eri
Try eri free

Privacy

Privacy policy.

Plain-English version of how eri handles data. The legal version is here too — we just refuse to bury the lede.

Last updated · May 21, 2026

1. The short version

eri is a desktop app. Voice, gaze, and the editor itself run on your machine. The only data that leaves your device is the model call to the eri Engine and any third-party providers you've configured with your own keys. eri-cloud handles billing and account state — nothing else.

2. What we collect on the server

Account email, a bcrypt hash of your password, subscription state from Stripe (tier, status, renewal date), and aggregated usage counters (iterations, deploys, voice minutes). We do not store prompts, code, voice recordings, or gaze data on our servers.

3. What stays on your machine

Your microphone stream, the wakeword detector output, the gaze estimator output, every file in every open project, your shell history, and any local model weights. The eri runtime treats these as device-local by design — there is no code path that exfiltrates them.

4. Model calls

When you trigger an edit, eri sends the relevant context to a model provider. By default this is the eri Engine. If you've configured Anthropic, OpenAI, Google, or a local Llama endpoint, calls go there instead. We sign the request on your behalf for billing tiers, but the request body still travels from your machine to the provider — we never see it.

5. Cookies & analytics

The marketing site uses a single first-party cookie to remember your theme. We use PostHog for product analytics on the website — events only, no personally identifiable information. There is no advertising tracker on any eri property.

6. Sub-processors

Stripe (billing), Resend (transactional email), Supabase EU (database and auth), Sentry (opt-out crash reports), PostHog (product analytics), Vercel (web hosting). Each has a data processing agreement on file. The current list lives on the security page and is updated when it changes.

7. Children

eri is not intended for users under the age of 13. We do not knowingly collect data from children. If you believe we have, email privacy@eri.dev and we will delete the account.

8. International data transfers

Account data is stored in Supabase's Frankfurt region. When you sign in from outside the EU, your session traverses our hosting provider's edge network. Standard Contractual Clauses apply for transfers out of the EEA.

9. Your rights

You can export every piece of account data we hold by hitting the export endpoint in your dashboard. You can delete your account permanently from the same screen. If you'd rather email a human, write to privacy@eri.dev and we'll do it for you within 30 days.

10. Retention

Active account data is kept while your account is active. Billing records are retained for seven years to comply with tax law. Usage counters are aggregated weekly and the raw events are discarded after 30 days. Deleted accounts are purged within 30 days of the request.

11. Security

Passwords are bcrypt-hashed at cost factor 12. Session tokens are JWT HS256 with a 7-day expiry. All traffic uses TLS 1.3 with HSTS preloaded. BYOK API keys are encrypted at rest in your OS keychain — never on our servers.

12. Telemetry

eri ships with crash reporting enabled by default through Sentry. You can turn it off in Settings → Privacy. Diagnostic events never include the contents of files, prompts, or voice frames — just stack traces and version metadata.

13. Changes to this policy

If we make a material change, we will email every account holder at least 30 days before it takes effect. Cosmetic edits are made in place; the revision date below always reflects the latest version.

14. Contact

Privacy questions go to privacy@eri.dev. Data deletion requests go to the same address. For everything else, see the contact page.