--- name: privacy-and-ai-use type: release tags: [release, v0.1, privacy, trust, ai-use, disclosure, user-facing] description: "User-facing privacy + AI-use disclosure for Lumotia v0.1. Lists what stays local, what optionally reaches the network, what NEVER leaves the machine, the AI use disclosure (local LLM + AI-assisted implementation), the MCP server caveat, the opt-in activation log, crash-dump policy, and the open-source licence framing. Linked from README + Settings → Privacy + v0.1 release notes." --- # Privacy + AI-use disclosure Lumotia v0.1 — last reviewed 2026-05-14. --- ## What stays local Every piece of data the app creates or captures lives only on your machine: - Audio recordings (captured, processed, then discarded from memory — not persisted to disk by default) - Raw transcripts (exactly what the speech engine heard, always recoverable) - Cleaned transcripts (LLM-formatted versions; the raw is always preserved alongside) - Extracted tasks and subtasks - MicroStep breakdowns and focus-timer state - Transcript and task history (SQLite database in your app-data directory) - Downloaded speech models (Whisper, Parakeet) and LLM model files (GGUF) - Custom vocabulary and profile terms - Activation log events (if you opt in — see below) - Onboarding state and preferences Nothing in this list is ever transmitted automatically. --- ## What optionally reaches the network There are exactly two outbound network paths in v0.1: **1. Model downloads (huggingface.co)** When you pick or download a speech model or LLM in onboarding or Settings → Models, Lumotia fetches the model file from `https://huggingface.co`. The request contains only a standard HTTP GET for a specific file URL (content-addressed, pinned to a commit hash). No account, no user identifier, no transcript content is sent. The download is initiated by your explicit action. Once downloaded, the model runs fully on-device. **2. Update check (stub in v0.1)** Lumotia includes a `check_for_update` command wired to `tauri-plugin-updater`. In v0.1 this function returns immediately with no update available — no network request is made. This will change in a future release; when it does, the check will be user-initiated or clearly disclosed. **What about `npm audit` and supply-chain tooling?** `npm audit` and the supply-chain pre-flight in `run.sh` are development-time tools only. They run when a developer builds from source, not in the installed application. The packaged app contains no npm runtime and makes no npm network calls. --- ## What NEVER leaves the machine These are hard commitments, not soft defaults: - Your voice recordings - Your transcript text (raw or cleaned) - Your task content - Your extracted MicroSteps - Your activation log - Your history and search index There is no telemetry system, no analytics pipeline, no crash-reporting service, and no background process that phones home. Crash dumps and logs are stored locally and are only shared if you explicitly bundle and attach them to a support issue (see below). --- ## AI use disclosure Lumotia uses a local large language model for two narrow purposes: transcript cleanup and task extraction. The model is downloaded once and runs entirely on your device. It never sees data outside those two call sites — there is no chat surface, no persistent conversation history, and no system prompt that accumulates your content across sessions. The raw Whisper transcript is always preserved; LLM output is additive, never destructive. The app itself was built with AI assistance. That process is documented in `docs/release/how-lumotia-is-built.md`, including the audits and guardrails applied to AI-generated code before it was committed. --- ## MCP server caveat Lumotia includes an optional MCP server (`lumotia-mcp`) you can wire into Claude Desktop, Cline, or any MCP-capable client. It is: - **Read-only.** No tool can create, edit, or delete transcripts or tasks. - **Stdio-only.** No network listener. No TCP socket. No Unix socket. - **Off by default.** You must explicitly launch it and add it to your MCP client's configuration. The honest thing to flag: when you wire `lumotia-mcp` into an MCP client, that client gets read access to your entire transcript history and task list. There is no per-row permission system in v0.1. Treat it the same way you would treat giving a tool access to a folder of personal notes — only enable it if you trust the client end-to-end. --- ## Activation log The activation log is opt-in and local-only. It records milestone events — first capture, first export, first task extracted — in the `lumotia_events` table in your local database. It contains no transcript text and no audio. Nothing is sent automatically. You can read it via Settings → Diagnostics → Activation log, and you can clear it or opt out from the same screen. --- ## Crash dumps and logs Lumotia captures Rust panics and frontend errors to disk so you have something useful to attach if you file a bug report. Files are written to: - `/crashes/` — panic and crash dumps - `/logs/lumotia.log` — runtime log Neither location contains transcript text or audio. The diagnostic-report bundler in Settings → About assembles a redacted snapshot from these directories; it skips transcript content and audio files by default. You decide whether to share the bundle. On Linux, `` is typically `~/.local/share/uk.co.corbel.lumotia`. --- ## Your data, your machine Lumotia is open source. The repository is public. The licence is to be finalised before public beta; current intent is a permissive open-source licence. You can read every line of code that handles your data, run the test suite, and verify the claims on this page yourself. If you find a discrepancy between this document and the codebase, file an issue — we will fix whichever one is wrong.