ETOS LLM Studio follows a “Local-first” design philosophy. Most core data stays on your own device and remains under your control.
We do not automatically store your chat content, voice recordings, image attachments, or API keys on developer-controlled servers. That said, the app does store chats, configuration, memory data, and request logs locally on-device so it can provide sync, statistics, Daily Pulse, annual recap, and similar features.
2. On-Device Storage and Local Processing
Chats and session data: chat history, session settings, attachment references, worldbooks, memory data, Daily Pulse data, feedback history, and app settings are stored inside the app sandbox on your device.
API provider configuration and API keys: provider configuration (such as model lists, header overrides, and proxy settings) and API keys are stored in a local SQLite configuration database. If an older version wrote keys to Keychain, migration will merge and clean up the legacy credential storage.
Local request logs: the app records metadata such as provider name, model identifier, start time, finish time, status, streaming flag, and token usage. These logs do not include message bodies. They are used for local traffic analysis, response speed metrics, Daily Pulse summaries, annual recap, and other on-device statistics.
Feedback ticket cache: if you use the feedback assistant, the app stores ticket numbers, ticket tokens, status, update timestamps, and public URLs locally so you can track progress later.
3. AI Requests, Audio, and Images
Text chat: your messages are sent directly to the third-party AI providers you configure yourself (such as OpenAI, Anthropic, Google, OpenAI-compatible services, or self-hosted models). We do not proxy or store that content on developer-controlled servers.
Voice and audio: microphone access is only used when you actively record or trigger voice input. Audio is sent only to your current model provider or the speech/transcription service you choose.
Images and files: the app only accesses images or files when you choose them. Those attachments are sent to your current model provider, or to a local debugging endpoint that you intentionally connect.
4. Sync, Local Network, and Apple Services
iPhone / Apple Watch sync: live sync between your iPhone and Apple Watch uses WatchConnectivity and does not pass through developer-operated servers.
iCloud sync: if you explicitly enable iCloud sync, selected data may sync between your own devices through Apple’s iCloud / CloudKit stack, including provider configuration data that may contain API keys.
Local network and debugging: local network permission is only used for optional LAN debugging / remote file access features. If you connect your own desktop debugging tool, related app files or request traffic may be sent to a local endpoint that you control.
5. Feedback Assistant
Data is sent to the feedback service only when you actively choose to submit feedback.
User-entered content: feedback type, title, description, reproduction steps, expected behavior, actual behavior, and extra context.
Environment snapshot: platform, app version, build number, OS version, device model identifier, locale, and time zone.
Anti-abuse verification: feedback requests also include challenge, timestamp, signature, and proof-of-work-related fields to limit spam submissions.
Status refresh: when you later refresh a ticket in the feedback center, the app uses the locally saved issue number and ticket token to query the feedback service for updates.
Before upload, feedback text goes through a basic sanitizer that tries to mask common Bearer tokens, API key labels, and a few common secret formats. However, this is not a full data loss prevention system. Please do not put secrets, government IDs, addresses, health data, or similar sensitive information into feedback submissions.
6. Third-Party Services, Analytics, and Server Boundaries
Third-party AI providers: process the chat, image, and audio requests that you intentionally send.
Apple system services: services such as WatchConnectivity and iCloud / CloudKit are governed by Apple’s own policies.
Developer-operated feedback service: used only when you intentionally submit or refresh feedback tickets.
Not uploaded by default: chat content, local memory, local request logs, annual recap data, and API keys are not automatically uploaded to developer-controlled servers.
Ads and general analytics SDKs: the current codebase does not include third-party ad SDKs, and we did not find a general-purpose developer-side behavioral analytics SDK. If that changes in the future, we will update this policy first.
Apple analytics sharing: if you choose to share analytics with developers at the system level, Apple may collect anonymous crash logs or diagnostic information under Apple’s own rules.
7. Disclaimer
Neutral tool: this app is a general LLM client. It may prefill some service endpoints or feedback service addresses, but it does not ship with ready-to-use commercial model credentials.
Content responsibility: all AI-generated output comes from third-party providers you configure yourself. We cannot guarantee the accuracy, legality, or suitability of that output.
Service choice: any API service, sync capability, or feedback service you use should be evaluated by you based on its own privacy policy, terms, cost, and risks.
8. Contact Us
If you have any questions about this Privacy Policy, please contact: