI providers see my messages?"
33863
+ },
33864
+ follow_up_5: {
33865
+ text: "How do I delete my account?"
33866
+ },
33867
+ follow_up_6: {
33868
+ text: "What data do you share with third parties?"
33869
+ },
33870
+ provider_link_label: {
33871
+ text: "Privacy policy"
33872
+ },
33873
+ overview: {
33874
+ heading: {
33875
+ text: "Overview"
33876
+ },
33877
+ summary: {
33878
+ text: "OpenMates is designed so that most of your data is encrypted on your device before it reaches our servers. This is **not** end-to-end encryption: our servers briefly decrypt your content in memory to run AI responses, render invoices, and deliver reminders. But we never write decrypted content to disk, logs, or traces, and when you delete your account we destroy the encryption key that protects your data \u2014 cryptographically shredding every encrypted field we still hold."
33879
+ }
33880
+ },
33881
+ protection: {
33882
+ heading: {
33883
+ text: "How we protect your data"
33884
+ },
33885
+ intro: {
33886
+ text: "We rely on six technical measures to protect your data. Each is verifiable in our open-source code and maps to a specific GDPR obligation."
33887
+ },
33888
+ client_side_encryption: {
33889
+ heading: {
33890
+ text: "Client-side encryption of your content"
33891
+ },
33892
+ description: {
33893
+ text: "Your chat content, titles, summaries, tags, per-chat keys, app settings and memories, reminders, and sensitive profile fields (encrypted username, auto-top-up email, 2FA secrets) are encrypted in your browser before being sent to our servers. The browser uses a key derived from your login credential; our servers reject writes that contain anything but ciphertext. This is *not* end-to-end encryption \u2014 our servers can decrypt your content in memory when they need to (for AI responses, invoice rendering, reminder delivery). The difference from end-to-end encryption is that decryption happens transiently in process memory and the plaintext is never persisted to disk, logs, or traces."
33894
+ }
33895
+ },
33896
+ pii_placeholder_substitution: {
33897
+ heading: {
33898
+ text: "PII placeholder substitution before AI calls"
33899
+ },
33900
+ description: {
33901
+ text: "Before any message is sent to a third-party AI model, your browser scans your message for real names, email addresses, and physical addresses that you have saved in your privacy settings (or that match common patterns) and replaces any matches with neutral placeholders (for example [USER_0]). The mapping back to your real values is stored encrypted with your key and is never decrypted on our servers. **Important limitation:** this substitution only protects personal data that our client-side detector actually recognizes \u2014 typically the values you have explicitly saved in your privacy settings and values highlighted in the message field before you send. Anything the detector does not recognize (typos of your own name, uncommon address formats, other people's personal data, sensitive topics that are not formally PII) will be transmitted as you typed it. Please treat every message as you would treat a note passed to a third-party AI provider and be cautious with personal data."
33837
33902
  }
33838
33903
  },
33839
- events: {
33904
+ encrypted_at_rest: {
33840
33905
  heading: {
33841
- text: "Events (only when you use the events skill)"
33906
+ text: "Encrypted at rest, decrypted only in memory"
33842
33907
  },
33843
33908
  description: {
33844
- text: "These providers are only used when you invoke the events search skill. The specific set of providers called depends on the city and event type you search for."
33845
- },
33846
- meetup: {
33847
- heading: {
33848
- text: "Meetup"
33849
- },
33850
- description: {
33851
- text: "Meetup powers event search for community events. Meetup receives your search queries \u2014 city, category, dates \u2014 without a user identifier."
33852
- }
33853
- },
33854
- luma: {
33855
- heading: {
33856
- text: "Luma"
33857
- },
33858
- description: {
33859
- text: "Luma powers event search for tech, creative, and community events. Luma receives your search queries without a user identifier."
33860
- }
33861
- },
33862
- resident_advisor: {
33863
- heading: {
33864
- text: "Resident Advisor"
33865
- },
33866
- description: {
33867
- text: "Resident Advisor powers event search for electronic music events. RA receives your search queries without a user identifier."
