NOLO
Provable, not just promised

What's actually private, and what isn't.

Most apps say "we respect your privacy" and stop there. Here is the whole picture: what leaves your device, who receives it, what we keep, and where the honest limits are. No marketing words you can't check.

Data flow

What leaves your device, per action.

An AI that runs in your browser still has to send some things to answer you. Here is exactly what, and to whom, for each thing NOLO can do.

Action
What leaves your device
Who receives it
What they keep
Chat message
Your message and the parts of the conversation needed to answer. No name, no email, no account.
The AI model provider, reached through NOLO's server, so your raw IP never reaches them.
Nothing. The providers we use operate under zero-data-retention terms: answer, then discard.
Web search
Only the search keywords NOLO builds from your request, not your whole chat.
The search provider, through NOLO's server.
A standard search query log on their side; no link to who you are.
Image generation
The text prompt for the image.
A third-party image provider (proprietary model), through NOLO's server.
Processes the prompt to render the image; not tied to an identity.
Voice dictation
The short audio clip you record, only while you hold the mic.
The speech-to-text provider, through NOLO's server.
Transcribes it and discards it; the audio is not stored.
Live data
The symbol, place or query (a stock ticker, a city for weather).
Public market and weather data sources.
A normal API request; no profile of you.
Drive sync (opt-in)
An encrypted blob of your chats, only if you turn sync on.
Your own Google Drive (a private app folder). NOLO can't read it.
It lives in your Drive until you delete it. See the honest limit below.

If you never turn on sync and never use a tool, the only thing that ever leaves your device is the message you send to get an answer.

On our side

What NOLO's own servers store.

We do keep a little, and we'd rather tell you exactly what than pretend it's zero. It's pseudonymous: tied to your anonymous ID, never to a name, email or raw IP, and never the content of your chats.

Per-message usage record

For each message we store a small row: your anonymous ID, the message type, which model answered, the token count, and your plan. This is how daily limits and billing work. We never store the text of your messages or the answers.

Usage rows (id, type, tokens, plan)90 days
Anonymous visitor counts180 days
Daily usage totals30 days
Rate-limit buckets7 days
Your IP address, in the clearnever
The content of your chatsnever

Your IP is only ever used as a salted, one-way hash to stop abuse, and that bucket is deleted within a week. It can't be turned back into your address.

The honest part

Where the limits actually are.

Anyone can claim "fully private". These are the places where NOLO is not, stated plainly so you can decide for yourself.

Your history is on your device, but it is not encrypted at rest

Chats are stored in your browser's local storage in plain form. That keeps them off our servers, but it also means anyone with access to your unlocked device could open them. If that matters to you, use a device passcode and clear NOLO when you're done.

Drive sync is encrypted, but it is not true end-to-end

When you turn on sync, your chats are encrypted before they reach your Google Drive. But the key is derived from your Google account identifier, not from a password only you know, so it's strong obfuscation rather than zero-knowledge encryption. Treat it as "much better than plain", not "mathematically impossible for anyone".

Image generation uses a third-party, proprietary model

The chat models are open-weights and we name them. Image generation is the exception: it runs on a third-party provider's proprietary model. The prompt still goes through our server without your identity, but it's fair to know that one capability isn't open-weights.

Don't trust, verify

Check it yourself in two minutes.

You don't have to take our word for any of this. The browser already gives you the tools to watch what NOLO does.

Open the network panel

In NOLO, press F12 and open the Network tab, then send a message. You'll see requests go to NOLO's own API and nowhere else, no ad networks, no analytics trackers, no third-party profilers.

Clear the storage

In the same panel, open ApplicationStorage and clear it. Your chats vanish, because that's the only place they live. There's no server copy to delete.

Check what was sent

Click any request to /api/chat and read the payload. There's no email, no name, no login token, just your anonymous ID and the message you chose to send.

Name the model

Ask NOLO which model is answering. It will tell you, the chat models are open-weights, so you can look up exactly what's running and judge it for yourself. See the comparison.

FAQ

Straight answers.

Not exactly, and we won't claim it. We keep pseudonymous usage rows (your anonymous ID, token counts, the model used) for up to 90 days so limits and billing work. We never log the content of your messages and never store your IP in the clear. "No content logs, no identity" is accurate; "zero logs" would not be.

No. Sync stores an encrypted blob in your own Google Drive app folder. We don't hold the data and don't have a copy. The honest caveat is that the encryption key is derived from your Google identifier rather than a private password, so it's strong protection but not zero-knowledge end-to-end.

No. Your message reaches the provider, gets answered, and is discarded under their zero-data-retention terms. Because there's no account, there's also nothing for them to tie a message back to.

To enforce daily limits, process payments and stop abuse, the bare minimum to run a service without an account. It's pseudonymous and short-lived, and you can see precisely what it is above.

Private by design. Honest about the rest.

Open it, watch the network, read the payload. Then decide.