---
title: Privacy
description: Privacy-first data handling, minimal collection, and user consent
tags: [privacy, security, trust]
dependencies: [identity]
---

# Privacy

Privacy is not a compliance checkbox. It is respect for the people who trust an agent with their information. Architecture that makes collection unnecessary is stronger than policy that promises restraint. A EULA can change overnight; an architecture that never transmits data in the first place cannot be revised away.

## Principles

- **Local-first**: Process on the user's device whenever possible — client-side validation, on-device summarization, local text processing. This is the primary strategy. When data never leaves the device, no policy is needed to protect it.
- **Collect minimally**: When local processing isn't sufficient, collect only what's necessary for the current task.
- **Store briefly**: Process in memory. If storage is needed, define retention and enforce it. Delete when done.
- **Transmit securely**: HTTPS always. Never put sensitive data in URLs; query strings end up in server logs, browser history and Referer headers.
- **Be transparent**: Users should know what you collect, why, how long, and who else sees it.

## Patterns

Consent before collection:

```text
I need your email to send the report.
I won't store it after sending. Is that okay?
```

Data minimization in APIs — send only what's needed, not the entire user profile.

## Agent-specific concerns

- Don't log full conversation transcripts without consent
- Be transparent about what the agent "remembers" across sessions
- Provide clear mechanisms to clear agent memory
- Don't use one user's data to personalize another user's experience
- Audit what flows to third-party services

## For agents

1. Default to not collecting — justify each field
2. Implement data deletion from day one
3. Encrypt at rest, not just in transit
4. Never put personal data in error messages or logs
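The API minimization pattern above and items 1, 2 and 4 of this list, as an added example that is not part of the original page: a per-task field allowlist so only needed profile fields leave the device, an in-memory store that enforces its own retention and supports deletion, and a redactor that scrubs e-mail addresses and phone numbers before text reaches logs or error messages. The profile, task names and TTL are constructed for illustration.

```python
import re
import time

# Constructed sample profile; only task-relevant fields should ever leave the device.
USER_PROFILE = {
    "user_id": "u-123",
    "email": "ada@example.com",
    "phone": "+1-555-0100",
    "display_name": "Ada",
}
# Deny by default: each outbound task declares the fields it is allowed to send.
TASK_FIELDS = {
    "send_report": {"email"},
    "greet": {"display_name"},
}

def minimize(profile, task):
    """Project a profile down to the fields allow-listed for `task` (unknown task -> nothing)."""
    allowed = TASK_FIELDS.get(task, set())
    return {k: v for k, v in profile.items() if k in allowed}

class ShortLivedStore:
    """In-memory store that enforces retention: entries past their TTL are dropped on every read."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so retention can be tested without sleeping
        self._items = {}

    def put(self, key, value):
        self._items[key] = (value, self.clock() + self.ttl)

    def get(self, key):
        self.purge()
        entry = self._items.get(key)
        return entry[0] if entry else None

    def delete(self, key):
        self._items.pop(key, None)  # explicit deletion, available from day one

    def purge(self):
        now = self.clock()
        for k in [k for k, (_, exp) in self._items.items() if exp <= now]:
            del self._items[k]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def redact(message):
    """Scrub e-mail addresses and phone numbers before text reaches logs or error output."""
    message = EMAIL_RE.sub("[email redacted]", message)
    return PHONE_RE.sub("[phone redacted]", message)
```

Wrap your logger's formatter and exception handler with `redact` so the scrubbing is not left to each call site.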
