At kashi.io, we believe privacy is a fundamental right. Our application is designed around a local-first architecture, meaning your data belongs to you, resides on your local device by default, and is only sent to the cloud when you explicitly configure and request it.
1. Data Storage & Ownership
By default, all notes, folders, tasks, saved searches, and password manager entries are stored strictly within your browser's local storage (such as localStorage and IndexedDB). We do not collect, view, or store this local data unless you create a cloud account and enable synchronization.
2. Cloud Sync & End-to-End Encryption
If you choose to register for a cloud account, your data is synchronized to our servers to enable backup and multi-device access. To protect your sync data, we provide an optional Cloud encrypt (End-to-End Encryption) feature:
- Local Encryption: Your workspace library JSON is encrypted directly in your browser using AES-256-GCM via the Web Crypto API before it is uploaded.
- Opaque to Servers: Because the decryption key is derived locally from your passphrase and is never sent to our servers, we cannot read the contents of your notes or workspace structure.
- Data Recovery: You receive a six-word recovery phrase upon setup. If you lose both your passphrase and recovery phrase, we cannot recover or decrypt your data.
- Important Notice: File attachments (up to 25MB each) and meeting audio recordings are currently uploaded as standard secure cloud files (protected by HTTPS and session authentication) and are not covered by the library's end-to-end encryption.
3. Real-time Communication & Collaboration
We offer real-time peer collaboration on shared notes and real-time chat (DMs and Group Channels) powered by Firebase Realtime Database. When you use these features:
- Discovery: Other registered users can look up your account by name or email address to start chat conversations or invite you to share notes.
- Message Processing: Chat messages, channel metadata, and collaborative edit updates are transmitted in real-time. This information is stored in the database to keep history synchronized across your authenticated devices.
- Shared Notes Access: You can grant
read or write permissions for shared notes. Access can be revoked instantly.
4. AI Assistant Context
When using the in-app AI assistant, note context is processed to generate answers:
- Context Bounds: The assistant only receives the context you specify (the active note, specific @-mentioned notes, or the entire workspace) along with optional file attachments or web search results.
- Processing: Prompts are sent securely to model APIs (via OpenRouter) and are not saved by the AI providers for training purposes.
5. Cookies & Tracking
We use session cookies and secure authentication tokens to manage your sign-in state. We run zero third-party tracking scripts, advertising cookies, or analytics beacons. We only log anonymous server access logs to maintain security and monitor application stability.
6. Contact Us
If you have any questions about this Privacy Policy, your data rights, or kashi.io's security practices, please contact us at [email protected].