Privacy by Design: Built From the Ground Up to Protect You
Most apps add privacy as an afterthought. A settings page here, a compliance checkbox there, a revised privacy policy when regulations force their hand. Clairvoyant took the opposite approach: we made privacy a foundational architectural decision before writing the first line of code.
What "Privacy by Design" Means
The term "privacy by design" was coined by Ann Cavoukian, former Information and Privacy Commissioner of Ontario, and has since been adopted into the GDPR as a legal requirement. It comes down to seven principles:
- Proactive, not reactive — prevent privacy issues before they occur
- Privacy as the default — no action required from the user to be protected
- Privacy embedded into design — not bolted on as an add-on
- Full functionality — privacy without sacrificing features
- End-to-end security — data protected through its entire lifecycle
- Visibility and transparency — operations are verifiable and auditable
- Respect for user privacy — user interests above all else
These aren't marketing principles. They're engineering constraints. Every technical decision in Clairvoyant is evaluated against them.
Layer 1: Local-First Architecture
The most effective way to protect data on a server is to never put it there in the first place.
Clairvoyant is a local-first application. Your tasks, calendar events, notes, and settings live on your device as the primary data store. The app works fully offline — you can create, edit, complete, and delete tasks without any network connection.
This is fundamentally different from how most productivity apps work:
| Traditional App | Clairvoyant |
|---|---|
| Server is the source of truth | Your device is the source of truth |
| Requires internet to function | Works fully offline |
| Search queries hit the server | Search runs locally |
| Server processes your data | Server stores encrypted backups it can't read |
| Outage = no access to your tasks | Outage = no sync, full local access |
By default, the server exists for one purpose: sync and backup. It stores encrypted data it cannot read. That sync layer is encrypted with keys only you hold.
If you choose to opt in to Server-Assisted AI, our server can also run AI inference on your tasks — but only in memory, never stored in plaintext, and never through third-party AI providers. This is an explicit opt-in, never enabled without your consent. Learn how it works →
This architecture wasn't chosen for performance or cost savings (though it delivers both). It was chosen because it's the only architecture where the service provider genuinely cannot access user data by default.
Layer 2: Zero-Knowledge Sync
When your data does sync to the cloud, it leaves your device already encrypted. Clairvoyant uses AES-256-GCM encryption with keys derived from your password via PBKDF2 (100,000 iterations). By default, the encryption and decryption happen entirely on your device. If you opt in to Server-Assisted AI, our server can temporarily decrypt your tasks in memory for AI processing — but the plaintext is never written to disk and is discarded immediately after processing.
What our servers see by default:
Task title: "3f8a2b1c9d4e5f6a7b8c9d0e1f2a3b4c..."
Description: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6..."
Notes: "7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b..."
What you see:
Task title: "Prepare Q2 board presentation"
Description: "Include revenue projections and hiring plan"
Notes: "Ask Sarah about the new product timeline"
We can't bridge that gap. By design.
If you opt in to Server-Assisted AI, our server temporarily bridges it in memory for AI processing, then discards the plaintext. But by default? The server can't read a thing.
Structural metadata — due dates, completion status, priority levels — remains unencrypted so the sync engine can resolve conflicts efficiently. This metadata reveals when and how you organize tasks, but nothing about what those tasks actually contain.
Layer 3: Minimal Data Collection
Privacy by design requires data minimization — collecting only what's strictly necessary. Here's what Clairvoyant stores on our servers:
Required for the service to function:
- Email address (authentication)
- Encrypted task data (sync and backup)
- Subscription status (billing)
Not collected, period:
- IP-based location tracking
- Device fingerprinting
- Behavioral analytics (unless you opt in)
- Usage patterns or session data
- Third-party advertising identifiers
Most apps collect dozens of data points per user session. We collect what's needed for login and sync. That's it.
Layer 4: Opt-In Telemetry
Crash reports and usage analytics are disabled by default. This is unusual — most apps enable telemetry by default and offer opt-out buried in settings. We invert this because privacy by design means the default state must be the most private state.
If you choose to enable telemetry:
- Crash reports are stripped of personally identifiable information before transmission
- Usage analytics are anonymous counters, not user-level behavioral tracking
- All telemetry goes to infrastructure we control (Sentry for errors, custom service for analytics) — no third-party analytics platforms
We'd rather debug issues more slowly than compromise your privacy for engineering convenience.
Layer 5: Vendor Independence
Depending on a single cloud provider creates a privacy risk. If that provider changes their terms, gets acquired, or suffers a policy change, your data handling changes without your consent.
Clairvoyant is architected for vendor independence:
| Service | Current Provider | Self-Hosted Alternative | Migration Path |
|---|---|---|---|
| Database | Supabase Cloud | Self-hosted Postgres | Standard SQL, same schema |
| Error Tracking | Sentry | GlitchTip | Same SDK, swap DSN |
| Hosting | Vercel | Any Node.js host | Standard build output |
| Analytics | Custom service | Self-hosted (Supabase) | Already our own code |
Every third-party dependency was chosen because it has an open-source, self-hostable alternative with a compatible API. This isn't theoretical — the migration paths are documented and the abstractions exist in code.
Our HTTP layer uses a factory pattern that auto-detects the runtime environment. Our storage layer uses an adapter pattern that abstracts the underlying storage mechanism. Swapping providers means changing configuration, not rewriting application code.
Layer 6: Open Source Verifiability
We don't ask you to trust our marketing. Clairvoyant is open source. You can:
- Read the encryption implementation and verify it does what we claim
- Audit the telemetry service and confirm it only sends what we describe
- Inspect the sync layer and check that data is encrypted before transmission
- Review the privacy settings and verify defaults are genuinely private
Open source isn't just about transparency. It's about accountability. If we ever deviate from our privacy commitments, the code will show it.
Why This Architecture Is Rare
Building a privacy-by-design productivity app is harder than building a traditional one. Here's why most companies don't do it:
Feature complexity: End-to-end encryption makes collaboration features significantly harder to implement. Sharing an encrypted task requires key exchange protocols. Server-side search is impossible without decryption.
The AI challenge: Most AI productivity apps send your data directly to OpenAI or similar providers. We chose to run our own AI models on our own servers so your data never leaves our infrastructure. This is harder and more expensive to build — but it means no third-party AI company ever sees your tasks.
Business model friction: Companies that monetize user data have no incentive to make that data inaccessible. Even companies that don't sell data directly benefit from being able to analyze usage patterns for product decisions.
Engineering overhead: Local-first architecture requires solving conflict resolution, offline queue management, and eventual consistency — problems that server-first apps avoid entirely.
User experience trade-offs: Our encryption model means no password reset. Local-first means sync delays. Privacy by default means less telemetry data for debugging.
We accepted every one of these trade-offs because we believe the alternative — an app that feeds your most personal data to third-party AI companies — is unacceptable for a tool that people use to organize their entire lives.
The Result
When you use Clairvoyant:
- Your data lives on your device first, syncs as encrypted backup
- By default, we cannot read your task content, even with full server access
- If you opt in to Server-Assisted AI, your data is processed in memory only — never stored in plaintext, never logged, never sent to third-party AI providers
- No tracking, analytics, or telemetry runs unless you explicitly enable it
- Every third-party service can be replaced with a self-hosted alternative
- The code is open source and auditable
This isn't a feature list. It's the consequence of treating privacy as an engineering constraint rather than a marketing checkbox.
Your productivity tool knows your goals, your struggles, your health appointments, your financial deadlines, and your career plans. That information deserves the same protection as your private messages and medical records. We built Clairvoyant to provide exactly that.