Privacy Policy

Last updated: April 2026

At Ethos, privacy is treated as infrastructure, not an afterthought. You are entrusting the system with your thoughts, your habits, and your private data. This Privacy Policy details exactly how we handle, protect, and process your information with extreme respect for boundaries.

1. Vault Encryption Architecture

Any data stored within your Vault is encrypted symmetrically in your browser using AES-256-GCM before ever touching our servers. The encryption key never leaves your device. We use a split-secret model, meaning we cannot read, mine, or access your vaulted data under any circumstance. We literally lack the mathematical capacity to unlock your Vault.

2. Core Journal Data and Syncing

Standard journal entries, habits, workspace projects, and time-tracking metrics are stored securely on our servers to enable cross-device synchronization and immediate data retrieval. This data is logically isolated by user ID via Row-Level Security. We enforce strict ownership policies so your data cannot cross-contaminate. Your data is never sold, traded, or used for targeted advertising.

3. Explicit Boundaries for AI Insights

The signal layer (AI insight) is strictly optional and strictly bounded. By default, zero data goes to any external language model. If you explicitly invoke AI features—unlike ambient AI trackers—only the specific context (the entries or timeframe you select) is transmitted. Our processor agreements explicitly forbid the use of your prompts or journal fragments for AI training.

4. Telemetry and Analytics

We collect minimal, anonymized product telemetry solely to maintain service reliability. This includes sync state health, error logs for crash resolution, and performance metrics. These metrics never contain the contents of your journal, the titles of your notes, or the names of your habits.

5. Account Deletion and Right to be Forgotten

You may delete your account at any time through the dashboard. Upon deletion, all associated records, configurations, metrics, and blobs (files) are durably purged from our primary databases and object storage. A deletion job is immediately queued and your quota is zeroed.

6. Third-Party Subprocessors

We employ high-grade infrastructure providers (such as PostgreSQL for relational data and MinIO for object storage) to deliver the service. We vet our subprocessors heavily for security compliance. They act strictly as custodians of encrypted blobs and structured data matrices, with no rights to parse or own the contents within.

7. Cookies and Local Storage

We avoid third-party tracking cookies entirely. Ethos uses secure, HTTP-only cookies strictly for authentication and session management. We use your browser's local storage for device-specific preferences (like theme, density, language) and for storing your wrapped Vault encryption keys.

8. Google Sign-In

If you choose to sign in with Google, Google provides Ethos with identity-only account data: your Google account ID, verified email status, email address, name, and profile picture. We use this data only to create or link your Ethos account and to authenticate future sessions. Google Sign-In does not grant Ethos access to your Google Drive, Gmail, Calendar, or other Google API data, and Ethos does not store Google access or refresh tokens for sign-in.

9. Google API User Data

When you connect Google Drive, Gmail, Calendar, Google Docs, Google Sheets, or Google Slides through Settings → Integrations, Ethos receives an OAuth access token and refresh token, both encrypted at rest with AES-256-GCM. The assistant uses these tokens only to fulfil explicit user requests — for example, reading a Drive file the user names, summarising an email the user names, drafting a Calendar event the user describes, or proposing edits to a Doc / Sheet / Slide as a draft that the user must confirm before it is applied. We never share Google user data with third parties, never use it to train AI models, and never read or write files the user did not request. Disconnecting from Settings → Integrations calls Google's token revocation endpoint and immediately invalidates the local connection. Deleting your Ethos account additionally purges all OAuth tokens and stored Google identifiers within seconds. We retain Google user data for the lifetime of your connection only; nothing is cached longer than the duration of a single assistant turn. Ethos's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.