Skip to content

Trust

Privacy Policy

Nauro is local-first. The core conflict-checking loop runs on your machine and makes zero external network calls, your source code never leaves it, and only the project context you explicitly choose to sync is ever stored by us.

Last updated: 1 June 2026. This policy covers the Nauro command-line tool and core (the open-source software you install), the hosted sync service on paid plans, and this website.

The short version

  • Run locally and nothing leaves your machine. The local store is plain Markdown on your own disk.
  • We never store your source code. Hosted sync carries decisions, project state, and open questions only.
  • The command-line tool's telemetry is anonymous and can be turned off with one command. The hosted service emits its own anonymous event, described below.
  • This website sets no third-party tracking cookies.

What stays on your machine

Your project context lives as plain UTF-8 files under your home directory (by default ~/.nauro/): Markdown decision files, current state, and open questions. You can read, edit, diff, version-control, and delete those files directly. The local credentials file is written with owner-only permissions. The core retrieval loop (lexical BM25, and the optional local embedding model) runs entirely on your machine with no external service and no API key.

What we collect

Anonymous telemetry from the command-line tool. The command-line tool shows a one-line telemetry notice on first run. Its telemetry is anonymous: it is keyed only by a random per-machine identifier and records four event types (a command was invoked, an MCP tool was called, a sync completed, a project was created) with a small, fixed property set. You can turn it off at any time by setting NAURO_TELEMETRY=0 or running nauro telemetry disable. The hosted service's own telemetry is separate and is described under the hosted sections below.

Hosted sync (paid plans, only when you enable it). When you enable cloud sync, the hosted service stores the following, all in AWS in the United States (region us-east-1): your verified account email (from Auth0, used as your account identity), an opaque internal account identifier, your synced project context (decisions, project state, open questions, and the snapshots captured when you write, never your source code), project and membership metadata (the project names you choose and the roles that link your account to projects), and usage and rate-limit counters. Project context is configured to be encrypted at rest in AWS S3 using S3 server-side encryption, and access to each project is isolated by a fail-closed membership check: a request can read or write a project only if your account is recorded as a member of it. Sign-in is handled by Auth0.

This website. The marketing site sets no third-party tracking or advertising cookies. Your light or dark theme preference is stored locally in your browser and never sent to us.

What we never collect

Telemetry never sends your decision titles, rationale, or content, your file paths, your repository or project names, the arguments or return values of MCP tools, or your source code. None of that leaves your machine unless you choose to sync it, and even then your source code is never included.

Subprocessors

A small set of third parties process hosted data on our behalf. There is no payment processor in this list: paid plans are arranged by contacting us and billed by invoice, so we hold no card or payment-card data and no payment vendor touches your data today.

  • Amazon Web Services (United States, us-east-1). Storage and compute: S3 (encrypted project context), DynamoDB (account email, identifiers, project metadata, membership, and usage counters), Lambda (request processing), API Gateway (ingress and TLS), CloudWatch (operational logs), and Systems Manager Parameter Store (operator configuration).
  • Auth0, an Okta company (US tenant). Authentication and identity: runs your sign-in, issues your access token, and is the system of record for your login and verified email.
  • PostHog (US cloud). Anonymous product analytics only, keyed to your opaque account identifier. As currently configured it never receives your email, your project content, your IP address, or your location.

We do not sell or share your personal information, and we do not use your project context to train models. If we add or change a subprocessor that can access hosted customer data, we will update this list.

Where your data is stored

All hosted personal data and all synced project context is stored and processed in the United States, in AWS region us-east-1, and our authentication and analytics are configured to run on US infrastructure. There is no EU or UK data-residency option today. If you are in the EU, the UK, or another region with data-export rules, using the hosted service means your personal data is transferred to and stored in the United States. Contact us at [email protected] for the data-transfer terms that apply to business customers.

When you connect an AI tool (remote MCP)

The hosted service can act as a remote MCP server. When you connect it to an AI tool you choose, such as Claude AI, Perplexity, ChatGPT, or another MCP client, your project context is read from our storage and delivered to that tool so it can answer with your decisions in view. Once your context reaches that tool, the tool's own data-handling policies govern what happens to it. We do not control or monitor what the AI tool does with your context after it is delivered, so please review the privacy policy of any AI tool before you connect it. Your source code is never read, stored, or delivered by this path.

Telemetry on the hosted service

The hosted service emits one anonymous analytics event, recording that an MCP tool was called, keyed to your opaque account identifier. As currently configured it never includes tool arguments, return values, your project content, your email, your IP address, or your location. This hosted-service telemetry is emitted by our backend as part of operating the service and is not controlled by the command-line tool's telemetry switch.

IP addresses and operational logs

Our application code does not read, log, or store your IP address. Your IP is seen transiently at the network edge by our hosting layer (AWS API Gateway and Lambda) to route your request and protect against abuse, in the ordinary way any internet service receives a connecting address. Our backend writes operational logs to AWS CloudWatch; these logs do not contain your project content, but they can contain your account identifiers and, on certain error paths, your email. These logs are not currently set to expire automatically.

Access, export, and deletion

Local data is yours outright: it is just files you can copy or remove. For data held by hosted sync, the format is the same plain Markdown, so export is straightforward, though there is no self-service export command today and we provide an archive on request. There is also no self-service deletion command in the hosted service at this time. To request access to, export of, or deletion of your hosted data, email [email protected] and we carry it out manually as promptly as we can. Deleting your hosted data removes your synced project context (including its snapshot history) and your account and identity records; operational logs that may contain your identifiers are handled separately and may persist until their retention period elapses.

Changes and contact

This is an early policy and will evolve as the hosted product matures. Questions or requests: [email protected]. See also our security practices.