Privacy Policy

Plain English Summary

Jarvis is built privacy-first. By default, everything happens on your Mac. Your voice never leaves your device. We do not run accounts or servers that store your conversations. The only data we receive about you, by default, is: (1) the email you submit to the Jarvis 2.0 waitlist on this website, and (2) optional, anonymous app-usage telemetry that contains no transcript content and no personal identifiers. Cloud transcription or LLM APIs are entirely optional. You bring your own API key, and your data goes directly from your Mac to that provider, never through us.

Data Jarvis Processes On Your Mac (Local, Never Sent To Us)

Microphone audio: captured while you hold the hotkey, transcribed locally using Whisper.cpp or Parakeet models that run on your device, then discarded. Transcripts: stay on your Mac unless you choose to send them to an LLM (see below). Settings, hotkey configuration, custom dictionary, and any memory items you create: stored locally in your macOS user data folder (~/Library/Application Support/Jarvis/). Whisper models: downloaded from HuggingFace on first use, then cached locally.

Optional Cloud Services You Can Enable

You may choose to enable cloud-based transcription (OpenAI Whisper, Deepgram Nova-3) or cloud-based LLMs (OpenAI, Anthropic Claude, Google Gemini, or a local Ollama instance) by entering your own API key in Settings. You may also choose to connect a Google account (Gmail, Calendar, Drive — see the next section for detail). When enabled, the App sends data directly from your Mac to that provider over HTTPS. We never see this data, never proxy it, and never store your API keys or OAuth tokens on our servers — they are kept locally in your settings file or macOS Keychain. You are responsible for understanding the privacy policies of the providers you enable: OpenAI, Anthropic, Deepgram, Google. All cloud features are off by default and require explicit consent before first use.

Google Account Data (Gmail, Calendar, Drive)

When you choose to connect a Google account in Jarvis, the App requests OAuth permission to access specific Gmail, Calendar, and Drive data via the official Google APIs. Data flows directly from Google to your Mac — Jarvis AI operates no backend server that handles, stores, indexes, or otherwise processes your Google account content. OAuth tokens are stored encrypted in your local macOS Keychain via Electron safeStorage.

Scopes Jarvis requests and what each is used for:

• https://www.googleapis.com/auth/gmail.readonly — Read your Gmail messages so Jarvis can summarize unread mail, answer voice queries about your inbox ("did anyone reply about X?", "what is important today?"), and surface threads that match your stated priorities. Full message bodies are required because metadata alone (subject and sender) is insufficient for useful summarization. The narrower gmail.metadata scope does not provide the data Jarvis needs.

• https://www.googleapis.com/auth/calendar.readonly — Read your calendar events so Jarvis can display today's schedule on the Today widget, answer voice queries like "what is on this week", and find free slots when you ask. We do not create or modify events with this scope.

• https://www.googleapis.com/auth/drive.file — Per-file scope. Jarvis can only access files it has itself created in your Drive on your behalf; Jarvis cannot see, read, or modify any other files in your Drive.

• openid, email, profile — Standard sign-in scopes used to identify the connected Google account.

Write actions: Sending email, modifying messages, creating or editing calendar events, and similar write operations are NEVER performed through the read-only scopes above. If you ask Jarvis to perform such an action, the App runs a separate, optional incremental-authorization flow where you must explicitly consent to the specific additional scope (for example gmail.send) at that moment. Until you grant the upgrade, Jarvis cannot and does not perform the write action.

Limited Use commitment: Jarvis AI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Specifically: (a) Gmail, Calendar, and Drive data is used only to provide and improve the user-facing Jarvis features described above; (b) we do not transfer this data to third parties for advertising or any unrelated purpose; (c) we do not sell this data; (d) we do not use this data to develop, improve, or train generalized or non-personalized artificial-intelligence or machine-learning models — when you invoke a Jarvis feature that summarizes or reasons over Gmail or Calendar content using a cloud LLM you have configured (OpenAI, Anthropic, Google Gemini, etc.) the relevant content is sent directly from your Mac to that provider using your own API key under their published API terms, which for these providers generally prohibit training on submitted user content; (e) no human at Jarvis AI reads or otherwise accesses your Gmail, Calendar, or Drive content at any time; the only parties that can read this content are you (on your device) and the cloud AI provider you have chosen if and only if you invoke a feature that requires it.

Session replays and Google data: interface replays mask all on-screen text precisely so that Gmail, Calendar, or Drive content rendered in the Jarvis interface is not captured or transmitted (see "App Analytics & Session Replays" above).

Revocation: You can disconnect any Google account at any time from Jarvis Settings → Connections → Disconnect, which deletes the locally stored OAuth token. You can also revoke Jarvis's access at the Google account level at https://myaccount.google.com/permissions — once revoked there, Jarvis can make no further API calls regardless of local state. We recommend revoking at the Google level if you uninstall Jarvis without first disconnecting.

