Privacy Policy

Last updated: April 23, 2026

This document outlines our commitment to zero-knowledge operations and End-to-End Encryption.

1. Introduction

Abolitus ("we", "our", or "us") operates a privacy-first, client-side artificial intelligence chat platform. Our architecture is fundamentally designed around zero-knowledge principles and End-to-End Encryption (E2EE), ensuring that your most sensitive data remains under your exclusive control.

This Privacy Policy explains how we handle data, the technical limitations on our access to your information, and your rights regarding the limited operational data we do process.

2. Data We Process and Store

Our infrastructure operates as a 'dumb encrypted blob store'. The limited data that reaches our servers includes hashed synchronization slot identifiers, AES-256-GCM encrypted synchronization blobs (with 1KB chunk padding to obscure payload size), encrypted authentication metadata, payment transaction hashes, and entitlement states.

We may also process anonymized operational error metadata strictly necessary to maintain the reliability of our control-plane flows. We categorically do not run advertising trackers, usage analytics SDKs, or behavior profiling systems inside the application.

3. Data We Cannot Access

Abolitus is engineered so that we have zero visibility into your plaintext data. We cannot read, monitor, or access your chat content, character cards, lorebooks, local vector memory, or prompts.

Furthermore, your API keys, master vault encryption key, and recovery phrases exist exclusively on your local device. Because we do not transmit or store your master key, we cannot recover your encrypted local data or cloud backups if you lose your password or recovery phrase.

4. Third-Party Services and Routing

Abolitus relies on specific third-party infrastructure: Supabase for encrypted blob storage and control-plane services, and blockchain RPC providers for payment verification. All data uploaded to our storage infrastructure is encrypted client-side before transmission.

You interact directly with Large Language Model (LLM) providers (such as OpenRouter, or local models served by Ollama or LM Studio) from your browser. Your API keys are stored in your local Dexie.js (IndexedDB) database and sent directly to these providers via browser-based fetch requests; they never pass through our backend. Your relationship with these model providers is governed by their respective privacy policies.

5. Cookies and Local Storage

Abolitus does not utilize analytics cookies, advertising cookies, or third-party tracking pixels. Our application is completely devoid of external monitoring scripts.

We strictly utilize standard browser storage APIs—including IndexedDB, localStorage, and sessionStorage—to preserve your local encrypted state, manage vault lock status, and ensure session continuity directly on your device.

6. Security Invariants and Client-Side Filtering

Our security architecture mandates that the master encryption key is never transmitted to any server. All cryptography is executed via Web Workers within your browser environment.

Abolitus implements a 100% client-side CSAM shield. Detection events are processed entirely on your device and result in the message being silently dropped. These events produce zero server logs, maintaining our zero-knowledge invariant.

7. Data Retention

Encrypted cloud blobs are retained while your premium access remains active, and for a limited retention grace period after expiry to support account continuity.

Expired encrypted cloud data is permanently deleted from our servers after 90 days of inactivity. Local data stored on your device remains entirely under your control indefinitely, unless you manually remove it or lose the credentials required to decrypt it.

8. GDPR, CCPA, and Privacy Rights

Given our zero-knowledge architecture, we do not possess readable personal data. Fulfilling deletion or access requests (such as under GDPR or CCPA) is limited to deleting the encrypted blobs, related entitlement states, and payment records associated with your hashed identifier.

You maintain total sovereignty over your local browser data. You can exercise your right to deletion at any time by clearing your browser's site storage or using the in-app local vault destruction tools.

9. Contact Information

For privacy inquiries, data deletion requests, or legal correspondence, please contact our privacy team at legal@abolitus.com.