Privacy Policy
Last updated: April 15, 2026
Overview
NovaKit is a local-first AI workspace. We designed it so that your data stays on your device. This privacy policy explains what data we collect (very little), what we don't collect (almost everything), and how we handle the data that does pass through our systems.
NovaKit never sells, shares, or uses your data for training AI models.
Zero telemetry commitment
The NovaKit application contains zero analytics, zero tracking pixels, and zero telemetry. Workspace data is stored locally in your browser. When you use NovaKit, requests are sent to the AI provider you choose, and in some cases those requests are relayed through NovaKit server routes purely to satisfy provider networking requirements. This applies to all individual plans (Free, Starter, Pro).
Data that stays on your device
The following data is stored exclusively in your browser and never sent to NovaKit servers:
- Conversations and chat history
- API keys (encrypted before storage)
- Prompt templates and personas
- Knowledge base documents and embeddings
- Prompt chains and automation workflows
- Memories and personal knowledge
- Application settings and preferences
- Cost tracking and usage data
Data sent to AI providers
When you send a message, the message content, conversation history, any attached files, and your API key are sent to the AI provider you selected (e.g., OpenAI, Anthropic, Google). For providers that support browser access this can happen directly from your browser; for others, NovaKit may relay the request through a server route before forwarding it. NovaKit is designed not to persist these request contents.
Providers that require a relay
Some providers block direct browser connections for technical reasons. For these providers, requests pass through a lightweight relay on our server that forwards the request as-is. The relay does not log, store, or inspect any data. Your API key is included in the forwarded request and is never saved on our side.
Knowledge base processing
When you upload documents to the knowledge base, the document text is sent to your chosen embedding provider (using your own API key) to make the content searchable. The provider's API data usage policy governs how they handle that data. The resulting search index is stored locally on your device.
Switching providers mid-conversation
If you switch AI providers during a conversation, your conversation history is sent to the new provider for context. NovaKit shows a notice when this happens so you can make an informed choice.
Each AI provider has its own privacy policy and data retention practices. We recommend reviewing the privacy policy of each provider you use.
Data by plan
Free, Starter & Pro (individual plans)
The vast majority of your workspace data is stored locally in your browser. NovaKit does not use a hosted user database for individual plans, but some requests may transiently pass through NovaKit-managed server routes for AI relays, contact delivery, and license validation.
Teams (future)
Team data (shared prompts, shared chains, knowledge base, usage analytics) will be stored on a secure backend provisioned for your organization. Team admins will be able to see member message counts, token usage, and costs — but never message contents. Individual team members will retain full control over their personal conversations.
Enterprise (future)
Enterprise deployments will include audit logs that record actions (logins, messages sent, files uploaded) but not message contents by default. Content logging will be an opt-in configuration requiring explicit employee consent where legally required.
Data we collect
License validation
If you purchase a Starter or Pro license, we verify your license key through our payment partner. During first activation, your license key and a randomly generated device ID (not a hardware fingerprint) are sent for validation. After activation, NovaKit works fully offline — no network requests are made for license checks. The payment partner tracks active device count per license to enforce device limits.
Contact form
If you use our contact form, we receive your name, email, and message. This data is used solely to respond to your inquiry and is not shared with third parties.
Marketing site
We may use privacy-respecting, cookie-less analytics on the marketing site only (landing page, blog, pricing) to understand aggregate page views. These analytics do not track individual users, do not use cookies, and respect Do Not Track browser headers. The NovaKit application itself has zero analytics.
Encryption
API keys are encrypted before storage using industry-standard encryption. If you set an optional passphrase, your keys are protected with a key derived from your passphrase using a strong key-stretching algorithm. Without the passphrase, stored keys cannot be decrypted — not even by us, since we never have access to them.
Data deletion
Since your workspace data lives in your browser, you can delete it at any time by clearing your browser's storage for novakit.ai, or by using the data management options in Settings > Storage. We cannot directly remove data that remains only in your browser storage.
For any data held by our infrastructure (license records, contact form submissions), contact us and we will delete it within 30 days.
Third-party services
We use a small number of trusted services to operate NovaKit. Each handles only the minimum data needed for its function:
- Payment partner — Processes license purchases and manages license key validation
- Email delivery — Delivers contact form responses
- Hosting provider — Serves the NovaKit application and website
These services only receive the minimum data needed for their task. Data stored only in your browser is not uploaded to them unless a feature explicitly requires a relay or outbound request.
Your rights (GDPR)
If you are in the European Economic Area, you have the following rights under the General Data Protection Regulation:
- Right of access — request a copy of any personal data we hold about you
- Right to portability — export your data in a machine-readable format (available via Settings > Storage > Export All Data)
- Right to erasure — request deletion of your data (local data is under your control; for license data, contact us)
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to specific processing of your data
Since NovaKit stores virtually all user data locally in your browser, most of these rights are automatically satisfied — you already have full control. For any data held by our infrastructure, contact us at the address below.
Changes to this policy
We may update this policy as our product evolves. Significant changes will be announced on our blog. The "last updated" date at the top reflects the most recent revision.
Contact
Questions about this privacy policy? Reach us at support@novakit.ai or through our contact page.