App Analytics & Session Replays (Jarvis 2.0 Beta)

During the Jarvis 2.0 beta, analytics are enabled by default in the closed-source distribution and can be turned off at any time in Settings → Privacy → Analytics. Two kinds of data are sent to PostHog (processed at us.i.posthog.com in the United States). (1) Usage events: which features are used (for example "dictation completed", "onboarding step viewed"), counts and durations, app version, OS version, Mac architecture, and configuration facts such as which AI provider type is connected. Events carry a random UUID generated at first launch on your Mac; it is not linked to your email, name, or any account. Usage events never include transcript text, message content, file paths, or document contents. (2) Interface session replays: a visual reconstruction of how the Jarvis interface is used (screens visited, buttons clicked), which we use to find usability problems in the beta. On-screen text in replays is masked: the content of your chats, emails, memory, and other text is replaced with placeholder characters before anything leaves your Mac, and no audio is ever recorded. Replays are retained for 30 days, usage events for up to 12 months. Turning the toggle off stops both immediately. Open-source builds compiled from source ship with analytics disabled and no PostHog key.

Data This Website Collects

When you submit an email to the Jarvis 2.0 waitlist, we store: your email address, the random A/B/C test variant assignment, the page you submitted from (modal or page), your browser user-agent string, the referring URL, and a server timestamp. This data is stored in a Firestore database hosted on Google Cloud (region: us-central1) and used solely to email you when Jarvis 2.0 opens up. We do not share or sell waitlist emails to anyone. You can request removal at any time by emailing [email protected]. The website also uses Firebase Analytics (a Google service) to record anonymous page views and clicks; this does not include your email or any other personally identifying information.

Investor page (jarvis.ceo/investor): this access-coded page, intended for investors we share it with, additionally uses PostHog to record page analytics, session replays, and, if you choose to use the voice feature, transcripts of your conversation with the Jarvis demo agent. That page states this before the conversation starts. This data is used solely for our fundraising process and is retained on the same schedule as other PostHog data (replays 30 days, events up to 12 months). Write [email protected] to have it removed.

Auto-Update

The App checks the GitHub Releases API (api.github.com) every six hours to see if a new version is available. This check sends your current Jarvis version and your IP address (a standard HTTP request) to GitHub. It does not send any of your audio, transcripts, settings, or identifiers. You can disable auto-update in Settings.

No Accounts, No Logins, No Cloud Sync

Jarvis does not have a signup or login system. There is no user account, no profile, no cloud-stored history. The App stores a placeholder local user record purely for code structure ("user@localhost") that exists only on your Mac and is sent nowhere.

Permissions Jarvis Requests From macOS

Microphone: required, to capture your voice when you press the hotkey. Accessibility: required, so Jarvis can detect the function key and type the transcript into other apps. Calendar, Reminders, and Screen Recording: optional, only requested the first time you invoke a feature that needs them (for example, asking Jarvis to read events from your local macOS Calendar app, or "look at my screen"). These are standard macOS Privacy permissions and live entirely on your Mac — distinct from the Google Account OAuth flow described in the previous section, which is the path Jarvis uses to read Gmail and Google Calendar. macOS permissions can be reviewed and revoked at any time in System Settings → Privacy & Security.

Children

Jarvis is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has submitted their email to our waitlist, contact [email protected] and we will delete it.

Your Rights (GDPR / CCPA / Equivalent)

If you are in the EU, UK, California, or another jurisdiction with similar laws, you have the right to access, correct, delete, port, or restrict processing of personal data we hold about you. Since we hold very little. Typically just your waitlist email and an anonymous app UUID. Most requests are simple. Email [email protected] to exercise any of these rights. We respond within 30 days. We do not sell personal data, so the CCPA "right to opt out of sale" does not apply.

Data Retention

Waitlist emails: kept until Jarvis 2.0 launches and the waitlist closes, then deleted unless you have become a paid user. App usage events: kept up to 12 months by PostHog; interface session replays: 30 days. Local app data on your Mac: kept until you uninstall Jarvis or delete the user data folder yourself.

International Transfers

Our website infrastructure (Firebase Hosting, Firestore, Analytics) is operated by Google Cloud and may process data in the United States or other Google data centers. If you enable optional cloud APIs (OpenAI, Anthropic, Deepgram, Google Gemini), data is processed by those providers in regions defined by their own policies. PostHog telemetry is processed in the United States.

Security

Local data on your Mac is protected by macOS file permissions and disk encryption (FileVault, if you have it on). Data in transit (waitlist signups, optional cloud API calls, auto-update checks) is sent over TLS/HTTPS. No security system is perfect. If you spot a vulnerability, please email [email protected].

Changes To This Policy

If we materially change how we handle data, we will update this policy and bump the Last Updated date at the top. Significant changes will be announced on the Jarvis website. Continued use of Jarvis after changes constitutes acceptance.

Contact

For any privacy question, data request, or DPO inquiry, email [email protected] (or [email protected] for formal data-protection officer matters). We respond within 30 days, usually within 72 hours.