33868
- }
33909
+ text: "Our PostgreSQL database, Redis caches, S3 object storage, and backup snapshots hold only ciphertext for any field containing user content. When our servers need to read your content to run an AI response, render an invoice, or deliver a reminder, decryption happens transiently in process memory and is discarded immediately after. Key material is released on demand by HashiCorp Vault and never stored in raw form outside it."
33869
33910
  }
33870
33911
  },
33871
- health: {
33912
+ hashed_identifiers: {
33872
33913
  heading: {
33873
- text: "Health appointment search (only when you use the health skill)"
33914
+ text: "Hashed identifiers throughout"
33874
33915
  },
33875
33916
  description: {
33876
- text: `These upstream services are reached through the Webshare rotating proxy (see Group E) only when you invoke the health app's appointment search skill. The queries you send \u2014 for example "dermatologist in Berlin next Tuesday" \u2014 are transmitted without user identifiers, but the content of the query itself can imply a health concern. By invoking the skill you consent to this processing under GDPR Art. 9(2)(a) (explicit consent for special-category data).`
33877
- },
33878
- doctolib: {
33879
- heading: {
33880
- text: "Doctolib (EU)"
33881
- },
33882
- description: {
33883
- text: "Doctolib lists doctors and specialists across supported EU regions. We query Doctolib for available appointments matching your criteria, routed through the Webshare proxy, without a user identifier."
33884
- }
33885
- },
33886
- jameda: {
33887
- heading: {
33888
- text: "Jameda (Germany)"
33889
- },
33890
- description: {
33891
- text: "Jameda lists doctors and specialists across Germany. We query Jameda for available appointments matching your criteria, routed through the Webshare proxy, without a user identifier."
33892
- }
33917
+ text: "Your user ID is stored in most database tables as a SHA-256 hash rather than as a direct reference. Login uses a zero-knowledge password verification flow: we verify that you know your password without ever learning it. API-key device records anonymize the IP address to its first two octets before encryption, so we can recognize a device without storing a precise location."
33893
33918
  }
33894
33919
  },
33895
- shopping: {
33920
+ cryptographic_erasure: {
33896
33921
  heading: {
33897
- text: "Shopping (only when you use the shopping skill)"
33922
+ text: "Cryptographically shredded on deletion"
33898
33923
  },
33899
33924
  description: {
33900
- text: "These providers are only used when you invoke the shopping search skill for live product and price lookups."
33901
- },
33902
- rewe: {
33903
- heading: {
33904
- text: "REWE (German grocery)"
33905
- },
33906
- description: {
33907
- text: "REWE's product catalogue is queried for live product and price data when you search German grocery items. REWE receives your search queries without a user identifier."
33908
- }
33909
- },
33910
- amazon: {
33911
- heading: {
33912
- text: "Amazon"
33913
- },
33914
- description: {
33915
- text: "Amazon's product catalogue is queried for live product and price data. Amazon receives your search queries without a user identifier."
33916
- }
33925
+ text: "When you delete your account we destroy your HashiCorp Vault Transit key in addition to removing your rows from our database. Any encrypted field still sitting in a backup, cache, or running process becomes mathematically unrecoverable ciphertext at that moment \u2014 cryptographic erasure on top of row-level deletion."
33917
33926
  }
33918
33927
  },
33919
- nutrition: {
33928
+ observability_without_tracking: {
33920
33929
  heading: {
33921
- text: "Nutrition (only when you use the recipe search skill)"
33930
+ text: "Observability without tracking"
33922
33931
  },
33923
33932
  description: {
33924
- text: "These providers are only used when you invoke the nutrition recipe search skill. They receive recipe search queries and selected dietary filters without a user identifier."
