Last Updated: December 12, 2025
Version 1.5.0
Android App: Your data stays on your device - for your own use and for your personal agent to learn from (based on your consent level).
CIRISProxy: When you use our LLM proxy, your messages are transmitted securely to our servers, then to our AI providers (Together, Groq, OpenRouter) for processing. All points in this pipeline are configured for zero data retention - your conversations are processed and immediately discarded, never stored.
See Infrastructure Data for what our servers actually store (spoiler: only billing metrics and system health - never message content).
scout.ciris.ai and agents.ciris.ai are research platforms. Data is recorded per clear on-site statements and may be used for research, improving future agent templates, and model selection.
These services implement the Consensual Evolution Protocol and provide full DSAR support. All model and prompt changes that impact responses are publicly available at github.com/cirisai.
For Android App and CIRISProxy (services covered by this policy):
All model selections, prompt templates, and code changes that could impact agent responses are immediately available on our public GitHub: github.com/cirisai
This applies to all CIRIS agents - research services, Android app, and self-hosted deployments.
This privacy policy applies to the following production services:
Mobile application with local-first architecture. Your data stays on your device. Zero data retention on our servers.
Privacy-focused LLM proxy and billing service. Zero data retention - messages processed and discarded.
The following services are research platforms with different privacy terms. They record data and may use it for research purposes:
Research interface for CIRIS agents. Data is recorded per clear on-site statements. Implements Consensual Evolution Protocol. Data may be used for improving future agent templates and model selection.
Hosted research agents. Data is recorded per clear on-site statements. Implements Consensual Evolution Protocol. Data may be used for research and improving future agent templates and model selection.
Local-First Architecture: Your agent data is stored on YOUR device (phone, computer) - not on CIRIS servers. You have full control over this data and can delete it anytime.
What we DON'T have access to: Your conversations, your agent's memories, your local data. None of this is transmitted to CIRIS servers.
Important Distinctions:
CIRIS implements a Consensual Evolution Protocol with three consent streams. Default is TEMPORARY (most privacy-preserving).
Agent Self-Training on Hosted Services: When you interact with CIRIS agents hosted on ciris.ai (like Scout), agents self-train on patterns and data from your interactions based on your consent level. TEMPORARY consent = essential interactions only (14-day limit, then deleted), PARTNERED consent = full self-training for mutual growth and improvement, ANONYMOUS consent = statistical patterns only (identity severed).
When we say CIRIS agents "self-train," we mean they use several autonomous learning mechanisms to improve their responses while respecting your consent level. These are NOT traditional machine learning model training—instead, agents learn through introspection and pattern recognition.
Every ~6 hours, agents enter a DREAM state for 30-120 minutes to consolidate memories, analyze behavioral patterns, test configuration parameters, and plan improvements. Think of it as the agent reflecting on what it learned.
View Dream Processor Code →In PLAY state, agents try creative approaches, experiment with novel solutions, and learn through exploration with fewer constraints. About 20% of the time, they'll try something new.
View Play Processor Code →When agents need recovery or reflection time, they enter SOLITUDE state to perform minimal processing, clean up old data, and reflect on past activities and patterns.
View Solitude Processor Code →Agents continuously observe their own behavior, detect patterns (temporal, frequency, performance), and generate insights. Changes are limited to 20% identity variance maximum for safety.
View Self-Observation Documentation →Agents can modify their own configuration parameters through the config graph, testing variations within safety bounds and applying changes only if they stay within the 20% identity variance limit.
Key Safety Mechanisms:
Current Status: Dream, Play, and Solitude processors are implemented but not active by default in the current deployment. Self-Observation Service is fully implemented but requires explicit activation. Your consent level determines whether and how much learning occurs when these features are enabled.
While your conversations stay on your device, our infrastructure does collect some data for billing and system monitoring. Here's exactly what we store - and what we don't.
Our observability platform monitors system health - not your content.
| Data Type | Retention | Contains User Content? |
|---|---|---|
| Performance Metrics (CPU, memory, latency) | 30 days | No |
| Service Logs (operational events) | 14-90 days | No (PII redacted) |
| Request Traces (timing, request IDs) | 14 days | No (IDs only) |
| Aggregated Metrics (hourly/daily) | 90 days - 1 year | No |
Required for billing, fraud prevention, and regulatory compliance.
| Data Type | Retention | Purpose |
|---|---|---|
| Account email | Until account deletion | Account identification |
| Transaction history (amounts, dates) | 10 years | EU AI Act / Tax compliance |
| Credit/usage counts (integers only) | 10 years | Billing records |
| Admin audit logs | 10 years | Security audit trail |
10-Year Archive (EU AI Act Compliance): Financial records are automatically archived to encrypted cold storage (AWS Glacier) and deleted after 10 years. Archives contain only transaction data - never conversation content.
