
Privacy & Data

Your assistant's data lives wherever your assistant is hosted. For self-hosted installations, that means everything stays on your machine. If you're running in our managed cloud (coming soon) or in your own cloud infrastructure, your data stays within that environment.

Regardless of hosting option, your assistant thinks through an AI model in the cloud. Here's exactly what that means.

What lives in your assistant's workspace

All of the following data stays within your assistant's environment and never leaves it — except where noted. For self-hosted installations, this means it stays on your machine.

Never leaves your assistant (except where noted)

  • Credentials (API keys, OAuth tokens): ~/.vellum/protected/. Isolated in a separate process; never exposed to the assistant or AI model.
  • Trust rules & permissions: ~/.vellum/protected/trust.json
  • Custom skills: ~/.vellum/workspace/skills/
  • Configuration: ~/.vellum/workspace/config.json. Included in AI model calls when relevant.
  • Workspace files (SOUL.md, USER.md, IDENTITY.md): ~/.vellum/workspace/. Leaves only as context in AI model calls.
  • Memories (facts, preferences, decisions): ~/.vellum/workspace/data/. Leaves only when relevant to a conversation.
  • Conversation history: ~/.vellum/workspace/data/db/. Leaves only as context in AI model calls.

What leaves your assistant

Your messages and context go to the AI model provider.

Every time you send a message, your assistant assembles a context bundle:

  • Your message
  • The current conversation history (or a summary of it, if it's long)
  • Workspace files (SOUL.md, USER.md, IDENTITY.md)
  • Relevant memories retrieved from the memory system
  • Skill instructions (if a skill is loaded)
  • Tool results from the current conversation

This bundle is sent to the AI model provider (Anthropic) to generate a response. That's how your assistant thinks — the AI model runs in the cloud.

What this means practically: If you tell your assistant “I'm working on a secret project called Nightfall,” that information may be saved as a local memory and included in future AI model calls when it's relevant. The AI provider processes it to generate a response but does not use it to train models (per their API terms). Still, it does leave your assistant's environment temporarily. We want you to know that.

API calls to connected services.

When your assistant checks your calendar, sends an email, or browses a web page, it makes API calls to those services. The data in those calls is whatever's needed for the action. These are standard API calls — the same ones any app would make.

Optional telemetry.

If you opt in (Settings > Privacy), Vellum collects:

  • Usage analytics — anonymized data like token counts and feature adoption. No message content, no personal data.
  • Crash diagnostics — error reports via Sentry to help us fix bugs. No message content, no personal data.

Both are off by default. You can toggle them independently. If you leave them off, nothing is sent.

How credentials are protected

The credential system is designed with the assumption that the AI is compromised and acting maliciously. We literally don't want the assistant to be able to access your credentials — it can say what it wants to do with them, and you can approve that, but it never gets the actual values.

Credentials are stored in the macOS Keychain (or an AES-256-GCM encrypted file on Linux), inside a protected directory with restricted file permissions. When you need to enter a credential, a dedicated popup UI appears — you submit it there, not in the chat. This ensures the credential is captured and stored directly without ever passing through the assistant or the AI model.

All credential-bearing operations run through a Credential Execution Service (CES) — a separate process that handles authentication in isolation. The assistant says “make this API call with my Gmail credentials,” and the CES executes it deterministically, with no AI involved, without exposing the credential to the assistant's context or the AI model.

This is a hard process boundary, not just a software abstraction. The CES has its own grant system, audit log, and cleanup rules for temporary credential materializations.
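The process boundary described above, as an added illustration in Python (this is example code written for this page, not Vellum's CES). It assumes a broker process that loads credentials only in its own memory, a grant table keyed by (service, action), and a stand-in `fake_gmail_api` in place of the real HTTP call; the token value and the grant table are constructed. The assistant side sends a request by name and gets back only the result and, on shutdown, the audit log. The example uses the `fork` start method, so it runs on Linux and macOS as written.

```python
import json
import multiprocessing as mp

# Constructed stand-in for the grant system: (service, action) pairs the guardian approved.
GRANTS = {("gmail", "list_labels")}


def load_protected_credentials():
    """Runs only inside the CES process. Stands in for reading the keychain / encrypted file."""
    return {"gmail": "ya29.CONSTRUCTED-SAMPLE-TOKEN"}   # constructed value, not a real token


def fake_gmail_api(action, bearer_token):
    """Stand-in for the outbound HTTP call; rejects a malformed token as the service would."""
    if not bearer_token.startswith("ya29."):
        return {"error": "unauthorized"}
    if action == "list_labels":
        return {"labels": ["INBOX", "Projects"]}
    return {"error": "unknown action"}


def ces_main(conn):
    """CES process body: serves requests that name a credential, returns only the result."""
    credentials = load_protected_credentials()    # materialised here, in this process only
    audit = []
    while True:
        request = conn.recv()
        if request is None:                        # shutdown: hand back the audit log
            conn.send(audit)
            break
        service, action = request["service"], request["action"]
        if (service, action) not in GRANTS:
            reply = {"ok": False, "error": "no grant for %s.%s" % (service, action)}
        elif service not in credentials:
            reply = {"ok": False, "error": "no credential stored for %s" % service}
        else:
            reply = {"ok": True, "result": fake_gmail_api(action, credentials[service])}
        audit.append({"service": service, "action": action, "ok": reply["ok"]})
        conn.send(reply)
    credentials.clear()                            # cleanup of the materialised values
    conn.close()


class CesClient:
    """Assistant-side handle. It only ever sends names and receives results."""

    def __init__(self):
        ctx = mp.get_context("fork")               # assumption: POSIX host (Linux/macOS)
        self._conn, child_conn = ctx.Pipe()
        self._proc = ctx.Process(target=ces_main, args=(child_conn,))
        self._proc.start()
        child_conn.close()                         # parent keeps only its own end

    def call(self, service, action):
        self._conn.send({"service": service, "action": action})
        return self._conn.recv()

    def shutdown(self):
        self._conn.send(None)
        audit = self._conn.recv()
        self._proc.join()
        return audit


def run_demo():
    """Drive one session and return everything the assistant side could observe."""
    client = CesClient()
    granted = client.call("gmail", "list_labels")
    denied = client.call("gmail", "send_mail")     # no grant for this action
    audit = client.shutdown()
    visible = json.dumps([granted, denied, audit])  # all bytes that crossed the boundary
    return {"granted": granted, "denied": denied, "audit": audit, "visible": visible}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The check worth keeping from this is the last line of `run_demo`: serialise everything the assistant process received and confirm the credential string never appears in it. A real broker would additionally enforce that the protected directory is unreadable to the assistant's user or process, which is what makes the boundary hard rather than conventional.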

How secrets are caught

If you accidentally type a credential into the chat instead of using the secure popup, Vellum detects it and blocks it from reaching the AI model. This is the second layer of protection — the popup ensures credentials are captured securely, and the scanner catches anything that slips through.

Beyond chat input, secrets can end up in unexpected places — returned in a tool result or embedded in a file. Vellum runs a secret scanner that:

  • Detects 30+ known secret formats (AWS keys, GitHub tokens, Stripe keys, database connection strings, private keys, JWTs, and more)
  • Uses entropy analysis to catch high-randomness strings that look like tokens
  • Scans encoded content (base64, percent-encoded, hex-escaped)
  • Filters out placeholders and test values to reduce false positives

When a secret is detected, the system can redact it, warn you, block the operation, or prompt for confirmation — depending on your configuration.
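A miniature scanner of the kind described in this section and the one before it, as an added Python example (not Vellum's scanner). The pattern table holds four well-known formats where the page's covers 30+; the entropy threshold, placeholder markers, the decoding depth, and the sample key `AKIA2T7QH4NXBK3R9MWP` are all constructed for the example. It shows the four behaviours the list names, including why the decoding pass matters: a percent-encoded key defeats the plain regex because `%3D` removes the word boundary.

```python
import base64
import binascii
import math
import re
from urllib.parse import unquote

# Constructed pattern table (prefixes are public documentation for each format).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}\b"),
}
PLACEHOLDER_MARKERS = ("example", "placeholder", "xxxx", "your_", "changeme", "<", ">")
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")   # candidates for the entropy pass
ENTROPY_THRESHOLD = 4.0                                 # bits per character, chosen for the example
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
MAX_DECODE_DEPTH = 2

SAMPLE_KEY = "AKIA2T7QH4NXBK3R9MWP"                       # constructed, not a real key
ENCODED_SAMPLE = base64.b64encode(("token=" + SAMPLE_KEY).encode()).decode()


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value):
    low = value.lower()
    return any(marker in low for marker in PLACEHOLDER_MARKERS)


def _decoded_layers(text):
    """Yield decoded views of the text: percent-decoding, \\xNN escapes, base64 runs."""
    if "%" in text:
        yield unquote(text)
    if "\\x" in text:
        yield re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    for run in B64_RUN.findall(text):
        try:
            yield base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue


def scan(text, depth=0):
    """Return (kind, value) findings for the text and its decoded layers, in discovery order."""
    findings = []
    for kind, pattern in KNOWN_PATTERNS.items():
        for m in pattern.finditer(text):
            if not looks_like_placeholder(m.group(0)):
                findings.append((kind, m.group(0)))
    for token in ENTROPY_TOKEN.findall(text):
        if shannon_entropy(token) < ENTROPY_THRESHOLD or looks_like_placeholder(token):
            continue
        if any(token in value or value in token for _, value in findings):
            continue                      # already covered by a known-format match
        findings.append(("high_entropy", token))
    if depth < MAX_DECODE_DEPTH:
        for layer in _decoded_layers(text):
            if layer != text:
                findings.extend(scan(layer, depth + 1))
    seen, unique = set(), []
    for finding in findings:
        if finding not in seen:
            seen.add(finding)
            unique.append(finding)
    return unique


def enforce(text, policy):
    """Apply one of the page's four responses: redact, warn, block, or prompt."""
    findings = scan(text)
    if not findings:
        return {"action": "allow", "text": text, "findings": []}
    if policy == "redact":
        redacted = text
        for kind, value in findings:
            redacted = redacted.replace(value, "[REDACTED:%s]" % kind)
        return {"action": "redact", "text": redacted, "findings": findings}
    if policy in ("block", "prompt"):
        return {"action": policy, "text": None, "findings": findings}
    return {"action": "warn", "text": text, "findings": findings}
```

Two design points carry over to any real scanner: the placeholder filter runs on every candidate, including the AWS documentation key `AKIAIOSFODNN7EXAMPLE`, so it is not flagged; and the entropy pass yields to a known-format match on the same span so one secret is not reported twice.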

Who can access your data

Not everyone who messages your assistant gets the same access.

  • You (the guardian) — full access to memories, workspace files, tools, and credentials
  • Trusted contacts — verified people who can message your assistant through channels like Telegram or Slack. They can chat but can't access your memories, modify your workspace, or use sensitive tools without your approval
  • Unknown actors — unverified people. Heavily restricted — no memory access, no file operations, no credential use

Trusted contacts and unknown actors have heavily restricted access compared to you. Sensitive actions from trusted contacts require your explicit approval through guardian-in-the-loop notifications.

Private conversations

You can start a private conversation that gets its own isolated memory scope. Memories from a private conversation can't surface in other conversations. The private conversation can still access your shared memory pool, but nothing flows back out.

Use this for sensitive topics where you want the assistant to have context during the conversation but don't want those details persisting into your general memory.

Computer use safety

When your assistant controls your screen, additional safety measures kick in:

  • Step limits — a maximum of 50 actions per session, preventing runaway automation
  • Loop detection — if the screen doesn't change after repeated actions, the assistant pauses and asks for guidance
  • Sensitive data detection — the secret scanner runs on screen observations, blocking actions that would expose credentials
  • Destructive action blocking — dangerous keyboard shortcuts and system-level actions are restricted

You see an overlay showing what the assistant is doing at each step, and you can stop it at any time.
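The four measures above, as an added Python sketch of a per-session guard (example code for this page, not Vellum's implementation). The 50-step limit is the page's number; the loop window of three identical observations, the blocked-shortcut list, and the action dictionary shape are assumptions. The secret check is injected as a callable so the guard can be paired with whatever scanner the host runs on screen observations.

```python
import hashlib

MAX_STEPS = 50                       # from the page
LOOP_WINDOW = 3                      # identical observations in a row before pausing (assumed)
BLOCKED_SHORTCUTS = {"cmd+q", "cmd+shift+q", "cmd+option+esc", "ctrl+alt+delete"}  # constructed


class SessionGuard:
    """Step limit, loop detection, destructive-action block, and secret check for one session."""

    def __init__(self, max_steps=MAX_STEPS, loop_window=LOOP_WINDOW, secret_scan=None):
        self.max_steps = max_steps
        self.loop_window = loop_window
        # Injectable scanner: callable(text) -> list of findings. Default finds nothing.
        self.secret_scan = secret_scan or (lambda text: [])
        self.steps = 0
        self.recent = []             # digests of the last loop_window observations

    def check_action(self, action):
        """Call before executing an action. Returns 'ok', 'block:destructive' or 'stop:step_limit'."""
        self.steps += 1              # every attempt counts, blocked or not
        if self.steps > self.max_steps:
            return "stop:step_limit"
        if action.get("type") == "key" and action.get("keys", "").lower() in BLOCKED_SHORTCUTS:
            return "block:destructive"
        if action.get("type") == "system":      # shutdown / restart style requests
            return "block:destructive"
        return "ok"

    def observe(self, screen):
        """Call with each new screen observation (screenshot bytes or OCR text)."""
        if isinstance(screen, str) and self.secret_scan(screen):
            return "block:sensitive"           # never act on a screen showing a credential
        data = screen if isinstance(screen, bytes) else screen.encode("utf-8")
        self.recent.append(hashlib.sha256(data).hexdigest())
        self.recent = self.recent[-self.loop_window:]
        if len(self.recent) == self.loop_window and len(set(self.recent)) == 1:
            self.recent.clear()                # fresh window after the guardian responds
            return "pause:loop"
        return "ok"
```

Hashing the observation rather than diffing it keeps the loop check cheap; the trade-off is that a screen with a blinking cursor or clock never hashes equal, so a production version would compare a normalised or down-sampled capture instead.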

The permission system

Every tool your assistant uses has a risk level:

  • Low risk (reading workspace files, web searches) — runs automatically
  • Medium risk (writing files, making API calls) — prompts you for approval
  • High risk (destructive operations, sensitive access) — requires explicit approval with no cached grants

When you approve an action, you choose the scope: one-time, 10 minutes, this conversation, always, or never. These rules accumulate in your trust configuration, so the assistant learns your boundaries over time without you having to re-approve the same actions.
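The risk levels and grant scopes above, as an added Python evaluator (example code for this page, not Vellum's permission system). The tool names in the risk table, the rule shape, and the JSON layout are assumptions standing in for whatever trust.json actually holds; the three risk levels, the five scopes, and the rule that high-risk tools never get a cached grant come from the text. A "never" rule is checked before anything else, so a denial the guardian recorded wins even for a low-risk tool; that ordering is a choice made here.

```python
import json
import time

# Constructed risk table; the page names the three levels, the tool names are assumptions.
TOOL_RISK = {
    "read_workspace_file": "low",
    "web_search": "low",
    "write_file": "medium",
    "api_call": "medium",
    "delete_files": "high",
}
CACHEABLE_SCOPES = ("10 minutes", "this conversation", "always", "never")
TEN_MINUTES = 600


class TrustRules:
    """Accumulates guardian decisions and answers allow / prompt / deny for a tool call."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.rules = []             # one dict per cached decision

    def record_decision(self, tool, scope, conversation_id=None):
        """Store the guardian's choice. 'one-time' caches nothing; high risk may only cache 'never'."""
        if scope == "one-time":
            return
        if scope not in CACHEABLE_SCOPES:
            raise ValueError("unknown scope: %s" % scope)
        if TOOL_RISK[tool] == "high" and scope != "never":
            raise ValueError("high-risk tools accept no cached grants")
        rule = {"tool": tool, "scope": scope, "conversation": None, "expires": None}
        if scope == "10 minutes":
            rule["expires"] = self.clock() + TEN_MINUTES
        if scope == "this conversation":
            rule["conversation"] = conversation_id
        self.rules.append(rule)

    def _live_rules(self, tool):
        """Drop expired rules, then return the ones for this tool."""
        now = self.clock()
        self.rules = [r for r in self.rules if r["expires"] is None or r["expires"] > now]
        return [r for r in self.rules if r["tool"] == tool]

    def decide(self, tool, conversation_id=None):
        rules = self._live_rules(tool)
        if any(r["scope"] == "never" for r in rules):
            return "deny"
        risk = TOOL_RISK[tool]
        if risk == "low":
            return "allow"
        if risk == "high":
            return "prompt"          # explicit approval every time, nothing cached
        for r in rules:
            if r["scope"] in ("always", "10 minutes"):
                return "allow"
            if (r["scope"] == "this conversation" and conversation_id is not None
                    and r["conversation"] == conversation_id):
                return "allow"
        return "prompt"

    def to_json(self):
        return json.dumps({"rules": self.rules}, indent=2)

    @classmethod
    def from_json(cls, text, clock=time.time):
        obj = cls(clock=clock)
        obj.rules = json.loads(text)["rules"]
        return obj
```

Expiry is evaluated on every decision rather than by a background timer, so a 10-minute grant persisted to disk and reloaded later is still honoured only within its window.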

The AI model provider

Your messages are processed by Anthropic's Claude. Anthropic's API terms state that data sent through the API is not used for model training. Prompts and responses are processed to generate outputs and are subject to Anthropic's data retention policies.

Read Anthropic's Privacy Policy for full details. We chose Anthropic for their approach to safety and data handling, but we also believe you should verify their policies yourself.

Your options for sensitive information

If you have information you don't want sent to an AI model:

  1. Don't tell your assistant. If it's not in the conversation, it's not sent to the model.
  2. Use a private conversation. Memories stay isolated and won't resurface in other contexts.
  3. Ask it to forget. “Forget what I told you about [topic].” This removes it from memory.
  4. Edit your workspace files. Remove anything from USER.md or SOUL.md that you don't want in the context window.
  5. Review your trust rules. Check ~/.vellum/protected/trust.json to see what you've auto-approved.

Hosting options

Currently, Vellum runs as a self-hosted installation on your machine. Your assistant is a process on your computer, and all data lives locally.

Additional hosting options are coming soon:

  • Platform Managed — your assistant runs in Vellum's cloud. You interact through the desktop app, but the assistant itself is hosted by us. Lower friction, same security model.
  • Self-Hosted Cloud — your assistant runs in your own GCP or AWS infrastructure. You manage the environment; we provide the software.

Regardless of where your assistant is hosted, the same permission system, trust rules, credential isolation, and channel security apply. Your assistant's data stays within its hosting environment and is never aggregated centrally.