33925
- },
33926
- edamam: {
33927
- heading: {
33928
- text: "Edamam"
33929
- },
33930
- description: {
33931
- text: "Edamam's Recipe Search API is queried when you search for recipes. Edamam receives the recipe query and selected dietary or nutrition filters without a user identifier."
33932
- }
33933
+ text: "Our internal tracing pipeline (OpenTelemetry) replaces your user ID with a hash that rotates every 24 hours, strips authentication headers and cookies from every span, and redacts chat content before any trace leaves the backend. Our web analytics use a server-side beacon with no cookies and no stored individual identifiers. We do not use Google Analytics, Plausible, PostHog, or any third-party analytics platform."
33933
33934
  }
33935
+ }
33936
+ },
33937
+ promises: {
33938
+ intro: {
33939
+ text: "Below are the privacy promises we make to every user. Each one is backed by code in our open-source repository and verified by automated tests. When the enforcing code changes, a registry-linked check reminds us to rerun those tests before release."
33934
33940
  },
33935
- electronics: {
33941
+ client_side_chat_encryption: {
33936
33942
  heading: {
33937
- text: "Electronics (only when you use the electronics skill)"
33943
+ text: "Client-side chat encryption"
33938
33944
  },
33939
33945
  description: {
33940
- text: "These providers are only used when you invoke the electronics component search skill for live component and reference-design lookups."
33946
+ text: "Your chats, settings, and memories are encrypted on your device with AES-256-GCM before they leave your browser. The server stores only ciphertext on disk, in caches, and in backups. This is not end-to-end encryption: when a server-side task needs to read content (to run an AI response, render an invoice, or deliver a reminder), it decrypts in memory via HashiCorp Vault and discards the plaintext immediately after use."
33947
+ }
33948
+ },
33949
+ email_encryption_at_rest: {
33950
+ heading: {
33951
+ text: "Email addresses encrypted at rest"
33941
33952
  },
33942
- ti_webench: {
33943
- heading: {
33944
- text: "Texas Instruments WEBENCH (US)"
33945
- },
33946
- description: {
33947
- text: "TI WEBENCH is queried for power converter component candidates and reference design summaries. Texas Instruments receives the electrical requirements you search for, such as input voltage, output voltage, output current, temperature, isolation, and optimization goal, without a user identifier."
33948
- }
33953
+ description: {
33954
+ text: "Your email address is stored only as ciphertext. The server decrypts it transiently in memory during login, billing, and notification delivery, and never writes plaintext to disk or logs."
33949
33955
  }
33950
33956
  },
33951
- mail: {
33957
+ no_third_party_tracking: {
33952
33958
  heading: {
33953
- text: "Mail (only when you use mail skills)"
33959
+ text: "No third-party tracking cookies or analytics"
33954
33960
  },
33955
33961
  description: {
33956
- text: "This provider is only used when you invoke mail skills against a connected mailbox. If you never use the mail app, none of your data is shared with it."
33962
+ text: "We do not use Google Analytics, Plausible, PostHog, Mixpanel, Amplitude, Segment, or any other third-party analytics platform. Our telemetry is server-side, cookie-free, and contains no individually stored identifiers. A pre-edit check in our repository blocks the introduction of analytics SDKs."
33963
+ }
33964
+ },
33965
+ pii_placeholder_substitution: {
33966
+ heading: {
33967
+ text: "Personal information never reaches AI providers"
33957
33968
  },
33958
- protonmail: {
33959
- heading: {
33960
- text: "Proton Mail (mail search)"
33961
- },
33962
- description: {
33963
- text: "Proton Mail is queried when you search a connected Proton Mail mailbox. Proton receives the mail search query and mailbox data needed to return matching results."
33964
- }
33969
+ description: {
33970
+ text: "Before any message is sent to an AI provider, your browser detects 32 categories of personal data \u2014 emails, phone numbers, credit card numbers, API keys, and more \u2014 and replaces them with placeholders like `[EMAIL_com]`. The substitution map is encrypted with your chat key so only your devices can restore the original values."
