Privacy Policy

Introduction

BaseLayer ("we," "our," or "us") provides a local-first, encrypted memory layer for AI conversations. This Privacy Policy explains what data we collect, how we handle it, and your rights. It covers our desktop application, Chrome browser extension, website, and related services.

Our Core Principle: Your conversation data belongs to you. BaseLayer uses end-to-end encryption so that your AI conversations are always encrypted before they leave your device. Our servers handle encrypted data they cannot read.

Our Architecture

BaseLayer is built on an end-to-end encrypted, local-first architecture:

• Local-First Storage: Your conversation data is stored in an encrypted SQLite vault on your device (AES-256 via SQLCipher), with the encryption key stored in your operating system's secure keychain
• End-to-End Encryption: Conversations are encrypted on your device (or in your browser) before transmission. Our servers only handle encrypted blobs they cannot decrypt
• Zero-Knowledge Design: We do not have access to your encryption keys and cannot read your conversation content
• No Data Mining: We cannot and do not access, read, or analyze your conversation content

Information We Collect

1. Account Information

When you create a BaseLayer account, we collect:

• Email address: For authentication and account communications
• User ID: A unique identifier for your account
• Authentication provider: Which sign-in method you used (e.g., email/password, Google OAuth)
• Vault ID: An identifier linking your account to your encrypted vault

Purpose: Account creation, authentication, and linking your devices to your encrypted vault.

2. API Key Hashes

If you generate API keys for programmatic access, we store a cryptographic hash of each key on our server. We do not store the plaintext API key after initial generation.

Purpose: Authenticating API requests.

3. Encrypted Conversation Data (In Transit)

When conversations are relayed from the Chrome extension to your desktop app, encrypted blobs pass through our Firebase infrastructure. This data is:

• Encrypted in your browser before transmission using your encryption key
• Temporarily stored in an ingest queue on Firebase/Firestore
• Removed from our infrastructure once delivered to your desktop app

We cannot decrypt this data. It is opaque ciphertext to us.

4. Encrypted Master Key Blob

We store a passphrase-wrapped (encrypted) copy of your master encryption key on our server. This allows you to recover your vault on a new device by entering your passphrase. Without your passphrase, this blob is unreadable—including to us.

5. Anonymous Telemetry (Opt-In)

If you opt in, we collect anonymous usage telemetry:

• Event types (e.g., "vault opened," "conversation captured")
• Event counts and durations
• Never conversation content, filenames, or any personal data

Purpose: Understanding product usage patterns to improve BaseLayer. This is strictly opt-in and can be disabled at any time.

6. MCP Server Heartbeat

If you use the BaseLayer MCP server (a local tool for AI agents to query your vault), a periodic heartbeat is published to our server indicating the MCP server is running. This contains no conversation data—only a health status signal.

7. Information We Cannot Access

Due to our end-to-end encryption:

• Your conversation content: Always encrypted before it reaches our servers
• Your encryption keys: Generated and stored locally in your system keychain; we never see them
• Your vault contents: Entities, relationships, and memories extracted by the dream engine remain in your local encrypted database

Chrome Browser Extension

The BaseLayer Chrome extension captures AI conversations from browser-based tools (such as ChatGPT, Claude.ai, Gemini, OpenRouter, and Open WebUI) and relays them to your local BaseLayer vault.

What the Extension Does

• Captures conversation content from supported AI web applications
• Encrypts all conversation data in the browser using your encryption key before any data leaves your machine
• Transmits only encrypted blobs through Firebase to your desktop app
• Does not capture data from non-supported websites
• Does not capture browsing history, passwords, form data, or any data outside of supported AI chat interfaces

Extension Permissions and Why We Need Them

The extension requests only the permissions necessary for its function:

• Host permissions for supported AI sites: To read conversation content from the AI tools you use
• Storage: To store your encrypted authentication credentials and extension preferences locally
• Network access (Firebase): To transmit encrypted conversation data to the relay for delivery to your desktop app

Data Flow

Conversation in browser → Encrypted in browser with your key → Encrypted blob sent to Firebase relay → Desktop app pulls and decrypts locally → Stored in your local encrypted vault. At no point does any server (ours or Google's) see plaintext conversation content.

