local-firstyour keysmetadata-only logs
Private by architecture.
Not by promise.
A cloud agent has to promise not to look at your data. OpenDesktop mostly cannot look: files, keys, and tool runs live on your machine and never pass through us.
What stays.
What leaves.
- Your files. The agent reads and writes them on your disk, in the workspace folder you choose
- Your API keys, stored in the macOS keychain
- Tool and command runs, executed in an isolated container with networking off by default
- Your chat history and app data, kept in a local data folder you can open in Finder
- The messages and file excerpts you send to the model provider you picked. That is the job
- Web searches and page fetches, when you use the web tools. Both can be switched off
- In managed mode, request metadata to your company's gateway: who, when, model, tokens, cost. Never the content
No third destination. There is no OpenDesktop analytics backend collecting your prompts.
The privacy panel
is in the app.
You do not have to take this page's word for it. Settings has a privacy tab that shows your mode, your data folder, and exactly which hosts the app talks to.
A badge in the sidebar keeps the answer visible while you work: Local or Managed, always one glance away.
Two modes, both honest.
bring your own key
Your machine talks directly to your model provider with your key. We are not in the path at all. Your privacy relationship is with the provider you chose, and nobody else.
managed
Requests route through your company's gateway so budgets and policy apply. The gateway records metadata per request and is built to never store prompt or response content.