
Privacy & Security

ChatWalaʻau is localhost-first. By default it binds to 127.0.0.1 and stores your data on your own machine.

Where your data lives

  • Conversations are stored as JSON files on your host.
  • Uploads, generated images, and RAG vectors (ChromaDB) are stored locally.
  • API keys and secrets live in your .env file -- never committed, and never shipped to a third party by the runtime.

Network access

The runtime only talks to the model providers and tools you configure. No telemetry is sent by default.

Access control

  • Binding to a non-loopback address fails closed unless you configure authentication (APP_REQUIRE_AUTH_ON_LAN=true by default).
  • A Bearer API_KEY protects the API and write endpoints.
  • An optional web sign-in (AUTH_USERNAME) gates the web app behind an HttpOnly session cookie.

See Authentication for the full model.
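
A sketch of the fail-closed bind check described above, as an added example rather than ChatWalaʻau's own code. The function names, the rule that a non-empty API_KEY or AUTH_USERNAME counts as "authentication configured", and the parsing of APP_REQUIRE_AUTH_ON_LAN are assumptions; the Authentication page is the authority on the real behaviour.

```python
import ipaddress


class InsecureBindError(RuntimeError):
    """Raised when a LAN-reachable bind is requested without authentication."""


def is_loopback(host: str) -> bool:
    """True only for addresses that never leave the machine."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Any other hostname is treated as non-loopback, so the check fails closed.
        return False


def bind_allowed(host: str, env: dict) -> bool:
    """Decide whether the server may start listening on `host`."""
    # Assumption: only the literal value "false" turns the requirement off;
    # a missing or unrecognised value keeps the secure default.
    require = env.get("APP_REQUIRE_AUTH_ON_LAN", "true").strip().lower() != "false"
    # Assumption: either credential counts as "authentication configured".
    has_auth = bool(env.get("API_KEY", "").strip()
                    or env.get("AUTH_USERNAME", "").strip())
    return is_loopback(host) or not require or has_auth


def check_bind(host: str, env: dict) -> None:
    """Call before opening the socket; refuses to start rather than warn."""
    if not bind_allowed(host, env):
        raise InsecureBindError(
            f"refusing to bind {host}: configure API_KEY or AUTH_USERNAME first"
        )


if __name__ == "__main__":
    # Constructed sample configurations, not real deployments.
    for host, env in [("127.0.0.1", {}),
                      ("0.0.0.0", {}),
                      ("0.0.0.0", {"API_KEY": "constructed-example-key"})]:
        print(host, sorted(env), "->", "start" if bind_allowed(host, env) else "refuse")
```

Note that 0.0.0.0 listens on every interface, so it is handled as a non-loopback bind even when the machine is only ever reached locally.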

This website

This marketing and documentation site is statically generated. The only dynamic endpoint is the contact form, which stores your submission so we can reply. The form uses spam protection but no third-party trackers or marketing scripts.