148 lines
5.9 KiB
Markdown
148 lines
5.9 KiB
Markdown
# OpenSquilla Privacy Policy
|
|
|
|
OpenSquilla is a local-first desktop and CLI application. This policy describes
|
|
what project-distributed OpenSquilla software stores locally, what it may send
|
|
over the network, and how users can opt out or delete local data.
|
|
|
|
This policy covers OpenSquilla release artifacts published by the OpenSquilla
|
|
project. Third-party AI providers, search providers, operating systems, app
|
|
stores, package registries, and GitHub are governed by their own policies.
|
|
|
|
## Local Data
|
|
|
|
OpenSquilla stores user configuration, sessions, logs, memory, scheduler state,
|
|
cache, and provider settings on the user's machine. The default CLI/gateway
|
|
state lives under `~/.opensquilla`. The Electron desktop app also uses the
|
|
platform Electron `userData` directory for desktop-specific configuration,
|
|
encrypted credentials when Electron `safeStorage` is available, and gateway
|
|
logs.
|
|
|
|
OpenSquilla does not require an OpenSquilla account. Provider API keys are
|
|
configured by the user and are kept locally as environment variables, local
|
|
configuration references, `.env` files, or desktop encrypted storage depending
|
|
on the installation path and setup choices.
|
|
|
|
## Provider Requests
|
|
|
|
OpenSquilla sends prompts, messages, tool results, selected files, or generated
|
|
context to third-party AI providers only when the user configures a provider and
|
|
starts a workflow that uses that provider. The exact data sent depends on the
|
|
active provider, model, command, channel, skill, and user-selected context.
|
|
|
|
Users should review their configured provider's terms and privacy policy before
|
|
using external models. OpenSquilla cannot control how an external provider
|
|
stores, logs, filters, trains on, or processes requests after the provider API
|
|
receives them.
|
|
|
|
## Search, Channels, And Integrations
|
|
|
|
Features such as web search, channel connectors, GitHub workflows, browser
|
|
automation, or other integrations may contact external services when the user
|
|
configures and invokes them. OpenSquilla does not send those requests unless the
|
|
corresponding feature is enabled by configuration or user action.
|
|
|
|
## Network Observability Controls
|
|
|
|
OpenSquilla groups non-user-initiated network observability under one switch.
|
|
Set this before startup to disable automatic install telemetry, passive update
|
|
checks, and desktop startup auto-update checks:
|
|
|
|
```sh
|
|
OPENSQUILLA_PRIVACY_DISABLE_NETWORK_OBSERVABILITY=true
|
|
```
|
|
|
|
The same control can be set in configuration:
|
|
|
|
```toml
|
|
[privacy]
|
|
disable_network_observability = true
|
|
```
|
|
|
|
Legacy environment variables remain honored for compatibility:
|
|
|
|
```sh
|
|
OPENSQUILLA_TELEMETRY_DISABLED=true
|
|
OPENSQUILLA_UPDATE_CHECK_DISABLED=true
|
|
```
|
|
|
|
Manual user-initiated actions may still contact network services after user
|
|
intent, including manual release, download, or update checks and configured
|
|
providers, search, channels, automation, or integrations.
|
|
|
|
## Installation Telemetry
|
|
|
|
OpenSquilla uses anonymous installation telemetry to estimate install counts,
|
|
version adoption, and runtime compatibility. Telemetry is sent on first gateway
|
|
startup and once per OpenSquilla version. Uploads use a short timeout and never
|
|
block startup.
|
|
|
|
Telemetry payloads include:
|
|
|
|
- schema version
|
|
- locally generated stable `install_id` digest
|
|
- OpenSquilla version
|
|
- event type, such as `install` or `version_seen`
|
|
- install method, such as `pip`, `source`, `docker`, `desktop`, or `unknown`
|
|
- operating system, OS version, CPU architecture, and Python major/minor version
|
|
- first-seen and sent timestamps
|
|
- CI/test-environment marker
|
|
|
|
The `install_id` is a local one-way SHA-256 digest derived from usable MAC
|
|
addresses, then local IP addresses when no MAC is available, with a random
|
|
persisted fallback. Raw MAC addresses and raw IP addresses are not uploaded.
|
|
|
|
Telemetry does not include usernames, hostnames, local paths, API keys,
|
|
provider configuration, chat content, session content, memory content, agent
|
|
content, file names, or file contents. Source IP addresses may be visible to
|
|
HTTP servers at the transport layer, but are not part of the telemetry payload.
|
|
|
|
Use the unified network observability switch above to opt out before startup.
|
|
The legacy telemetry opt-out `OPENSQUILLA_TELEMETRY_DISABLED=true` remains
|
|
honored for compatibility.
|
|
|
|
Advanced deployments can direct installation telemetry to their own endpoint:
|
|
|
|
```sh
|
|
OPENSQUILLA_TELEMETRY_ENDPOINT=https://example.com/v1/install
|
|
```
|
|
|
|
## Logs And Diagnostics
|
|
|
|
OpenSquilla writes local logs for gateway, desktop, workflow, and troubleshooting
|
|
purposes. Logs may include command names, runtime errors, provider identifiers,
|
|
timestamps, local status, and diagnostic context. Users should review logs
|
|
before sharing them publicly because logs may reflect local configuration or
|
|
workflow details.
|
|
|
|
## Updates And Downloads
|
|
|
|
OpenSquilla release downloads are hosted on GitHub Releases. Downloading release
|
|
assets may expose standard request metadata, such as IP address and user agent,
|
|
to GitHub and network intermediaries. Release checksums are published in
|
|
`SHA256SUMS` when release assets are generated.
|
|
|
|
The unified network observability switch disables passive update checks and
|
|
desktop startup auto-update checks. Manual release, download, or update checks
|
|
may still contact GitHub after the user asks OpenSquilla to perform them.
|
|
|
|
## Deletion
|
|
|
|
Use `opensquilla uninstall` to remove OpenSquilla. By default it removes the
|
|
program and keeps user data. To delete local state and configuration, opt in:
|
|
|
|
```sh
|
|
opensquilla uninstall --purge-state
|
|
opensquilla uninstall --purge-config
|
|
opensquilla uninstall --purge-all
|
|
```
|
|
|
|
The command previews and limits deletion to OpenSquilla-owned paths. Desktop
|
|
and Docker installs may require platform-specific removal steps shown by the
|
|
uninstall command; desktop data cleanup does not remove the OS app bundle.
|
|
|
|
## Security And Privacy Reports
|
|
|
|
Report security or privacy issues through the process documented in
|
|
[`SECURITY.md`](SECURITY.md). Please do not include secrets, API keys, private
|
|
conversation content, or unrelated personal data in public issues.
|