Privacy & Safety

Privacy & Safety

Local-first, tri-state auth, backups, usage analytics, honesty rails, ARIA never touches money.

Privacy & Safety

LIVE

Local-first

Your data is on your machine. The app works without the network for most surfaces. When ARIA calls an external API, it is explicit about it.

Authentication model

Three states:

  • AUTH_OPTIONAL — family default. Sign-in is optional.
  • AUTH_REQUIRED — regulated or initialized environment.
  • SECURE_LOCKDOWN — broken database or missing users when auth was initialized.

Eleven distinct permissions (chat_write, document_write, medical_read, manage_hardware, and more). PIN for destructive actions: deleting a device, clearing logs, resetting the ontology cache.

Backup and restore

On-demand backups including chat history, profiles, phenotype logs, SDL data, and the registry snapshot. Integrity validation is part of the MAVS deterministic check set. Inspect Backup previews contents without restoring.

Usage Analytics

Local-only dashboard. Token counts are exact per message per model. No data leaves the device.

Conversation Management

1M-token context on Opus 4.6. Automatic compaction at 800K with medical-aware preservation rules. Seven preservation categories protect clinically important content.

ARIA never touches money

This is architectural, not editorial. Payment methods are not stored. ARIA never submits orders or charges. Any transfer to a commerce service requires a mandatory confirmation screen listing what is sent and what is not. You always complete payment on the third-party service in your own account. An append-only handoff audit log is stored locally so "did ARIA send anything?" is always answerable.

Honesty rails

  • No pathogenicity claims in Phenopacket exports (acmgPathogenicityClassification: NOT_PROVIDED).
  • EEG Workspace uses "template-brain estimate" and "clinician review recommended" — no diagnostic language.
  • Provenance Badges are visible on all research surfaces.
  • Correlation Network is labeled hypothesis-generating, not diagnostic.

When things go wrong

Graceful error handling with recovery actions. Flight recorder logs locally so remote debugging does not require reproducing the failure.

Why it exists

Privacy is designed in, not bolted on. Safety rails are architectural.

Go back to docs
Updated on: 
Apr 14, 2026