Privacy
depends on: identity
Privacy is not a compliance checkbox. It is respect for the people who trust an agent with their information. Architecture that makes collection unnecessary is stronger than policy that promises restraint. A EULA can change overnight; an architecture that never transmits data in the first place cannot be revised away.
Principles
- Local-first: Process on the user's device whenever possible — client-side validation, on-device summarization, local text processing. This is the primary strategy. When data never leaves the device, no policy is needed to protect it.
- Collect minimally: When local processing isn't sufficient, collect only what's necessary for the current task.
- Store briefly: Process in memory. If storage is needed, define retention and enforce it. Delete when done.
- Transmit securely: HTTPS always. Never put sensitive data in URLs.
- Be transparent: Users should know what you collect, why, how long, and who else sees it.
Patterns
Consent before collection:
I need your email to send the report.
I won't store it after sending. Is that okay?
Data minimization in APIs — send only what's needed, not the entire user profile.
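An added example, not part of the original page, of data minimization in an API call: a per-task allowlist in which every outbound field carries its justification, failing closed on unknown tasks, plus an audit record that lists field names only. The profile, task names and field names are constructed for illustration.

```python
# Constructed sample profile; every field name and value here is hypothetical.
SAMPLE_PROFILE = {
    "user_id": "u-1029",
    "email": "pat@example.com",
    "full_name": "Pat Example",
    "date_of_birth": "1990-04-02",
    "home_address": "1 Example Street",
    "locale": "en-GB",
}

# Per-task allowlist: a field may leave the process only if it is listed
# here together with the reason it is needed. Task names are hypothetical.
TASK_FIELDS = {
    "send_report": {"email": "delivery address for the report"},
    "localize_ui": {"locale": "selects the display language"},
}


class UnknownTask(Exception):
    """Raised when a task has no allowlist; nothing is sent in that case."""


def minimize(profile, task):
    """Return only the fields allowlisted for `task` (fail closed)."""
    try:
        allowed = TASK_FIELDS[task]
    except KeyError:
        # Carry the task name only, never any profile data.
        raise UnknownTask(task) from None
    missing = [name for name in allowed if name not in profile]
    if missing:
        # Error text contains field names, not field values.
        raise ValueError(f"profile lacks required fields: {missing}")
    return {name: profile[name] for name in allowed}


def audit_record(profile, task):
    """Log-safe summary of one outbound call: field names, never values."""
    sent = sorted(minimize(profile, task))
    withheld = sorted(set(profile) - set(sent))
    return {"task": task, "sent": sent, "withheld": withheld}


if __name__ == "__main__":
    print(minimize(SAMPLE_PROFILE, "send_report"))
    print(audit_record(SAMPLE_PROFILE, "send_report"))
```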
Agent-specific concerns
- Don't log full conversation transcripts without consent
- Be transparent about what the agent "remembers" across sessions
- Provide clear mechanisms to clear agent memory
- Don't use one user's data to personalize another user's experience
- Audit what flows to third-party services
For agents
- Default to not collecting — justify each field
- Implement data deletion from day one
- Encrypt at rest, not just in transit
- Never put personal data in error messages or logs