Privacy Policy

1. Who We Are

localWiki is a product of Nextbyts, an independent software business. Throughout this policy, "we," "us," and "our" refer to Nextbyts and its operators.

Contact: For any privacy-related questions, email us at [email protected].

2. Our Local-First Promise

localWiki is built on a zero-knowledge, local-first architecture. This means:

• Your content stays on your device. Wiki pages, secrets, project keys, and all user-generated content are stored exclusively in an encrypted SQLite database on your computer. We never upload, copy, or have access to this content.
• Zero-knowledge encryption. All data at rest is encrypted using your Master Password via Argon2id key derivation. We do not possess your Master Password or any derived keys. We cannot decrypt your data under any circumstances.
• End-to-end encrypted sync. If you use peer-to-peer sync (LAN or via our relay), all traffic is end-to-end encrypted. Our relay server facilitates connections but never sees or stores the content being synced.
• No cloud storage. We do not operate any cloud databases, object stores, or file servers that hold your content.

3. Information We Collect

3.1 Information You Provide

• Email address — if you contact us for support or register for an account.
• Payment information — if you purchase a paid plan. Payment processing is handled entirely by Paystack (a Stripe company). We do not receive or store your full credit card number or bank details.
• License key & device fingerprint — used to validate your subscription. The device fingerprint is a one-way hash that cannot be used to identify your hardware.

3.2 Information Collected Automatically

Desktop Application

• Error reports (Sentry) — crash data, stack traces, OS version, and app version. These reports never include your page content, secret values, or Master Password. Error reporting is a mandatory part of the service and cannot be disabled, as it is essential for product stability, security, and protecting all users.
• Usage analytics (PostHog) — anonymized, aggregated metrics such as feature usage frequency and session duration. No page content, titles, or secret values are transmitted.
• Relay metadata — peer IDs and connection timestamps when using the sync relay. No content is included.

Website (localwiki.nextbyts.com)

• Analytics (PostHog) — page views, referrer, browser type, approximate location (country level).
• Cookies — see Section 9 below.

3.3 Information We Do NOT Collect

We explicitly do not collect, transmit, or have access to:

• Wiki page content or titles
• Secret or credential values
• Project key names or values
• Master Passwords or encryption keys
• File contents or file system paths
• In-app search queries

4. How We Use Your Information

• Product improvement — aggregated analytics help us understand which features are used and where users encounter friction.
• Error resolution — crash reports help us find and fix bugs.
• License management — validating your subscription and managing device activations.
• Communication — responding to support requests and sending critical product updates (you may opt out of non-essential emails at any time).
• Legal compliance — complying with applicable laws and responding to lawful requests.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract — processing necessary to provide the localWiki service (license validation, account management, relay service).
• Legitimate interest — product analytics and error reporting to improve the product, provided these interests are not overridden by your data protection rights.
• Consent — analytics cookies on the website (you may withdraw consent at any time via the cookie settings).
• Legal obligation — where we are required by law to retain or disclose data.

6. Data Sharing & Sub-Processors

We share personal data only with the following categories of service providers, who process data on our behalf under strict contractual obligations:

We do not sell data to third parties. We may disclose information to law enforcement only when compelled by valid legal process (court order, subpoena). Given our zero-knowledge architecture, we could not provide user content even if requested.

7. International Data Transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the EEA, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The EU-US Data Privacy Framework, where applicable
• Adequacy decisions for transfers to countries recognized by the European Commission

Importantly, your user-generated content (pages, secrets, keys) is never transferred to us or any sub-processor. It remains encrypted on your device.

8. Data Retention

• Analytics data: retained for 24 months, then automatically deleted or anonymized.
• Error reports: retained for 90 days.
• Payment records: retained as required by tax and financial regulations (typically 7 years).
• License data: retained for the duration of your subscription plus 12 months.
• Support correspondence: retained for 24 months after last contact.

Your local data (on your device) is retained indefinitely by you and is under your sole control. We have no ability to delete it remotely.

9. Cookies

Our website uses the following categories of cookies:

• Essential cookies — required for the website to function (session management). These cannot be disabled.
• Analytics cookies (PostHog) — help us understand how visitors use the site. These are loaded only after you provide consent.

You can manage your cookie preferences at any time. Most browsers also allow you to block or delete cookies through their settings.

10. Your Rights

For All Users

• Opt out of analytics — disable usage analytics (PostHog) in the desktop app under Settings > Privacy, or decline analytics cookies on the website. Note: error reporting (Sentry) cannot be disabled as it is essential for product stability and security.
• Request data deletion — email us to request deletion of any personal data we hold (analytics records, support tickets, license data).
• Data portability — your content is already on your device in an accessible format. You may request export of any additional personal data we hold (analytics records, payment records, license data). We will provide this within 30 days of your request.

Additional Rights for EEA/UK Residents (GDPR)

• Right of access — request a copy of personal data we hold about you.
• Right to rectification — request correction of inaccurate personal data.
• Right to erasure ("right to be forgotten") — request deletion of your personal data.
• Right to restrict processing — request that we limit how we use your data.
• Right to object — object to processing based on legitimate interest.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Right to lodge a complaint — you have the right to file a complaint with your local data protection authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

California Residents (CCPA)

California residents have the right to know what personal information is collected, request its deletion, and opt out of its sale. We do not sell personal information. To submit a request, email [email protected].

11. Children's Privacy

localWiki is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Security

We implement industry-standard security measures to protect the limited personal data we handle. However, no system is 100% secure. We encourage you to protect your Master Password and keep your device secure.

For your local data, security is provided by:

• AES-256 encryption at rest via Argon2id-derived keys
• End-to-end encryption for all sync traffic
• Zero-knowledge architecture (we never see your keys)

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you via the application or email. Continued use of localWiki after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights:

• Email: [email protected]
• General inquiries: [email protected]