Privacy Policy
Last updated: May 19, 2026 — v2026-05-19
Short version. Inkfold offers three retention modes — Smart, Private, and Incognito. In Smart mode (the default), Inkfold stores your conversations on our servers, encrypted at rest with a server-managed key, so we can build a knowledge graph that improves your answers. In Private mode, your content is encrypted on your device with a key only you hold before it ever reaches our servers — we store only ciphertext. In Incognito mode, nothing is written anywhere. We do not sell data. We do not train external AI models on your content. All three modes are free. You set your default mode in Settings → Privacy and can override per session. You may opt out of crowd-wisdom routing telemetry at any time without changing your plan.
1. Who we are and how to contact us
Inkfold is a multi-vendor AI chat application that lets you carry memory and context across AI tools (ChatGPT, Claude, Gemini, and others). This policy covers the web application at app.inkfold.app, the fl command-line interface, the mobile application, the application programming interface at api.inkfold.app, and the marketing site at www.inkfold.app.
Data controller. Inkfold (entity in formation), operated from Israel. Postal address available on request to [email protected].
Data Protection Officer. [email protected].
European Union representative. Appointment is in progress; the address will be published here once registered. Until then, contact [email protected] for any request you would otherwise route through an Article 27 representative.
2. How your conversations reach Inkfold
Inkfold does not passively watch your browser and does not snoop on the AI sites you visit. Content only enters your memory when you take an explicit action:
- Historical import — you export your conversation history from a vendor (ChatGPT, Claude, Gemini, Copilot, DeepSeek, Grok, Perplexity) and upload the archive to the web dashboard.
- Chatting through Inkfold — messages you send via the fl command-line interface, the web chat, or the mobile application are saved to your memory as they happen.
- Mobile share — you can share selected text or a conversation into the Inkfold mobile application via your device's share sheet.
How that content is then stored, and who can read it, depends on the retention mode you choose. See §3 for the per-mode details.
3. What data we collect
Account data (plaintext, we can read it)
- Email address — used to sign in and to send critical account alerts. Lawful basis: performance of the contract (GDPR Art. 6(1)(b)).
- Authentication tokens. Lawful basis: performance of the contract.
- Subscription and billing status if you purchase a paid plan. Payment itself is handled by our payment processor; we never see your card number. Lawful basis: performance of the contract; legal obligation for tax records.
User content — depends on retention mode
What Inkfold's servers store and can read depends on the mode you choose:
| Mode | What the server stores | Can Inkfold read it? |
|---|---|---|
| Smart (default) | Conversation text encrypted at rest with AES-256-GCM under a server-managed key; extracted entity graph; indexed metadata | Yes — the server-managed key allows decryption for context retrieval, knowledge-graph extraction, and quality compounding. Inkfold staff do not read individual conversations; access is gated by role and audited. |
| Private | AES-256-GCM ciphertext blobs and opaque graph nodes — encrypted on your device before upload | No. The key is derived from your passphrase via Argon2id (64 MB memory, 3 iterations) and never leaves your device. We hold only ciphertext. |
| Incognito | Nothing — the session is ephemeral | Nothing to read |
Smart mode is encrypted at rest but is not zero-knowledge. We hold the encryption key. We do not use Smart-mode content to train any model, we do not sell or share it, and access is internally restricted — but we are technically able to decrypt it, and you should treat it as such when deciding what to put into Smart mode.
Private mode is zero-knowledge at rest with respect to Inkfold. Because the key is derived from your passphrase, we cannot restore access if you lose your passphrase. Your local recovery key file (offered at setup) is the only fallback.
Lawful basis for processing conversation content: performance of the contract (GDPR Art. 6(1)(b)) in all modes. If you are in the European Union, you may switch to Private mode at any time, which prevents your content from being readable by us.
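Added example, not Inkfold's code: the Private-mode flow as the table describes it, written against the argon2-cffi and cryptography Python packages. The Argon2id memory size and iteration count follow the policy; the parallelism of 1, the 32-byte key length, the random 16-byte salt kept as account metadata, the blob identifier bound as associated data, and a recovery key file that holds the raw derived key are assumptions of this example. It shows the property the paragraph states: the server holds only salt and ciphertext, a wrong passphrase fails authentication instead of yielding garbage, and the recovery key is the only other way back in.

```python
import os
from typing import Optional
from argon2.low_level import Type, hash_secret_raw            # argon2-cffi
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Argon2id parameters stated in the policy: 64 MB memory, 3 iterations.
ARGON2_MEMORY_KIB = 64 * 1024
ARGON2_ITERATIONS = 3
ARGON2_PARALLELISM = 1   # assumption; the policy does not state it
KEY_LEN = 32             # AES-256 key length; assumption
NONCE_LEN = 12           # standard GCM nonce size


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> AES-256 key, computed on the device. The passphrase and key never leave it."""
    return hash_secret_raw(
        passphrase.encode("utf-8"), salt,
        time_cost=ARGON2_ITERATIONS, memory_cost=ARGON2_MEMORY_KIB,
        parallelism=ARGON2_PARALLELISM, hash_len=KEY_LEN, type=Type.ID,
    )


def encrypt_blob(key: bytes, blob_id: str, plaintext: bytes) -> dict:
    """AES-256-GCM with a fresh random nonce. Binding blob_id as associated data is an
    assumption of this example; it stops a ciphertext being silently moved to another id."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, blob_id.encode("utf-8"))
    return {"blob_id": blob_id, "nonce": nonce, "ciphertext": ciphertext}


def decrypt_blob(key: bytes, blob: dict) -> Optional[bytes]:
    """Return plaintext, or None when the key is wrong or the blob was altered (GCM tag check)."""
    try:
        return AESGCM(key).decrypt(blob["nonce"], blob["ciphertext"], blob["blob_id"].encode("utf-8"))
    except InvalidTag:
        return None


def demo() -> dict:
    # Device side, with constructed inputs (not real user content).
    passphrase = "correct horse battery staple"
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    recovery_key = key   # assumption: the local recovery key file written at setup holds the raw key
    plaintext = b"constructed conversation text: not real user content"
    blob = encrypt_blob(key, "conv-0001", plaintext)

    # Everything that is uploaded: the salt as account metadata and the ciphertext blob.
    # Neither the passphrase nor the derived key is ever sent.
    server_store = {"salt": salt, "blob": blob}

    # What anyone holding only server_store can do.
    wrong_key = derive_key("not the passphrase", server_store["salt"])
    last = server_store["blob"]["ciphertext"][-1]
    tampered = dict(blob, ciphertext=blob["ciphertext"][:-1] + bytes([last ^ 0x01]))
    return {
        "plaintext_in_store": plaintext in server_store["blob"]["ciphertext"],
        "wrong_passphrase_decrypts": decrypt_blob(wrong_key, server_store["blob"]) is not None,
        "recovery_key_decrypts": decrypt_blob(recovery_key, server_store["blob"]) == plaintext,
        "tamper_detected": decrypt_blob(key, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting. A wrong passphrase produces a clean authentication failure rather than plausible-looking output, because GCM verifies the tag before releasing any plaintext; that is also why a passphrase loss is final if the recovery file is gone, since the ciphertext alone is all that remains. And each blob gets its own random nonce: reusing a nonce under the same key breaks GCM confidentiality and integrity, so the nonce must be stored with the blob, never derived from a counter that can reset.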
Operational data (minimal, time-bounded)
- Request metadata. Internet Protocol address and user-agent of application programming interface requests for rate limiting and abuse prevention. Retained for up to 30 days in nginx access logs and not linked to your content store. Lawful basis: legitimate interests in operating a secure service (GDPR Art. 6(1)(f)).
- Server-side error reports. Stack traces from the application programming interface server only, via Sentry — no user content, no prompts, no AI responses. The web application includes an optional client-side Sentry integration that only activates when a build-time data-source name is configured; no client-side data-source name is configured in the current production build, so no client-side error data is sent to Sentry. Lawful basis: legitimate interests in keeping the service stable.
Crowd-wisdom routing — how Inkfold routes AI calls
The short version. Inkfold's job is to pick the right AI model for every task you give it. That works because every user's experience teaches the router what to do for the next user. When you use Inkfold, your execution paths — not your conversations — contribute to that shared intelligence. In return, you get a router that already knows which model wins on which kind of task on day one.
Crowd-wisdom telemetry is enabled by default. You can disable it at any time, at no cost, with no service penalty: in the web application, Settings → AI → "Help improve Inkfold routing for everyone" (toggle off); from the command line, fl telemetry opt-out. To delete previously contributed pre-aggregation records, run fl telemetry clear.
Lawful basis: legitimate interests in improving the routing engine for all users (GDPR Art. 6(1)(f)). Under Article 21 of the GDPR you have a right to object to processing on this basis; the opt-out controls above are the operational implementation of that right. The legitimate-interests balancing assessment is available on request to [email protected].
What we collect (the "execution path")
For each AI call Inkfold makes on your behalf, we record one fixed-shape record that describes what Inkfold did, not what you said:
- A task-type label (for example "code", "writing", "analysis", "translation") produced by a classifier running on your device. Only the label leaves the device; the prompt that produced it does not.
- Token counts — input, retrieved context, output, reasoning, and tool calls.
- The vendor and model chosen (in the form {vendor} / {model-name}; the actual vendor varies per request based on routing) and the routing strategy used (bandit, cache, override, etc.).
- Estimated cost in United States dollars and end-to-end latency in milliseconds.
- A success signal derived from your implicit reaction — thumbs up or down, whether you retried, whether you edited the answer, whether you continued the session.
- Policy flags raised by on-device redaction (for example pii_detected) — the flag, not the content that triggered it.
What we cannot collect
The execution-path schema is enforced by a server-side allowlist (see packages/server/src/jobs/crowd-aggregator.js in the FusionLayer engine). Any record arriving at the server with a field outside the allowlist is rejected at ingestion. This is enforcement, not policy. As a direct consequence, the following cannot enter the crowd-wisdom pipeline even if something upstream were misconfigured:
- The text of your prompts or the AI's answers.
- Your user identifier, email, account identifier, or session identifier.
- Your Internet Protocol address or device fingerprint.
- The content or filenames of context documents.
- Embeddings or hashes derived from any of the above.
We do not derive embeddings from your conversations for crowd-wisdom purposes. In Private and Incognito modes we technically cannot — the encryption model means we never hold the plaintext. In Smart mode we do index content for context retrieval (your benefit), but the crowd-wisdom pipeline rejects any field containing conversation content.
How aggregation works
Execution-path records are processed by a scheduled aggregator that groups them by (task_class, vendor, model) and computes win rates and sample counts over a rolling window, with a minimum-sample threshold of 50 before any model/task pair influences global routing. The output — the crowd_routing table — contains only model identifiers, task classes, win rates, and sample counts. No user-linked data survives aggregation. This is what the router reads when choosing a model for your next request.
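Added example, not the FusionLayer engine's crowd-aggregator.js: a stdlib Python sketch of the two mechanisms described under "What we cannot collect" and "How aggregation works". Field names, the bounded-identifier rule for the string fields, and the sample records are assumptions of this example; the minimum-sample threshold of 50 and the (task_class, vendor, model) grouping follow the policy. The point it adds beyond the text: an allowlist on field names is not enough on its own, because any free-text field (vendor, model, policy flag) is a channel through which prompt text could leak, so those fields are also bounded in length and character set before a record is accepted.

```python
import re
from collections import defaultdict

# Hypothetical fixed-shape schema mirroring the fields the policy lists.
ALLOWLIST = {
    "task_class": str,
    "tokens_in": int,
    "tokens_context": int,
    "tokens_out": int,
    "tokens_reasoning": int,
    "tool_calls": int,
    "vendor": str,
    "model": str,
    "strategy": str,
    "cost_usd": float,
    "latency_ms": int,
    "success": bool,
    "policy_flags": list,
}
TASK_CLASSES = {"code", "writing", "analysis", "translation"}
STRATEGIES = {"bandit", "cache", "override"}
COUNTERS = ("tokens_in", "tokens_context", "tokens_out", "tokens_reasoning", "tool_calls", "latency_ms")
# The only free-text fields. A bounded charset and length keep them from carrying prompt text.
IDENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
MAX_FLAGS = 8
MIN_SAMPLES = 50


class RejectedRecord(ValueError):
    """Raised at ingestion; a rejected record is never stored."""


def validate(record: dict) -> dict:
    """Return the record unchanged if it has exactly the allowlisted shape, else raise."""
    extra = set(record) - set(ALLOWLIST)
    if extra:
        raise RejectedRecord(f"fields outside allowlist: {sorted(extra)}")
    missing = set(ALLOWLIST) - set(record)
    if missing:
        raise RejectedRecord(f"missing fields: {sorted(missing)}")
    for name, expected in ALLOWLIST.items():
        value = record[name]
        # bool is a subclass of int in Python: keep counters and the success flag distinct.
        if expected is int and (isinstance(value, bool) or not isinstance(value, int)):
            raise RejectedRecord(f"{name} must be an integer")
        if expected is float and (isinstance(value, bool) or not isinstance(value, (int, float))):
            raise RejectedRecord(f"{name} must be numeric")
        if expected in (str, bool, list) and not isinstance(value, expected):
            raise RejectedRecord(f"{name} must be {expected.__name__}")
    if any(record[name] < 0 for name in COUNTERS) or record["cost_usd"] < 0:
        raise RejectedRecord("counters and cost must be non-negative")
    if record["task_class"] not in TASK_CLASSES:
        raise RejectedRecord("unknown task_class")
    if record["strategy"] not in STRATEGIES:
        raise RejectedRecord("unknown strategy")
    for name in ("vendor", "model"):
        if not IDENT.match(record[name]):
            raise RejectedRecord(f"{name} is not a bounded identifier")
    flags = record["policy_flags"]
    if len(flags) > MAX_FLAGS or not all(isinstance(f, str) and IDENT.match(f) for f in flags):
        raise RejectedRecord("policy_flags must be a short list of identifiers")
    return record


def ingest(records):
    """Split a batch into accepted records and the reasons for each rejection."""
    accepted, rejected = [], []
    for record in records:
        try:
            accepted.append(validate(record))
        except RejectedRecord as err:
            rejected.append(str(err))
    return accepted, rejected


def aggregate(records) -> dict:
    """Group by (task_class, vendor, model); emit only win rate and sample count, and only
    once a pair has at least MIN_SAMPLES records. Nothing per-record survives this step."""
    wins, samples = defaultdict(int), defaultdict(int)
    for record in records:
        key = (record["task_class"], record["vendor"], record["model"])
        samples[key] += 1
        wins[key] += int(record["success"])
    return {key: {"win_rate": wins[key] / n, "samples": n}
            for key, n in samples.items() if n >= MIN_SAMPLES}


def make_record(**overrides) -> dict:
    """Constructed sample record, not real telemetry."""
    base = {"task_class": "code", "tokens_in": 120, "tokens_context": 800, "tokens_out": 300,
            "tokens_reasoning": 0, "tool_calls": 1, "vendor": "vendor-a", "model": "model-x",
            "strategy": "bandit", "cost_usd": 0.004, "latency_ms": 1800, "success": True,
            "policy_flags": []}
    base.update(overrides)
    return base


def demo():
    batch = [make_record(success=i % 4 != 0) for i in range(60)]                 # 45 wins of 60
    batch += [make_record(vendor="vendor-b", model="model-y") for _ in range(10)]   # below threshold
    batch.append(make_record(prompt="please refactor this function"))            # content field
    batch.append(make_record(model="x" * 200))                                    # oversized identifier
    batch.append(make_record(policy_flags=["pii_detected: john@example.com"]))    # content inside a flag
    accepted, rejected = ingest(batch)
    return aggregate(accepted), rejected


if __name__ == "__main__":
    print(demo())
```

Of the three bad records in the constructed batch, only the first would be caught by a name-only allowlist; the other two smuggle content through fields that are on the list, which is why the identifier and flag checks are part of ingestion rather than a later policy. The below-threshold pair is held back from the output entirely, not published with a small sample count.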
Your rights over execution-path data
- Opt-out (right to object). Settings → AI toggle, or fl telemetry opt-out. Future events are not collected.
- Erasure (GDPR Art. 17). fl telemetry clear removes pre-aggregation records tied to your account. Post-aggregation statistics, which by construction identify no individual, are retained.
- Account deletion. Removes all account-linked records, including any pre-aggregation execution-path records still tied to your user identifier.
3a. Two-tier vendor consent
Inkfold can route every conversation through two AI models — a primary (the helper) and a secondary (the answerer). You choose which vendors you trust for each role. This two-tier architecture minimizes what any single vendor sees.
- Primary AI — reads your question plus relevant context from your memory. Produces a compact, context-rich prompt. It sees the most, so you should only allow vendors you trust here. Inkfold routes the primary through a privacy-safe paid application programming interface tier that does not train on your data.
- Secondary AI — receives the reformulated prompt from the primary. It only sees the compact prompt, not your original question or history, and produces the final answer.
The effective privacy tier of a conversation is the weaker of the two vendors' tiers. Inkfold shows you the effective tier before every request.
Privacy tier labels
Each vendor is assigned one of four tiers, shown in the Vendors settings tab:
- Zero-knowledge — processed on your own device only via the desktop tray application or the command-line interface. Nothing leaves your machine. Available when you install the Inkfold desktop application; the web version does not support this tier.
- Single-party — one cloud vendor sees your prompt under their own privacy policy. The vendor is whichever your routing picks for this request — Inkfold does not prefer any single vendor.
- Two-party — two different cloud vendors each see part of the conversation (primary sees context; secondary sees the reformulated prompt only).
- Inkfold-hosted — Inkfold-managed inference. Inkfold processes the request on your behalf on our servers. Your conversation is encrypted in transit and at rest.
You can set a privacy floor (the weakest tier you allow). If a request can only be handled by a vendor weaker than your floor, Inkfold blocks it rather than sending.
4. What we do not collect or do
- Smart mode only: we index conversation content to power context retrieval for you. In Private and Incognito modes we do not read or index your conversations.
- We do not sell or share your data with data brokers, advertisers, or third parties for marketing — in any mode.
- We do not use your content to train external AI models. Smart-mode entity extraction runs on Inkfold's own infrastructure for the sole purpose of improving your context retrieval quality.
- We do not track your browsing. Inkfold has no browser-level trackers and does not observe the websites or AI tools you visit.
4a. Analytics (marketing site and application)
The marketing site uses first-party self-hosted analytics (event data stored in our own Oracle Autonomous Database, Frankfurt European Union region) and, where you have given consent, Google Analytics 4. Google Analytics 4 data is sent to Google LLC (United States) under the European Union–United States Data Privacy Framework. Internet Protocol address anonymization is enabled; we do not share Google Analytics 4 data with any advertising network. You can opt out at any time via the consent banner, the browser Do Not Track header, or the Google Analytics opt-out browser plugin. We do not use Mixpanel, PostHog, or Cloudflare Insights.
Application surface (app.inkfold.app). Google Analytics 4 is also loaded on the logged-in application with your explicit consent. It fires only after you accept analytics cookies in the consent banner. If you have Private or Incognito mode active in Inkfold, Google Analytics 4 is automatically suppressed regardless of consent. You can revoke consent at any time by reopening the cookie preferences banner.
What we collect on the marketing site
- A random session identifier stored in your browser's localStorage — not a cookie, not shared across sites.
- The page path you viewed, hypertext transfer protocol referrer, and any utm_* uniform resource locator parameters.
- Coarse device class (mobile / tablet / desktop / bot) and browser family, derived from the User-Agent header.
- Country code derived from your Internet Protocol address at the edge (we never store the raw Internet Protocol address).
- Click events on elements explicitly marked for tracking — primary calls-to-action like "Sign up" and "Read the docs".
What we do not do on the marketing site
- No cookies, no fingerprinting, no cross-site identifiers in the first-party analytics path.
- No advertising pixels, no remarketing, no data sold to anyone.
- No session replay, no scroll heatmaps, no Document Object Model recording.
- If your browser sends the Do Not Track header, the analytics script is a complete no-op.
Lawful basis for analytics with cookies: consent (GDPR Art. 6(1)(a), ePrivacy Directive Art. 5(3)). For server-side counters with no identifiers: legitimate interests (Art. 6(1)(f)).
5. Where data is stored
- Smart-mode content: Oracle Autonomous Database (Frankfurt, European Union region) for structured data; Cloudflare R2 object storage for conversation blobs (server-side AES-256-GCM at rest under a server-managed key).
- Private-mode content: Cloudflare R2 object storage holds AES-256-GCM ciphertext blobs encrypted on your device before upload. Account metadata in Oracle Autonomous Database (Frankfurt, European Union).
- Incognito-mode content: nothing written to any persistent store.
- Bring-your-own-storage (Pro tier and above): you can configure your own object storage bucket for Private-mode blobs. In that configuration, Inkfold's servers never store your conversation blobs.
- Edge: Cloudflare provides the global content-delivery network, web-application firewall, transport-layer security termination, and bot mitigation. Cloudflare's edge is global, and traffic is processed at the nearest edge. Because transport-layer security terminates at that edge, the edge handles the decrypted request for Smart-mode traffic; Private-mode blobs are encrypted on your device before upload, so for them the edge sees only ciphertext inside the transport-layer-security session.
6. Sharing and disclosure
We disclose data only in these cases:
- Sub-processors that help us operate (Cloudflare for edge and storage; Oracle for database; Lemon Squeezy for billing; Google Workspace for operational email; the underlying FusionLayer engine for orchestration; the AI vendors you have configured for inference). These providers process only what is strictly needed.
- Legal requirements — valid court order, subpoena, or law-enforcement request. Because Private-mode content is encrypted client-side, we can only provide ciphertext and account metadata for that content, not readable content.
- Business transfer — if Inkfold is acquired, data moves to the acquirer under the same terms or better. You will be notified before any change.
A current sub-processor list is available at /legal/subprocessors (in progress). Material additions are notified by email at least 30 days before they take effect, giving you time to object or terminate (GDPR Art. 28(2)). International transfers outside the European Economic Area rely on Standard Contractual Clauses where the recipient is not under an adequacy decision.
7. Your rights
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in Articles 15 to 22 of the General Data Protection Regulation. If you are a California resident, you have parallel rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act. In plain language, you can:
- Access the personal data we hold about you — from the dashboard or by emailing [email protected].
- Rectify data that is inaccurate.
- Erase your account — Settings → Account → Delete. This permanently erases all blobs (both server-encrypted Smart-mode blobs and client-encrypted Private-mode blobs) and account-linked metadata within 30 days.
- Restrict processing while a complaint or correction is pending.
- Port your data — Settings → Data → Export downloads a Universal AI Context Protocol archive in an open, self-describing format.
- Object to processing based on legitimate interests, including crowd-wisdom telemetry (Art. 21). The opt-out controls above are how you exercise this right.
- Withdraw consent to any consent-based processing (for example, analytics cookies) at any time.
- Revoke sync — the Inkfold application continues to work locally without sending anything to our servers.
- Erase routing telemetry via fl telemetry clear.
- Lodge a complaint with your national supervisory authority (Art. 77). In Israel: the Privacy Protection Authority. In the European Union: your national data-protection authority. In the United Kingdom: the Information Commissioner's Office.
We respond to verified requests within 30 days. We will not discriminate against you for exercising any of these rights (CCPA §1798.125).
8. Children and minors
8.1 Under 13 — verifiable parental consent
Inkfold does not knowingly collect personal data from children under 13 without verifiable parental consent. When a user provides a date of birth indicating they are under 13, we require a parent or legal guardian to approve the account before any data is stored. The consent flow collects the parent's email address, consent timestamp, Internet Protocol address, and the version of this policy they consented to. This record is retained as a legal audit trail.
What we collect from child accounts (under 13):
- Email address (for sign-in only).
- Date of birth (to enforce age-appropriate restrictions).
- Conversation content, default Private mode (we have no technical ability to read it without your device key).
What we do not do with child accounts:
- No advertising or behavioral profiling.
- No model training on child data.
- No crowd-wisdom contribution (telemetry from child accounts is excluded from the aggregation pipeline).
- No conversation persistence by default — session data is cleared after 24 hours unless a parent explicitly enables history.
Parent and guardian rights. A parent or legal guardian may, at any time, (a) review the data held for their child's account, (b) request deletion of that data, or (c) revoke consent, which will immediately suspend the account and queue data deletion. Contact us at [email protected].
If you believe a child under 13 has created an account without parental consent, contact us at [email protected] and we will delete the account within 5 business days.
8.2 Minors aged 13 to 17
Inkfold permits registration for users aged 13 and over, subject to any higher minimum digital-consent age that applies in your jurisdiction. Accounts held by users under 18 are subject to these additional restrictions:
- No behavioral advertising — we do not use usage data for ad targeting.
- No urgency-based or manipulative upsell techniques directed at minor accounts.
- Model training: we do not currently use conversation data to train any model; if we ever do, minor accounts will be excluded by default.
- Any telemetry from teen accounts that does participate in the crowd-wisdom pipeline is aggregated with a k-anonymity threshold no lower than 50.
8.3 Inkfold for Schools (future)
When the Inkfold for Schools product is launched, it will be governed by a separate Data Processing Agreement with the institution. Student data will not be used for advertising or model training. Until that product ships, Inkfold should not be used as a primary educational tool in K-12 environments and we do not represent the consumer product as compliant with the United States Family Educational Rights and Privacy Act.
9. International transfers
Inkfold is operated from Israel. The European Commission has issued an adequacy decision for Israel under Article 45 of the General Data Protection Regulation, which permits transfers from the European Economic Area to Israel without additional safeguards. Servers used for storage are hosted in the European Union (Frankfurt) and at Cloudflare's global edge. Transfers to United States sub-processors (for example, Google Analytics 4 and Google Workspace) rely on the European Union–United States Data Privacy Framework where applicable, and otherwise on Standard Contractual Clauses with supplementary measures appropriate to the data category.
9a. Marketplace publishing
The Inkfold Marketplace lets you share Universal AI Context Protocol primitives (policies, guidelines, skills, strategies, and routines) with the community. Publishing is entirely opt-in.
What you publish becomes public
- The YAML source of any primitive you publish is stored unencrypted in Cloudflare R2 and served publicly. Do not include secrets, personal data, or proprietary information in published primitives.
- Your author identity (your account username or handle) is attached to the published item.
- Download counts and community ratings are publicly visible.
What we moderate
- Every submission is scanned for prompt-injection patterns before it enters the review queue.
- Staff review each item before it is published. We may reject items for safety, legal, or quality reasons.
- Published items may be removed at any time if they violate our Terms of Service.
Private publishing
You can publish a primitive with visibility: private (or fl publish --private). Private items are stored but not listed publicly and cannot be installed by other users.
10. Federated differential-privacy mode — roadmap, not currently available
We are designing a federated differential-privacy contribution mode in which raw telemetry is replaced by a locally computed, calibrated-noise gradient submitted on a daily schedule via secure aggregation. This feature is not currently available. We will not enable it without first updating this policy and notifying account holders by email at least 30 days before it takes effect, with an explicit choice to opt in. Until then, the only contribution path is the opt-outable execution-path telemetry described in §3.
11. Changes to this policy
We may update this policy. Material changes will be announced by email to account holders and in a banner on this page at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision. We keep a public change log so you can see what changed and when. If a material change is substantively prejudicial to you and your local law requires affirmative consent, we will obtain it.
12. Contact
Privacy questions, data-subject requests, or concerns:
- Privacy: [email protected]
- Data Protection Officer: [email protected]
- Security incidents: [email protected]
- Support: [email protected]