Privacy Policy

Last updated: March 1, 2026

Our Privacy Commitment

Cavendra does not store your conversations on our servers. Messages are processed transiently to generate AI responses and are not retained. If you enable Encrypted Mode, your chat history is stored locally using a key that only you hold — we cannot read it.

What We Collect

  • Account identifier: A randomly generated UUID. No name, no email, no phone number. This ID is stored in an encrypted browser cookie.
  • Pulse balance and transactions: The number of tokens you have purchased and used, without any link to your real identity.
  • Passkey credential (optional): A cryptographic public key bound to your device. No biometric data leaves your device.
  • Encrypted chat history (optional): If you enable Encrypted Mode, your chat history is encrypted in your browser before being stored. We store only ciphertext and a nonce. We cannot read it.

What We Do NOT Collect

  • Email address in our own app or database
  • Name or postal address
  • IP address (not stored or logged)
  • Conversation content (prompts or responses)
  • Browsing history or tracking cookies
  • Device fingerprints

Payments

Payments are processed by Stripe through Stripe Checkout. Stripe may collect your payment details and billing contact details, including an email address, on its hosted checkout page. We receive only the payment result and the account identifier we attach to the checkout session. We do not store payment card details, and we do not store your checkout email in Cavendra.

See Stripe's privacy policy at stripe.com/privacy.

Zero-Knowledge Storage

If you use Encrypted Mode, your chat messages are encrypted using a key that exists only in your browser (derived from your passkey via the FIDO2 PRF extension). We store the encrypted data. We do not have access to the key, and therefore cannot decrypt or read your messages.

Your Rights (GDPR)

You have the right to:

  • Access: Request a copy of data we hold about your account ID.
  • Erasure: Delete all data associated with your account ID. You can do this at any time via Settings → Delete Account. We will delete: your balance, all transactions, and all encrypted chat ciphertext. Since we cannot read the ciphertext, the deletion is verifiable via our open schema.
  • Portability: Your encrypted data is stored in standard formats (AES-256-GCM, base64). If you have your encryption key, you can decrypt it independently.

We cannot identify you from your account ID alone. If you lose your account ID and passkey, we cannot link any data to you.

Data Processors

We use the following third-party services to operate Cavendra. Each processes only the minimum data necessary.

Processor | Purpose | Data Shared
Anthropic | AI model provider (standard mode) | Chat prompts/responses, processed with zero data retention — not stored or used for training. See Anthropic's privacy policy.
xAI | AI model provider (unfiltered mode) | Chat prompts/responses, processed transiently. Only used when unfiltered mode is enabled. See xAI's privacy policy.
Supabase | Database hosting | Account UUID, encrypted ciphertext, Pulse balance. No plaintext content.
Vercel | Hosting & infrastructure | HTTP requests (no content logged by us).
Stripe | Payment processing | Account UUID and payment amount; Stripe may additionally collect billing contact details such as payer email on its hosted checkout page. See Stripe's privacy policy.

Data Processing Agreements (DPAs) are required with all processors before launch.

No Tracking, No Analytics

We do not use Google Analytics, Meta Pixel, or any third-party tracking scripts. All fonts, icons, and assets are self-hosted. The only external domain your browser contacts is Stripe's checkout page when you make a payment.

Data Retention

We retain account data until you delete it. Transaction records are retained for 7 years as required by financial regulations (Pulse balance history, not payment card data).

Contact

For privacy questions, contact: privacy@usecavendra.com