Security & Privacy
Your data stays yours. Period.
Built with privacy at the core
Askimo is designed from the ground up to protect your privacy. We don't collect your data because we simply can't access it. Everything stays on your device, encrypted and under your control.
Our Privacy Principles
Our commitment to keeping your data safe and private
No Data Collection
We never collect, store, or transmit your API keys, conversations, documents, or usage data. Askimo has no backend servers collecting your information.
Local-First Architecture
All data is stored locally on your device. Your conversations, RAG documents, and settings never leave your machine unless you explicitly send queries to AI providers.
Encrypted at Rest
Sensitive data like API keys is encrypted using AES-256-GCM before being written to disk. Even if someone accesses your files, they can't read your secrets.
No Telemetry or Tracking
Zero analytics, no crash reporting, no usage metrics. We don't track what you do, what you ask, or how you use Askimo. Your workflow is completely private.
What We Don't Collect
We explicitly do NOT collect or transmit these types of data
API Keys & Credentials
Your API keys are encrypted locally. We never see or store them.
Conversations & Prompts
All chat history stays on your device. We have no access to what you discuss with AI.
RAG Documents & Knowledge Base
Your indexed documents are stored and processed entirely on your machine.
Usage Metrics & Analytics
No tracking of how often you use Askimo, which features you use, or any usage patterns.
Personal Information
No email addresses, phone numbers, names, or any personally identifiable information.
Crash Reports & Error Logs
No automated error reporting. Logs stay on your machine for your own debugging.
File Contents or Code
Your source code and files are only sent to AI providers you explicitly configure.
Device Information
No fingerprinting, no device IDs, no hardware information collection.
In short: We collect absolutely nothing because we have no way to access your data.
How We Protect Sensitive Data
Encryption at Rest
Askimo stores your API keys securely using your system's keychain when available (macOS Keychain, Windows Credential Manager, Linux Secret Service). If the keychain is not available, API keys are encrypted using industry-standard AES-256-GCM encryption with integrity protection.
- System Keychain (Preferred) - macOS Keychain, Windows Credential Manager, or Linux Secret Service for OS-level protection
- AES-256-GCM encryption (Fallback) with random initialization vectors and authentication tags
- Installation-specific encryption keys stored with strict file permissions (owner-only)
- Tamper detection - corrupted or modified encrypted data is rejected
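An added illustration of the fallback scheme listed above, not Askimo's own code (which this page does not show): AES-256-GCM with a fresh random IV per encryption, an authentication tag that makes modified data fail to decrypt, and a key file created owner-only. The function names, the key file name and the `iv || tag || ciphertext` layout are assumptions.

```javascript
// Added illustration, not Askimo's code; names and the iv||tag||ciphertext layout are assumed.
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const IV_LEN = 12, TAG_LEN = 16; // 96-bit IV (recommended for GCM), 128-bit tag
// Per-installation 256-bit key, file created owner-only; 'wx' refuses to overwrite.
function createKeyFile(file) {
  const key = crypto.randomBytes(32);
  fs.writeFileSync(file, key, { mode: 0o600, flag: 'wx' });
  return key;
}
// True when group and other have no permission bits set (POSIX file modes).
const isOwnerOnly = (file) => (fs.statSync(file).mode & 0o077) === 0;

function seal(key, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh random IV for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext, or null if the blob is truncated or fails authentication.
function unseal(key, blob) {
  if (blob.length < IV_LEN + TAG_LEN) return null;
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = blob.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // tag mismatch: data was modified or corrupted, or the key is wrong
  }
}

// Constructed demo: temporary directory and a made-up secret.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gcm-demo-'));
  const keyFile = path.join(dir, 'install.key');
  const key = createKeyFile(keyFile);
  const blob = seal(key, 'sk-constructed-example');
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  const out = { ownerOnly: isOwnerOnly(keyFile), roundTrip: unseal(key, blob), tampered: unseal(key, tampered) };
  fs.rmSync(dir, { recursive: true, force: true });
  return out;
}
console.log(demo());
```

The owner-only check relies on POSIX mode bits, so it is meaningful on macOS and Linux but not on Windows, where access is governed by ACLs.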
Local Storage Only
All configuration, chat history, and encrypted data live under your user's Askimo folder on your device. No cloud sync, no remote backups.
| Data Type | Location | Protection |
|---|---|---|
| API Keys | ~/.askimo/session | System Keychain (preferred) or AES-256-GCM encrypted |
| Chat History | ~/.askimo/askimo.db | Local SQLite database |
| RAG Documents | ~/.askimo/project_id/ | Local Lucene index |
| Preferences | ~/.askimo/askimo.yml | YAML file |
RAG: Private Document Indexing
When you use RAG (Retrieval-Augmented Generation) to connect documents to AI conversations, all indexing and search happens locally using Apache Lucene and jvector.
- 100% local processing - documents never leave your machine during indexing
- Local vector search - semantic search powered by on-device embeddings
- Your knowledge base stays private - only relevant snippets are sent to AI when you ask questions
What This Protects (And What It Doesn't)
What This Does Protect
- ✓ Your credentials from casual snooping or accidental exposure
- ✓ Multi-user environments where others can access your file system
- ✓ Accidental commits of config files to version control
- ✓ Privacy from Askimo itself - we can't read your data
- ✓ Backup copies being readable without the encryption key
What This Doesn't Promise
- ! Protection if your computer is fully compromised by malware running as your user
- ! Security of data after it's sent to third-party AI providers (OpenAI, Claude, etc.)
- ! Protection from untrusted plugins or extensions you install
- ! Physical access attacks (someone with your unlocked computer)
- ! Network interception if AI providers don't use HTTPS (they all do)
Our Philosophy: We prefer clear boundaries over marketing claims. The goal is to make everyday use safer by default while being honest about what local encryption can and cannot protect against.
Security Best Practices
Use System Keychain
When Askimo offers to use your OS keychain (macOS Keychain, Windows Credential Manager), accept it. This provides an additional layer of OS-level protection.
Keep Config Private
Never commit your ~/.askimo folder to version control. Add it to your .gitignore if working in shared repos.
Rotate API Keys
If you suspect your API key was exposed, rotate it immediately in your provider's dashboard and update it in Askimo.
Avoid Hardcoding Secrets
Don't hardcode API keys in scripts. Use environment variables or Askimo's secure storage instead.
Review Provider Permissions
Understand each AI provider's data policies. Local providers (Ollama, LM Studio) keep everything private. Cloud providers have their own policies.
Secure Your Device
Use full-disk encryption, strong passwords, and keep your OS updated. Physical security is the foundation.
Open Source & Transparency
Verify Our Claims
Askimo is open source. You don't have to trust our words—you can read the code yourself.
- Audit the encryption: Check how API keys are encrypted in the source code
- Verify zero telemetry: Search the codebase—there's no analytics code
- Inspect network requests: See exactly what data is sent to AI providers
Common Questions
Answers to frequently asked questions about Askimo's security and privacy
Do you collect any data at all?
No. We collect absolutely nothing. Askimo has no backend servers, no analytics, no crash reporting, and no telemetry. We can't collect your data because we have no way to access it. Everything stays on your device.
Where do my API keys go when I use AI providers?
Your API keys are stored locally on your device in encrypted form. When you send a query to an AI provider (like OpenAI or Claude), Askimo uses your API key to authenticate directly with that provider's servers. The key travels directly from your device to the provider—it never passes through any Askimo servers because we don't have any.
What happens to my RAG documents?
When you add documents to RAG, Askimo indexes them locally using Apache Lucene and jvector. The entire indexing process happens on your device. When you ask a question, Askimo searches your local index for relevant snippets and includes only those snippets in the context sent to the AI provider. Your full documents never leave your machine.
Can I use Askimo completely offline?
Yes! If you use local AI providers like Ollama, LM Studio, LocalAI, or Docker AI, you can use Askimo completely offline. Your conversations, chat history, and RAG documents all work without an internet connection. You only need internet when using cloud providers like OpenAI, Claude, or Gemini.
How do I delete my data?
Simply delete the ~/.askimo folder on your device. That's it. Since everything is stored locally and we don't have any cloud backups, deleting this folder completely removes all your data. There's nothing stored anywhere else because we don't have servers collecting your information.
Do cloud AI providers see my data?
When you use cloud providers (OpenAI, Claude, Gemini, etc.), the prompts and context you send are visible to those providers according to their privacy policies. Askimo sends your queries directly to them. If privacy is critical, use local providers (Ollama, LM Studio, LocalAI, Docker AI) where everything stays on your device.
Your Data. Your Device. Your Control.
Experience AI assistance without compromising your privacy.