33965
33971
  }
33966
33972
  },
33967
- home: {
33973
+ telemetry_privacy_filter: {
33968
33974
  heading: {
33969
- text: "Home and housing (only when you use housing search)"
33975
+ text: "Telemetry stripped of sensitive data"
33970
33976
  },
33971
33977
  description: {
33972
- text: "These providers are only used when you invoke the home app's housing search skill. If you never search for housing, none of your data is shared with them."
33978
+ text: "Our internal tracing pipeline (OpenTelemetry) strips authentication headers, cookies, and database statements from every span, and pseudonymises your user ID with a salt that rotates every 24 hours. Regular users never have their raw identifiers in telemetry."
33979
+ }
33980
+ },
33981
+ cryptographic_erasure: {
33982
+ heading: {
33983
+ text: "Deleted accounts are cryptographically erased"
33973
33984
  },
33974
- immoscout24: {
33975
- heading: {
33976
- text: "ImmoScout24 (German housing search)"
33977
- },
33978
- description: {
33979
- text: "ImmoScout24 is queried when you search German housing listings. ImmoScout24 receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
33980
- }
33985
+ description: {
33986
+ text: "When you delete your account, the first step destroys your encryption keys. Any residual ciphertext in backups, caches, or audit logs is rendered permanently unreadable \u2014 no key, no content."
33987
+ }
33988
+ },
33989
+ argon2_password_hashing: {
33990
+ heading: {
33991
+ text: "Passwords stored as Argon2 hashes"
33981
33992
  },
33982
- kleinanzeigen: {
33983
- heading: {
33984
- text: "Kleinanzeigen (German classified housing search)"
33985
- },
33986
- description: {
33987
- text: "Kleinanzeigen is queried when you search German classified housing listings. Kleinanzeigen receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
33988
- }
33993
+ description: {
33994
+ text: "We store password and backup-code verifiers as Argon2 hashes. Plaintext passwords are never persisted to disk, never written to logs, and never recoverable \u2014 even by us."
33995
+ }
33996
+ },
33997
+ payment_data_minimization: {
33998
+ heading: {
33999
+ text: "No card numbers ever touch our servers"
33989
34000
  },
33990
- wg_gesucht: {
33991
- heading: {
33992
- text: "WG-Gesucht (German shared-apartment search)"
33993
- },
33994
- description: {
33995
- text: "WG-Gesucht is queried when you search German shared-apartment or rental listings. WG-Gesucht receives housing search queries, locations, filters, and listing pages requested without an OpenMates user identifier."
33996
- }
34001
+ description: {
34002
+ text: "Payments flow directly from your browser to Stripe. We store only provider tokens and customer identifiers. We never see, receive, or persist full card numbers, security codes, or bank account details."
33997
34003
  }
33998
34004
  },
33999
- community: {
34005
+ logging_redaction: {
34000
34006
  heading: {
34001
- text: "Community and developer channels (only if you choose to use them)"
34007
+ text: "Logs are scrubbed of sensitive data"
34002
34008
  },
34003
34009
  description: {
34004
- text: "These providers are only involved if you choose to join our community or developer channels. You can use OpenMates without ever touching them."
34010
+ text: "Every log line passes through a redaction filter that strips email addresses, IP addresses, bearer tokens, and password values. Compliance logs preserve pseudonymous user IDs but remove all other personal data."
34011
+ }
34012
+ },
34013
+ prompt_injection_defense: {
34014
+ heading: {
34015
+ text: "Defense against prompt injection"
34005
34016
  },
34006
- discord: {
34007
- heading: {
34008
- text: "Discord (community server)"
34009
- },
34010
- description: {
34011
- text: "If you join the OpenMates community Discord server, Discord will see anything you post on its platform, plus your Discord username and whatever data Discord itself collects per its own privacy policy. We have no control over what Discord does with that data."
34012
- },
34013
- admin_access: {
34014
- text: "OpenMates administrators with Discord server admin rights can read all messages posted in the OpenMates Discord server. Do not share sensitive information on Discord."