Desktop Application

The BaseLayer desktop app (macOS) creates and manages your local encrypted vault:

• Local encrypted database: SQLite with SQLCipher (AES-256 encryption)
• Encryption key: Stored in your macOS Keychain, never transmitted
• AI conversation capture: Captures conversations from IDEs (Cursor, Claude Code, Copilot, Aider, Gemini CLI) directly on your machine
• Dream engine processing: Extracts entities and relationships from conversations—all processing happens locally on your device

Infrastructure Providers

Our backend infrastructure runs on Google Cloud Platform / Firebase. This includes:

• Firebase Authentication: Manages user sign-in (email, OAuth)
• Cloud Firestore: Stores account metadata, encrypted blobs in transit, API key hashes, and telemetry data

Google's infrastructure processes the encrypted conversation blobs we relay, but cannot decrypt them—only you hold the key. Google's handling of infrastructure data is governed by Google Cloud's Data Processing terms.

How We Protect Your Information

• End-to-End Encryption: Conversation content is encrypted with AES-256 before leaving your device. Our servers handle only ciphertext
• TLS in Transit: All network communication uses TLS encryption
• Secure Key Storage: Encryption keys are stored in your operating system's secure keychain, never on our servers
• Hashed Credentials: API keys are stored as cryptographic hashes, not in plaintext
• Minimal Server Data: We store only what's necessary for authentication and encrypted relay

Because of our end-to-end encryption, even a breach of our servers would not expose your conversation content—we don't have the keys to decrypt it.

Data Sharing and Disclosure

We Do Not Sell Your Data

We will never sell, rent, or trade your personal information.

Limited Sharing

We may share information only in these circumstances:

• Infrastructure Providers: Google Cloud/Firebase processes data as described above, under their data processing agreements
• Legal Obligations: When required by law or court order. Note: due to our end-to-end encryption, we cannot produce your conversation content even if compelled—we don't have access to it
• Business Transfers: In the event of a merger or acquisition, with advance notice to you

Your Rights

General Rights

You have the right to:

• Access: Request a copy of the personal information we hold about you (account data, telemetry)
• Correction: Update or correct your account information
• Deletion: Request deletion of your account and all associated server-side data
• Portability: Your vault data is already on your device in a standard SQLite format—you always have it
• Objection: Object to processing of your personal information

GDPR Rights (EU/EEA Users)

If you're in the European Union or European Economic Area, you have additional rights under GDPR, including:

• Right to restriction of processing
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority

CCPA Rights (California Users)

If you're a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected
• Right to know if personal information is sold or shared (we don't sell it)
• Right to deletion
• Right to non-discrimination for exercising your rights

Exercising Your Rights

To exercise any of these rights, contact us at: privacy@baselayer.id

We will respond within 30 days (or as required by applicable law).

Data Retention

• Account Data: Retained while your account is active. Deleted within 30 days of account deletion request
• Encrypted Blobs in Transit: Temporarily stored in the ingest queue and removed once delivered to your desktop app, or within 30 days, whichever comes first
• Local Vault Data: Stored on your device indefinitely under your control. You can delete it at any time
• Telemetry Data: Retained in aggregate for up to 12 months, then deleted

Children's Privacy

BaseLayer is not intended for users under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us at privacy@baselayer.id.

International Data Transfers

Our infrastructure is hosted on Google Cloud in the United States. If you're accessing BaseLayer from outside the United States, your account information may be transferred to and stored in the United States. Your conversation content, however, is always encrypted before transmission and cannot be read by any server regardless of jurisdiction.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Updating the "Last Updated" date at the top of this policy
• Sending an email to registered users for material changes
• Posting a notice in the BaseLayer application

Your continued use of BaseLayer after changes become effective constitutes acceptance of the revised policy.

Cookie Policy

The BaseLayer website uses minimal cookies:

• Essential Cookies: Required for website functionality and authentication

We do not use analytics or tracking cookies. You can control cookies through your browser settings.

Contact Us

For questions, concerns, or to exercise your privacy rights:

• Privacy inquiries: privacy@baselayer.id
• General inquiries: hello@baselayer.id