Skip to content

Privacy & Data Flow

Whittl is a local-first desktop app. Your code stays on your disk. Your prompts go to the AI backend you picked. Nothing passes through Whittl's servers — in fact, Whittl doesn't run any servers.

This page is the explicit breakdown.

What stays local

  • Your project code. Everything lives under ~/.whittl/projects/ on your machine. Whittl never uploads or syncs it.
  • Your API keys. Stored encrypted at rest in ~/.whittl/settings.json using a machine-derived key (Fernet). Copying the file to another machine decrypts to junk.
  • Your skills library. The skill files at ~/.whittl/skills/ are plain markdown, read-only from the AI's perspective, written by you (or Whittl's auto-learn on your explicit opt-in).
  • Your templates, settings, themes, archives, favorites, chat history. All local, all in ~/.whittl/.
  • Crash logs. ~/.whittl/crash.log if something went wrong. Whittl does not send this anywhere. If you want to share it for bug reporting, you attach it to an email yourself.

What goes to the AI backend you selected

When you hit Generate, Whittl sends:

  • The prompt you wrote in chat
  • Context — the project code Whittl decided was relevant (see Smart File Routing)
  • Skills — the markdown skill files Whittl matched to this request
  • Images — if you dropped a screenshot into chat (vision-capable models only)
  • System prompt — Whittl's orchestration prompt telling the model how to behave

This goes to the backend you chose. Not to Whittl.

Backend Where your prompt goes
Claude Anthropic's servers (US, EU, depending on endpoint)
Gemini Google's servers
DeepSeek DeepSeek's servers (China)
OpenRouter OpenRouter, which forwards to the underlying model provider
Ollama Nowhere — runs entirely on your machine

Every backend except Ollama is a third-party service. Read their privacy policy before sending them data you consider sensitive. Whittl is a pipe, not a curator of what the backend does with your prompt.

What goes to Whittl's author

Nothing by default. No telemetry, no phone-home, no usage analytics. Whittl doesn't contact any server under my control in the normal course of operation.

The two exceptions:

  1. Update checks. When you click Help → Check for Updates, Whittl fetches a version manifest from my Cloudflare R2 bucket (pub-573d835c3fa144b4943659b8717d7fd1.r2.dev). Static HTTP GET. Cloudflare sees the request (as it would for any website you visit). I don't get usage data from these.
  2. License validation (paid install only). First-launch license check against LemonSqueezy's license-key endpoint. One request per machine. After that, Whittl runs offline indefinitely.

Neither involves your prompts, your code, your projects, or anything you generated.

What goes to LemonSqueezy (purchase only)

Your purchase of Whittl was handled by LemonSqueezy. Email address, payment method, license key. Standard e-commerce — LemonSqueezy's privacy policy governs it.

After purchase, Whittl itself never contacts LemonSqueezy except for the one-time license check.

Offline mode

If you use Ollama as your backend, Whittl works fully offline:

  • No internet required
  • No API keys needed
  • No data leaves your machine, ever

Slower per-generation and lower quality ceiling than cloud backends, but for privacy-mandated environments (air-gapped networks, confidential codebases, etc.), this is the setup.

See Ollama for configuration.

Future telemetry

Whittl has never asked to collect telemetry and has no plans to. If that ever changes in a future version, it'll be:

  • Opt-in, not opt-out
  • Clearly labelled in the Settings dialog
  • Documented on this page before the version ships

Until then, assume zero telemetry is accurate.

Summary

Your code, API keys, skills, templates, and history live on your disk. Prompts go to the backend you chose. Whittl's author gets update-check hits (at your initiative) and a license-validation hit (on first launch if you bought the paid version). Nothing else.

What's next