34015
- }
34017
+ description: {
34018
+ text: "Two layers protect your conversations from malicious content in web pages, files, and URLs you reference. Invisible Unicode characters are stripped first, then a dedicated safety model detects semantic injection attempts and blocks or replaces high-risk content before it reaches your assistant."
34016
34019
  }
34017
34020
  },
34018
- social_media: {
34021
+ no_training_on_user_data: {
34019
34022
  heading: {
34020
- text: "Social media (only when you use social media skills)"
34023
+ text: "Your conversations are not used to train AI models"
34021
34024
  },
34022
34025
  description: {
34023
- text: "These providers are only used when you invoke the social media app's get-posts or search skills. They receive public profile, page, or search queries without an OpenMates user identifier."
34026
+ text: "All AI chat providers we use (Anthropic, OpenAI, Mistral, Google Gemini, Google Vertex AI, Together AI, Groq, Cerebras, and OpenRouter) have explicit no-training clauses in their terms \u2014 your conversations are never used to fine-tune, evaluate, or otherwise train AI models. For image generation, Recraft has a training opt-out which we have activated. fal.ai (used for draft image generation) may use anonymized, aggregated derivatives of prompts for model improvement under their standard API terms; no full opt-out is available outside an enterprise contract. A per-provider audit with verbatim policy quotes and verification dates is published in our open-source repository."
34027
+ }
34028
+ },
34029
+ no_external_resources: {
34030
+ heading: {
34031
+ text: "The web app never loads external images or scripts"
34024
34032
  },
34025
- reddit: {
34026
- heading: {
34027
- text: "Reddit (public posts and discussions)"
34028
- },
34029
- description: {
34030
- text: "Reddit is queried when you fetch or search public Reddit posts. Reddit receives subreddit names, public post URLs, and search queries without an OpenMates user identifier."
34031
- }
34033
+ description: {
34034
+ text: "Every external image, favicon, or preview shown in the app is fetched through our own preview.openmates.org proxy \u2014 the originating website never sees your IP address. The only third-party script the web app loads is the Stripe payment SDK needed to process a purchase, and only when you explicitly open the payment flow. There is no ad network, tag manager, CDN font loader, or third-party analytics library."
34035
+ }
34036
+ },
34037
+ cli_no_credential_prompts: {
34038
+ heading: {
34039
+ text: "The command-line tool never asks for your password"
34032
34040
  },
34033
- bluesky: {
34034
- heading: {
34035
- text: "Bluesky (public posts and profile feeds)"
34036
- },
34037
- description: {
34038
- text: "Bluesky is queried when you fetch or search public Bluesky posts. Bluesky receives handles and search queries without an OpenMates user identifier."
34039
- }
34041
+ description: {
34042
+ text: "The OpenMates CLI never prompts you for your email, password, 2FA code, or any other login credential. Authentication uses a browser-based pair-auth handshake: the CLI shows a QR code and URL, you approve the session in your logged-in web browser, and you type a short 6-character binding PIN back into the CLI to confirm. Your credentials never pass through the terminal."
34043
+ }
34044
+ },
34045
+ open_source_transparency: {
34046
+ heading: {
34047
+ text: "Every claim on this page is independently auditable"
34040
34048
  },
34041
- mastodon: {
34042
- heading: {
34043
- text: "Mastodon (public profile posts)"
34044
- },
34045
- description: {
34046
- text: "Mastodon is queried when you fetch public Mastodon profile posts. The relevant Mastodon server receives profile identifiers or public profile URLs without an OpenMates user identifier."
34047
- }
34049
+ description: {
34050
+ text: "OpenMates is open source. Every promise above is backed by code you can read, tests you can run, and architecture documents you can audit in our public repository. Our privacy-promises registry links each claim to the exact files that enforce it."
34048
34051
  }
34049
34052
  }
34050
34053
  },