Privacy Policy

Last updated: 7 June 2026

The short version. Abertide is local-first. When you use the app without signing in or enabling a cloud feature, we collect nothing and send nothing to our servers. Cloud features are opt-in, per vault, and clearly labelled. Your credentials stay encrypted on your own device. You can return to a fully local, offline state at any time.

1. Who we are

Abertide ("Abertide", "we", "us") provides a local-first, multi-agent project workspace, available as a desktop application and optional cloud services. This policy explains what data we process and when. Questions: admin@abertide.com.

2. Local-first by default

The Abertide desktop app stores everything you create — notes, tasks, canvases, project files — as ordinary files on your own device. You do not need an account to use it.

In this default state we do not:

collect telemetry, usage analytics, or crash data automatically;
ping our servers to check for updates;
transmit your content anywhere.

Diagnostic reports are only ever sent if you explicitly choose to send one.

3. What we collect (only when you opt in)

Account sign-in

If you choose to sign in to use cloud features, we process your email address and authentication tokens to identify your account and manage any subscription. Signing in by itself does not upload your content.

Managed Sync (optional, per vault)

If you enable Managed Sync for a vault, that vault's content is synchronised to our cloud storage. You choose the protection mode for each vault:

SaaS mode — content is stored so that real-time collaboration and sharing are possible. Our infrastructure can technically access it (the same trust model as Notion, Linear, or Dropbox). We do not call SaaS-mode vaults "zero-knowledge", because they are not.
Vault-bound end-to-end encryption (E2EE) — content is encrypted on your device with a key derived from a vault password you set, before it is uploaded. By design, we receive only encrypted data and the key never leaves your device, so our infrastructure is not designed to be able to read the contents. The cryptographic design (key derivation and authenticated encryption) is documented and slated for independent third-party audit; until that audit is published we describe this protection at the design level rather than as an audited guarantee. There is no recovery key: if you lose the vault password, the remote copy cannot be recovered.

Vaults you do not enable sync for are never uploaded.

4. Connected tools (Jira, GitHub, and similar)

You may optionally connect third-party services such as Atlassian Jira or GitHub. When you do:

You authenticate directly with the provider (for example, via Atlassian's OAuth 2.0 consent screen). We never see your provider password.
The resulting access/refresh tokens are stored encrypted in your operating system's secure storage on your device — not in plain files and not on Abertide servers.
Data from the connected service (e.g. Jira issues, boards, projects) is fetched and processed on your device. Abertide does not proxy or store that data on our servers.
You can disconnect at any time from within the app, which deletes the stored tokens. You may also revoke access from the provider's own settings.

Your use of a connected service remains governed by that service's own terms and privacy policy.

5. AI features

AI features use your own credentials — your API key for a provider you choose, or a local model running on your machine. AI requests go directly from your device to the provider you selected (or stay entirely local). Abertide does not proxy your AI requests through our servers, and your API keys are stored only in your device's secure storage.

6. This website

The abertide.com marketing site serves static pages. We do not set advertising or cross-site tracking cookies. Our hosting provider may process standard server logs (such as IP address and request metadata) transiently for security and reliability; we do not use them to build profiles of visitors.

7. How we store and protect data

Local data lives in your workspace folders and your OS secure storage (safeStorage). Its security is tied to your device and operating-system account.
Cloud data (only for vaults you sync) is encrypted in transit (HTTPS/TLS). E2EE vaults are additionally encrypted at rest, by design, with a key derived on your device that we are not designed to receive (pending the independent audit described in the Subprocessors and Managed Sync sections).
We apply reasonable technical and organisational measures to protect data we hold, but no system is perfectly secure.

8. Subprocessors

When you use cloud features, we rely on a small number of infrastructure providers ("subprocessors") that process data on our behalf. We name every one of them. If you never sign in and never enable a cloud feature, none of these providers receive anything about you.

Supabase — authentication and accounts, vault metadata (such as vault names, membership, and roles), subscription state, and, for E2EE vaults, the wrapped (encrypted) key material. Supabase stores this control-plane data and, for E2EE vaults, never holds the unencrypted contents.
Cloudflare — object storage (Cloudflare R2) for the content of vaults you choose to sync and for content you choose to publish, plus the gateway and content-delivery layer that serves cloud and website requests. For SaaS-mode vaults this content is stored so our infrastructure can technically access it; for E2EE vaults it is stored as ciphertext.
Resend — transactional email delivery. When you sign up or reset your password, Resend processes your email address and the verification or reset code in order to deliver that single message. It is not used for marketing email.
Stripe — payment processing for paid subscriptions. Stripe is engaged only if and when you purchase a paid plan; at that point it processes your name, email, and payment details to take payment. We do not store full card numbers ourselves. (Paid billing is not active for all users yet; this entry is listed in advance so the list is never out of date.)

These providers operate under data-processing agreements that limit them to acting on our instructions. The physical region where synced and account data is stored, and the corresponding cross-border-transfer safeguards (for example, for users in the EU, the UK, Korea, and Japan), are being finalised and will be stated here. We keep this list current: it is the single source of truth, and we intend to give cloud users advance notice before a new subprocessor that handles their content goes live.

9. Data retention and deletion

Local data is retained for as long as it exists on your device and is entirely under your control. For cloud features, we retain account and synced data while your account is active. You can delete synced vaults from the app, and you can request deletion of your account and associated cloud data by contacting us.

10. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete personal data we hold about you, and to object to or restrict certain processing. Because most of your data never leaves your device, much of this is already in your direct control. For data we do hold (account/cloud), contact admin@abertide.com and we will respond within a reasonable time.

11. Children

Abertide is not directed to children under 13 (or the minimum age in your jurisdiction), and we do not knowingly collect their personal data.

12. Changes to this policy

We may update this policy as the product evolves. We will revise the "last updated" date above and, for material changes affecting cloud users, provide reasonable notice.

13. Contact

Privacy questions or requests: admin@abertide.com. General support: admin@abertide.com.