Privacy & Security

Privacy-first architecture — your data stays on your machine

Privacy-First Design

TorlyAI Desktop stores all data locally on your machine. Your business plans, financial models, and personal information never leave your device — the only external connection is to the Anthropic API for AI processing.

Local Data Storage

All user data is stored at ~/.torlyai/ on your machine:

File                Contents
config.json         Workspace configuration and app settings
credentials.enc     API keys — encrypted with AES-256-GCM
preferences.json    Theme and appearance settings
gdpr-consent.json   Your consent records
workspaces/         Session logs, business plans, financial models, tasks, and project data

No cloud database, no remote storage, no syncing unless you explicitly enable it.

Encryption

API Key Encryption

Your Anthropic API key is encrypted using AES-256-GCM before being written to disk. The key is decrypted only in memory when making API calls.
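
One way to check the storage claims above on your own machine, as an added example that is not TorlyAI's code: the script walks a data directory laid out like ~/.torlyai/ and flags any file that holds a plaintext Anthropic-style key or is readable by other local users. The "sk-ant-" key pattern, the function names and the sample tree are assumptions constructed for this example.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: Anthropic API keys begin with "sk-ant-"; the length bound is a heuristic.
KEY_PATTERN = re.compile(rb"sk-ant-[A-Za-z0-9_\-]{20,}")

def audit_data_dir(root):
    """Return (relative_path, finding) tuples for every file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # A plaintext key anywhere (settings, session logs, or the .enc file
        # itself) means encryption at rest is not what protects it.
        if KEY_PATTERN.search(path.read_bytes()):
            findings.append((rel, "plaintext API key"))
        # POSIX only: local data should be readable by the owning user alone.
        if os.name == "posix" and stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append((rel, "readable by group/other"))
    return findings

def build_sample_dir():
    """Constructed sample tree mirroring the layout above; all values are fake."""
    root = Path(tempfile.mkdtemp())
    (root / "workspaces").mkdir()
    fake_key = b"sk-ant-" + b"A" * 32  # constructed, not a real key
    files = {
        "config.json": (b'{"workspace": "demo"}', 0o600),
        # Stand-in for ciphertext, deliberately given a loose file mode.
        "credentials.enc": (bytes(range(128, 192)), 0o644),
        # Simulated leak: a key written into a session log in the clear.
        "workspaces/session.log": (b"debug: key=" + fake_key, 0o600),
    }
    for name, (data, mode) in files.items():
        target = root / name
        target.write_bytes(data)
        target.chmod(mode)
    return root

if __name__ == "__main__":
    for rel, finding in audit_data_dir(build_sample_dir()):
        print(f"{rel}: {finding}")
```

To run it against the real directory, call audit_data_dir(Path.home() / ".torlyai"); an empty list means neither check fired.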

BYOK on Web

On the web platform, Bring Your Own Key (BYOK) API keys are encrypted with AES-GCM in the browser and stored in localStorage — never sent to our servers.

GDPR Compliance

TorlyAI implements full UK GDPR compliance with the following data subject rights:

Right of Access

Export all your personal data at any time. Since data is stored locally, you always have direct access.

Right to Rectification

Update or correct any personal information through the app settings.

Right to Erasure

Delete your data completely. Since it is stored locally, deletion is immediate and permanent.

Right to Data Portability

Export your business plans, financial models, and session data in standard formats (Markdown, JSON, PDF, DOCX).

What We Don't Collect

  • No analytics tracking — we do not track your usage patterns
  • No business plan content — your plans are never sent to our servers
  • No personal data collection — we do not collect names, emails, or other PII through the desktop app
  • No session logs — chat conversations stay on your machine
  • No telemetry — no crash reports or usage metrics are sent without consent

AI Processing

The only external data transfer is to the Anthropic API for AI processing. Your prompts and business plan context are sent to Claude for generating responses, but Anthropic does not store or train on this data per their API terms of service.

Note: You provide your own Anthropic API key (BYOK model). TorlyAI does not provide API access or proxy your requests.
