Your keys, in your keychain
API keys are stored in the OS keychain (Keychain Access on macOS, Credential Manager on Windows). ORA reads them at runtime; they never touch our servers because we don't have servers.
Your prompts, your files, your credentials — they live on your machine. ORA talks to providers using your own keys, with approval prompts before anything risky leaves your laptop.
We built ORA because we were tired of pretending a chat window was a workspace. Real workspaces are quiet, focused, and yours. They don't ship your thoughts to someone else's server by default.
So ORA is a desktop app — not a tab. It runs on your machine, it stores its state on your disk, and it speaks to AI providers using credentials you control. We do not see your prompts. We do not see your files. We do not proxy your traffic through us. We don't run a back-end you log into.
Privacy isn't a feature we layered on top. It's the shape of the thing.
Four guarantees
Architecture, not policy. Every guarantee maps to code we ship.
API keys are stored in the OS keychain (Keychain Access on macOS, Credential Manager on Windows). ORA reads them at runtime; they never touch our servers because we don't have servers.
File writes, network calls outside the chat, shell commands, and browser automations all stop at an approval prompt. Approve once, approve always, or deny — visible in the Approval Center.
Local file search only sees folders you explicitly approve. Revoke a folder and ORA wipes its embeddings on the next start. Sensitive paths (SSH, dotenv, keychains) are auto-redacted.
Switch on ORA Local AI and the whole workspace works without internet. Your laptop is the model — no ad tracking, no analytics, and nothing about your work leaves your device.
Three layers — each with a clear privacy boundary.
1. Client. The Tauri app on your desktop. Native binary, signed by us, sandboxed by your OS. Holds all your data: chat history, indexes, agent definitions, settings. Persists to your local app-data directory, which you can inspect or wipe.
2. Providers. Direct connections from your machine to Claude, OpenAI, Google, xAI, Perplexity, Mistral, DeepSeek, and ORA Local AI running on-device. Your prompts go to the providers you choose, signed by your keys. No proxy.
3. Update channel. When you allow it, ORA fetches updates from a signed release manifest hosted on our CDN. The fetch is the only network call ORA makes to us, and it carries no identifiers.
What goes where
If it isn't on this list, ORA doesn't collect it.
| Data | Where it lives | Who sees it |
|---|---|---|
| Your prompts & chats | Your machine | You + the providers you chose |
| API keys | OS keychain | You |
| File search embeddings | Your machine | You |
| Custom agents | Your machine | You (until you share them) |
| App settings | Your machine | You |
| Update checks | Our CDN | No personal data sent |
| Crash reports | Opt-in only | Us, anonymised |
| Email at purchase | Cloudflare KV (India + EU edge) | Us — to deliver licence + receipts |
| Name + phone (optional) | Cloudflare KV | Us — only with your consent |
| Marketing consent record | Cloudflare KV (audit-logged) | Us — proof of your choice |
| Razorpay payment ID | Razorpay + KV reference | You + Razorpay + us |
| Connect form requests | heyora.in data folder | Us — to reply and qualify business/support requests |
| IP at consent time | Hashed (SHA-256 prefix) only | Us — never raw |
| Crash reports | Opt-in only | Us, anonymised |
DPDP Act 2023 · Your rights
India's Digital Personal Data Protection Act is the bar we hold ourselves to.
Transactional (always sent). Your purchase receipt, the licence email, refund confirmations. We need to send these to do business with you — DPDP categorises this as legitimate purpose.
Marketing (only with your consent). Product updates, launch news, occasional offers. The checkbox at checkout is off by default. Tick it if you want these. Untick anytime from your account at heyora.in/account.
Right to access. Sign in at heyora.in/account to see every device, licence, payment, and consent record we hold on you.
Right to correction. Reply to any email from us or write to [email protected] — we fix mistakes within 48 hours.
Right to withdraw consent. One click in your account. Effective immediately. No questions asked.
Right to erasure. Email [email protected] with subject "Delete my data". We delete within 30 days, log the action, confirm in writing.
Grievance redressal. If we mess up, [email protected] is the founder's inbox. Replied within 48 hours.
We don't believe AI belongs in someone else's cloud.
It belongs on your desk — running on your terms.
No account required. No ad tracking, no data sold. Telemetry stays off by default — and your prompts go only to the providers you choose.