Privacy Policy
1. Overview
This Privacy Policy explains what data Moguls Inc ("we", "us", "our") collects through the Cuttlefish website (getcuttlefish.app) and the Cuttlefish desktop application (the "App"), and how that data is used.
We designed Cuttlefish to be a local-first, privacy-respecting application. The vast majority of your data never leaves your machine.
2. What the Website Collects
Server Logs
When you visit getcuttlefish.app, our hosting infrastructure (Vercel) automatically collects standard server logs including IP address, browser user-agent, pages visited, and timestamp. These logs are used for security monitoring and are retained per Vercel's standard data retention policy.
Vercel Analytics
We use Vercel Web Analytics for aggregate, privacy-friendly page view statistics. Vercel Analytics does not use cookies, does not track individual users across sessions, and does not collect personally identifiable information.
No Tracking Cookies
The Cuttlefish website does not set any tracking cookies, advertising cookies, or third-party analytics cookies. We do not use Google Analytics, Facebook Pixel, or any similar tracking technology.
3. What the Desktop App Collects
The Cuttlefish desktop application collects the following data, which may be transmitted to our backend services:
- Session metadata — Session identifiers, timestamps, and configuration preferences necessary to operate the application.
- Governance receipts — Cryptographically signed records of policy evaluations performed by the Palisade governance engine. These receipts are essential for auditability and are stored in immutable WORM (Write-Once-Read-Many) storage. See Section 5 for details.
- Auto-update checks — The App periodically contacts our update server to check for new versions. This request includes your current app version and operating system. No personally identifiable information is transmitted.
4. What the Desktop App Never Collects
Cuttlefish is built on the principle that your data stays on your machine. The following categories of data are never collected, transmitted, or stored by Moguls Inc:
- API keys — Your AI provider API keys are stored exclusively in your operating system's native keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service). They never leave the OS keychain and are never transmitted to our servers.
- Conversation content — Your chats, prompts, agent outputs, and any AI-generated content remain entirely local.
- Files and documents — Any files you open, create, or reference in Cuttlefish stay on your local filesystem.
- Keystrokes — The App does not include any keylogging functionality.
- Screenshots or screen recordings — The App does not capture your screen.
- Location data — The App does not request or collect geolocation information.
Note: When you use third-party AI providers (OpenAI, Anthropic, etc.) through Cuttlefish, your prompts are sent directly from your machine to those providers using your own API keys. Those transmissions are governed by each provider's own privacy policy, not ours.
5. Governance Receipts and WORM Storage
Cuttlefish's Palisade governance engine generates cryptographically signed receipts (Ed25519 signatures) for every policy evaluation. These receipts are stored in WORM (Write-Once-Read-Many) storage with a 7-year retention period.
Governance receipts contain:
- Policy evaluation outcomes (allow/deny decisions)
- Timestamps and session identifiers
- Cryptographic signatures for tamper-evidence
Governance receipts do not contain conversation content, API keys, or file contents.
The 7-year retention period is designed for regulatory compliance and audit trail integrity. Receipts cannot be modified or deleted during this period.
6. Third-Party Services
Cuttlefish integrates with the following categories of third-party services:
- AI Providers (OpenAI, Anthropic, Google, Mistral, etc.) — Prompts are sent directly from your machine to these providers using your own API keys. We do not proxy or store this traffic.
- Vercel — Hosts getcuttlefish.app. Subject to Vercel's Privacy Policy.
- GitHub — Hosts desktop application release assets and auto-update manifests. Subject to GitHub's Privacy Policy.
7. Data Storage and Security
Backend infrastructure for Cuttlefish runs on Microsoft Azure (Azure Kubernetes Service) in the United States. Data at rest is encrypted using Azure-managed encryption. Data in transit uses TLS 1.2+.
Governance receipts are stored in immutable blob storage (WORM policy) with Ed25519 signature verification to ensure tamper-evidence.
For more details on our security practices, see our Security Policy.
8. Your Rights (GDPR / CCPA)
For EU/EEA Residents (GDPR)
If you are located in the European Economic Area, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to the WORM retention policy for governance receipts)
- Object to or restrict processing of your data
- Receive your data in a portable format (data portability)
- Withdraw consent at any time
For California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information is collected about you
- Request deletion of your personal information
- Opt out of the sale of personal information — we do not sell personal information
- Not be discriminated against for exercising your rights
To exercise any of these rights, contact us at legal@getcuttlefish.app. We will respond within 30 days.
9. Children Under 13
Cuttlefish is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at legal@getcuttlefish.app and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will provide notice through the application or website. Your continued use of Cuttlefish after changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or to exercise your data rights:
Moguls Inc
Email: legal@getcuttlefish.app
Web: https://getcuttlefish.app