Data stored on YOUR device is under YOUR control. Here are the default retention settings (which you can modify):
| Local Data Type | Default Retention | Your Control |
|---|---|---|
| Conversation History | Until you delete it | Delete anytime in app |
| Agent Memory Graph | Based on consent level | Clear memories in settings |
| PDMA Decision Logs | 14 days (configurable) | Adjust in privacy settings |
| Local Audit Trail | 90 days (configurable) | Export or delete anytime |
It's your device, your data. You can delete all local data at any time by uninstalling the app or using the "Clear All Data" option in settings. We have no backup of your local data.
When you revoke consent or request deletion, we initiate a 90-day decay process:
User ID disconnected from all data immediately. Identity→data links broken.
Gradual conversion to anonymous form. Behavioral patterns become statistical aggregates.
All user-linked data removed or fully anonymized. Only safety-critical patterns retained (anonymous).
Under GDPR, CCPA, and other privacy regulations, you have the following rights:
Request a copy of all data we hold about you
Request deletion of your data (90-day decay process)
Request corrections to inaccurate data
Receive your data in machine-readable format (JSON/CSV)
Limit how we process your data
Object to specific processing activities
Email: privacy@ciris.ai
API Endpoint: POST /v1/dsar
Web Interface: scout.ciris.ai/account/privacy
Response Time: Within 30 days (often faster)
Per GDPR Article 28, we maintain a list of subprocessors who process data on our behalf. All subprocessors are contractually bound to equivalent data protection standards.
| Provider | Purpose | Location | Data Retention | DPA |
|---|---|---|---|---|
| Vultr | Infrastructure hosting | US (configurable) | We control | Available |
| Groq | LLM inference | US | Zero (default) | Signed |
| OpenRouter | LLM routing | US/EU | Zero (enforced) | Enterprise |
| Together AI | LLM inference | US | Zero (configured) | Privacy Policy |
| Stripe | Payment processing | US/EU | Per Stripe policy | Available |
| OAuth authentication | US/EU | Per Google policy | Available |
High-performance LLM inference. Zero data retention by default. EU Representative: DP-Dock GmbH (Hamburg). Never trains on customer data.
LLM routing with Zero Data Retention (ZDR) enforcement. EU routing available. SOC-2 compliant. Prompts/completions not logged by default.
LLM inference and fine-tuning platform. Configured for zero data retention on CIRIS requests.
GDPR-ready cloud infrastructure. Data residency controlled by CIRIS - your data stays where we put it. Vultr acts as data processor; we control all data handling. Standard Contractual Clauses (SCCs) for EU transfers.
Subprocessor Changes: We will notify users at least 30 days before adding new subprocessors that handle personal data. You may object to new subprocessors by contacting privacy@ciris.ai.
CIRIS services are hosted in the United States. If you access our services from outside the US, your data will be transferred to and processed in the US.
We comply with applicable data transfer regulations:
CIRIS services are not directed to children under 13 (or 16 in the EU). We do not knowingly collect personal information from children.
If we learn that we have collected information from a child without parental consent, we will delete it immediately. Contact privacy@ciris.ai if you believe we have data from a child.
We may update this privacy policy to reflect changes in our practices, technology, legal requirements, or other factors.
Continued use of CIRIS services after changes take effect constitutes acceptance of the updated policy.
This privacy policy is governed by the CIRIS Covenant (Version 1.0-RC1), which establishes our ethical foundation:
Your autonomy, privacy, and dignity are paramount
Maximize benefits, minimize harms
Equitable treatment for all users
You control your data and relationship with CIRIS
Truthful communication about data practices
For privacy questions, DSAR requests, or concerns:
Privacy Team Email: privacy@ciris.ai
General Inquiries: info@ciris.ai
GitHub Issues: CIRISAI/CIRISAgent
Discord Community: discord.gg/SWGM7Gsvrv
DSAR API: POST /v1/dsar
CIRIS - Ethical AI by Design
© 2025 Eric Moore and CIRIS L3C | AGPL-3.0 License
Last Updated: December 12, 2025 | Version 1.5.0