Privacy Policy · Quorom

TL;DR

Quorom is local-first. Your prompts and completions are never persisted by our infrastructure. The relay forwards token streams in memory and discards them. The only data we persist is what's needed to operate the cluster: your email, node names, model lists, and aggregate usage counters.

1. Data We Collect

Account data (via Clerk)

Email address
OAuth subject identifier (from Google/Microsoft/GitHub) or a Clerk-generated ID
Display name (if you provide one)

Cluster data (in Convex)

Cluster names and invite codes you create
Cluster membership records (which user is in which cluster)
Node records: display name, a client-generated node ID, list of models the node is serving
API keys: hashed (SHA-256), never stored in plaintext after creation
Audit log entries: cluster created, member joined, API key issued/revoked
Usage events: cluster ID, node ID, model ID, tokens-in, tokens-out, latency. No prompt or completion text.

Diagnostic data (transient)

Relay server logs: timestamps, node IDs, connection events (no payload contents)
Aggregated metrics (e.g. "total tokens routed in the last hour")

2. Data We Do NOT Collect

Prompt text. The text of messages you send through the relay is forwarded in-memory to the destination node and never written to disk on the relay or stored in Convex.
Completion text. Same — streamed through and discarded.
Model weights. Models live on your machines; we never receive them.
Browsing history, device fingerprint, location. Not collected, not stored.

3. Where Data Lives

Clerk (identity): managed by Clerk Corporation under their Privacy Policy.
Convex (cluster state, usage): Convex Cloud, hosted on AWS in the United States. Backed up by Convex per their policies.
Relay(presence + routing): a single DigitalOcean droplet in NYC3. Stateless beyond what's mirrored to Convex.
Vercel (web dashboard): hosts the Next.js app. Receives standard request logs (no payload data).

4. How We Use Data

To authenticate you and route requests between your cluster's nodes
To display your dashboard (online nodes, models, usage)
To detect and prevent abuse (rate limiting, API key revocation)
To measure aggregate Service health (no individual user profiling)
To contact you about your account in rare cases (security incidents, breaking changes)

We do not sell your data, share it with advertisers, or use it to train AI models.

5. Data Retention

Account data: retained while your Clerk account exists
Cluster state: retained until you delete the cluster
Usage events: retained for 90 days, then aggregated and discarded
Audit log: retained for the lifetime of the cluster
Relay logs: rotated every 7 days

6. Your Rights

You may:

Request a copy of your personal data
Request correction of inaccurate data
Request deletion of your account and associated data by deleting your clusters in the dashboard, then requesting account deletion via GitHub issues
Export your usage data via the dashboard (CSV, coming soon)

If you are a resident of the EU, UK, or California, you have additional rights under GDPR / CCPA. We will respond to verified requests within 30 days.

7. Security

All WebSocket connections to the relay are TLS-encrypted and verified by Clerk-issued JWTs. API keys are SHA-256 hashed at creation and never stored in plaintext. The relay runs as a non-root systemd service behind an allow-list firewall.

Despite these measures, no internet-connected service can be guaranteed secure. We will notify affected users within 72 hours of any confirmed breach.

8. Children

The Service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Changes to This Policy

We may update this Policy as the Service evolves. Material changes will be announced on the dashboard. Continued use after changes take effect constitutes acceptance.

10. Contact

Privacy questions? Open an issue at github.com/webface/quorom-app/issues.