Privacy Policy
Cuttlefish is built local-first: the vast majority of your data never leaves your machine. This policy explains what we collect, what we never touch, and how to exercise your rights.
Legal entity: Moguls Inc · Last updated: April 23, 2026 · Contact: [email protected]
1. Overview
This Privacy Policy explains what data Moguls Inc ("we", "us", "our") collects through the Cuttlefish website (getcuttlefish.app) and the Cuttlefish desktop application (the "App"), and how that data is used.
We designed Cuttlefish to be a local-first, privacy-respecting application. The vast majority of your data never leaves your machine.
2. What the Website Collects
Server logs
When you visit getcuttlefish.app or app.getcuttlefish.app, request metadata such as IP address, browser user-agent, requested path, and timestamp may be processed by our hosting and edge providers for routing, availability, caching, and security operations. The public website and mobile PWA are hosted on Microsoft Azure static website infrastructure behind Azure Front Door.
Website analytics
Cuttlefish may collect first-party operational website analytics to understand page views, navigation, download clicks, installer delivery, update activity, and product health. These analytics are used internally for reliability, installation proof, and product planning. They do not include advertising cookies, cross-site behavioral tracking, prompts, model outputs, credentials, or customer content.
No tracking cookies
The Cuttlefish website does not set tracking cookies, advertising cookies, or third-party analytics cookies. First-party website analytics use privacy-preserving browser storage and sanitized event metadata. We do not use Google Analytics, Facebook Pixel, or any similar tracking technology.
3. What the Desktop App Collects
The Cuttlefish desktop application collects the following data, which may be transmitted to our backend services:
- Session metadata — session identifiers, timestamps, and configuration preferences necessary to operate the application.
- Governance receipts — cryptographically signed records of the policy checks Cuttlefish performs before consequential actions. These receipts are essential for auditability and are stored in immutable write-once storage. See Section 5 for details.
- Auto-update checks — the App periodically contacts our update server to check for new versions. This request includes your current app version and operating system. No personally identifiable information is transmitted.
4. What the Desktop App Never Collects
Cuttlefish is built on the principle that your data stays on your machine. The following categories of data are never collected, transmitted, or stored by Moguls Inc:
- API keys — your AI provider API keys are stored exclusively in your operating system's native keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service). They never leave the OS keychain and are never transmitted to our servers.
- Conversation content — your chats, prompts, agent outputs, and any AI-generated content remain entirely local.
- Files and documents — any files you open, create, or reference in Cuttlefish stay on your local filesystem.
- Keystrokes — the App does not include any keylogging functionality.
- Screenshots or screen recordings — the App does not capture your screen.
- Location data — the App does not request or collect geolocation information.
Note: when you use third-party AI providers (OpenAI, Anthropic, etc.) through Cuttlefish, your prompts are sent directly from your machine to those providers using your own API keys. Those transmissions are governed by each provider's own privacy policy, not ours. See our subprocessors page and the data processing terms for how third-party data sharing is handled.
5. Governance Receipts and 7-Year Retention
Before Cuttlefish takes a consequential action, it records a cryptographically signed receipt of the policy check it performed. These receipts are stored in write-once, read-many storage with a 7-year retention period, and their signatures make them tamper-evident.
Governance receipts contain:
- Policy evaluation outcomes (allow / deny decisions)
- Timestamps and session identifiers
- Cryptographic signatures for tamper-evidence
Governance receipts do not contain conversation content, API keys, or file contents.
The 7-year retention period is designed for regulatory compliance and audit trail integrity. Receipts cannot be modified or deleted during this period. For how these records relate to data sharing and processing roles, see our data processing terms.
6. Third-Party Services
Cuttlefish integrates with the following categories of third-party services:
- AI providers (OpenAI, Anthropic, Google, Mistral, etc.) — prompts are sent directly from your machine to these providers using your own API keys. We do not proxy or store this traffic.
- Microsoft Azure — hosts the public website and mobile PWA through Azure static website infrastructure, with global edge delivery and routing via Azure Front Door. Subject to Microsoft's Privacy Statement.
For the maintained list of the providers that process data on our behalf, see our subprocessors page. Data processing roles and responsibilities are set out in our data processing terms.
7. Data Storage and Security
Backend infrastructure for Cuttlefish runs on Microsoft Azure in the United States. Data at rest is encrypted using Azure-managed encryption. Data in transit uses TLS 1.2+.
Governance receipts are stored in immutable, write-once blob storage with signature verification to ensure tamper-evidence.
For more details on our security practices, see our Security Policy.
8. Your Rights (GDPR / CCPA)
For EU/EEA residents (GDPR)
If you are located in the European Economic Area, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to the write-once retention policy for governance receipts)
- Object to or restrict processing of your data
- Data portability
- Withdraw consent at any time
For California residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information is collected about you
- Request deletion of your personal information
- Opt out of the sale of personal information — we do not sell personal information
- Non-discrimination for exercising your rights
To exercise any of these rights, contact us at [email protected].
9. Children Under 13
Cuttlefish is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will provide notice through the application or website. Your continued use of Cuttlefish after changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or to exercise your data rights:
Moguls Inc
Email: [email protected]
Support: [email protected]
Admin: [email protected]
Web: https://getcuttlefish.app