Privacy at Ostler.

Ostler runs entirely on your hardware. We cannot access your data. This is not a policy decision. It is an architectural one.

Last updated: 7 May 2026

This page explains exactly what data Ostler processes, where it goes, and who can see it. The short version: your data stays on your machine, and nobody – including us – can see it.

What Ostler processes

When you run Ostler, it imports and processes data from your GDPR exports and connected services:

  • Contact names, companies, positions, and connection dates from LinkedIn, Facebook, Instagram, Twitter, WhatsApp, and iCloud
  • Calendar events (dates, titles) from Google Calendar and iCloud Calendar
  • Message metadata (who, when, how many) from LinkedIn Messages – not message content
  • Conversation transcripts (if you use the conversation capture features)
  • Browser history URLs and page titles (if you enable the browser extension)

Where your data is stored

On your machine. Only your machine.

Ostler stores data in three local databases running as local container services on your Mac, with all data files written to your home directory:

  • Qdrant – vector database for semantic search
  • Oxigraph – knowledge graph (RDF triples)
  • Valkey – cache and message bus (the Linux Foundation fork of Redis 7.2)

The engine zone (~/.ostler/) holds the database files, encryption keys, and service configuration. The visible zone (~/Documents/Ostler/) holds the human-readable outputs: conversation summaries, wiki pages, and exported artefacts. Both directories are on your local filesystem and nowhere else.

These databases run on localhost and are not exposed to the internet. The on-disk files are encrypted at rest with a key derived from a passphrase only you hold (PBKDF2 600,000 iterations, SQLCipher AES-256). Without your passphrase the databases are unreadable to anyone, including us. The full crypto detail is in the legal privacy policy §8.
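The localhost-only claim above can be checked from the machine's listening-socket table. This is an added example, not Ostler's own code: it parses `lsof -nP -iTCP -sTCP:LISTEN` output and reports any listener bound beyond loopback. The sample rows, process names and port numbers are constructed for illustration.

```python
import ipaddress

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output; process names,
# PIDs and port numbers are illustrative, not Ostler's documented values.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
com.docke  4121 alex   45u  IPv4 0xa1      0t0  TCP 127.0.0.1:6333 (LISTEN)
com.docke  4121 alex   46u  IPv6 0xa2      0t0  TCP [::1]:7878 (LISTEN)
com.docke  4121 alex   47u  IPv4 0xa3      0t0  TCP *:6379 (LISTEN)
ollama     4302 alex    3u  IPv4 0xa4      0t0  TCP 127.0.0.1:11434 (LISTEN)
"""


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; '*' means every interface."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # unparseable bind address: treat as exposed


def parse_listeners(lsof_text: str):
    """Yield (command, pid, host, port) for each LISTEN row."""
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue  # header or non-listening row
        host, _, port = fields[-2].rpartition(":")
        yield fields[0], int(fields[1]), host, int(port)


def exposed_listeners(lsof_text: str):
    """Listeners reachable from other hosts (bound beyond loopback)."""
    return [row for row in parse_listeners(lsof_text) if not is_loopback(row[2])]


if __name__ == "__main__":
    for cmd, pid, host, port in exposed_listeners(SAMPLE_LSOF):
        print(f"NOT loopback-only: {cmd} (pid {pid}) listening on {host}:{port}")
```

A container port published without an explicit `127.0.0.1:` bind address shows up as `*:<port>`, which is the case the constructed third row models.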

What Ostler sends to the cloud

Your knowledge graph stays on your Mac.

The AI models run locally via Ollama. The Ostler app contains no telemetry, no in-app analytics, no crash reporting, and no usage tracking. We do not know who is using Ostler, how many people are using it, or what they are doing with it. No bulk export of your graph leaves your device under any circumstances. (The marketing website ostler.ai uses Cloudflare Web Analytics, a cookieless privacy-respecting analytics service – see “Marketing site, sign-ups, and billing” below.)

What Ostler does fetch from the internet

Ostler connects to the internet for these specific purposes. None of them stream your knowledge graph; two of them carry names from your graph in the query, which we are direct about:

  • Wikidata / Wikipedia – public biographical and organisational data, used to enrich person and company pages. The query carries the name of the person or organisation you are enriching. Off by default; enable in Settings.
  • Web search – when you explicitly ask your assistant to search the web. The query you typed is sent to your configured search provider (default: a SearXNG instance that strips client identifiers before forwarding to upstream engines). Triggered only when you ask.
  • AI model downloads – one-time downloads of model weights from Ollama’s registry during setup. No personal data.
  • Software updates – Homebrew packages and Ostler component updates via the built-in updater. No personal data.

The honest summary: public data comes in; nothing about your relationships, messages, calendar, or inferences is uploaded. Names do leave your device for Wikidata enrichment (when you enable it) and in any query you actively send to web search. The full breakdown is in the legal privacy policy §5.

You can verify this by disconnecting from the internet. Ostler continues to work – you lose web search and Wikidata enrichment, but your knowledge graph, AI assistant, and all local features function normally.

Independently audited

An independent security review is in scoping with a recognised cybersecurity firm. We aim to publish a public summary when complete. Trust should be verifiable, not assumed.

Data portability

Your data is stored in standard, open formats:

  • Qdrant vectors can be exported as JSON
  • Oxigraph triples can be exported as Turtle, N-Triples, or JSON-LD
  • Conversation transcripts are stored as Markdown files
  • Coaching observations are in SQLite databases

If you stop using Ostler, your data does not disappear into a proprietary format. It remains on your machine in standard formats that any other tool can read.

Data deletion

To exercise your right to erasure: run ostler-uninstall, which stops all Hub services and the local database containers and removes your data (~/.ostler/ and ~/Documents/Ostler/). Your data is gone. There is no server-side copy to request deletion of, because there is no server.

Future features

If we ever build a feature that touches the network, we will tell you before it ships and it will be opt-in. Local-first is not a marketing position. It is how the software is built.

Marketing site, sign-ups, and billing

The pieces of personal data Creative Machines itself holds are limited and disclosed in full in the legal privacy policy. Summary:

  • Newsletter / early-access sign-ups are sent to Buttondown (buttondown.email), our email service provider, who stores your email and name solely to deliver our updates. We never share, sell, or use this data for anything else. You can unsubscribe with one click in any email.
  • Website analytics on ostler.ai and docs.ostler.ai use Cloudflare Web Analytics, a cookieless, privacy-respecting analytics service derived from edge request logs. No identifying cookies are set, no profiles of visitors are built, and IP addresses are not retained in a linkable form.
  • Billing for the Hub goes through Stripe Inc. (USA; transfers from EU/UK governed by EU Standard Contractual Clauses); Ostler Pro is billed by Apple Inc. via the iOS App Store (USA / Ireland). We see only a subscription identifier and payment status, never your card. Both providers are described in detail in the legal privacy policy §9.

Contact

Questions about privacy, data handling, or this policy: [email protected].

Suspected vulnerability or security issue? Email [email protected] and see the responsible-disclosure note on our security page.

You cannot un-share your soul. That is why we built Ostler to never ask you to.

Architecture is the policy.

Local  ·  Verifiable  ·  Yours