Policy Draft
AI Provider Data Flow Draft
Rendered from the repo policy source as a real command-center page. Draft for review, not legal advice.
NyrA AI Provider Data Flow Draft
Status: Draft for attorney review
Last updated: 2026-05-31
Scope: NyrA Swarm Little Buddy desktop app only
This draft is not legal advice. It is a provider-data handoff for the privacy policy, legal review packet, support playbook, and command-center launch gates. Provider policies change, so this file must be refreshed before public policy publication, app-store submission, or live paid checkout.
Purpose
NyrA can only feel useful if it can hear, read, reason, see selected screen or camera context, and route tasks to AI providers. That also means customer content can leave the local device when third-party AI processing is enabled. This document defines what may be sent, what must never be sent, what provider controls are required, and what still blocks paid launch.
Data NyrA May Send To AI Providers
Only send the minimum context needed for the requested task:
| Data category | Examples | Default launch rule |
|---|---|---|
| Chat and command text | User prompt, task request, recent conversation context | Allowed only after third-party AI consent is enabled |
| Voice transcript | Transcribed command or conversation text | Prefer transcript over raw audio when audio is not needed |
| Realtime voice audio | Live voice stream for low-latency conversation | Allowed only when microphone/live voice consent is enabled |
| Screen context | Screenshot, OCR text, visible app/window description | Allowed only when screen-look consent is enabled |
| Camera context | Camera frame or generated description | Allowed only when camera-look consent is enabled |
| Local memory/context | Saved preferences, project context, prior notes | Allowed only when memory/passive-context consent is enabled and relevant |
| Tool/action results | File list excerpt, command result, browser page summary, click result | Allowed only after tool-specific permission and redaction |
Data NyrA Must Not Send By Default
NyrA should block or redact these items unless a future legally reviewed, explicit, task-specific permission flow is added:
- Raw API keys, Stripe secrets, webhook signing secrets, recovery codes, passwords, private keys, SSH keys, seed phrases, or session cookies.
- Full credit card numbers, CVV codes, bank account numbers, government ID numbers, full EIN/SSN values, or tax IDs.
- Broad filesystem dumps, whole mailboxes, whole browser histories, or unnecessary personal files.
- Background microphone, camera, or screen data unrelated to a user-requested task.
- Biometric voiceprint enrollment or identity-authentication data. Current NyrA language must stay limited to voice input, transcription, and context.
- Customer support uploads unless the user intentionally attaches the file or confirms diagnostics export.
Provider Flow Matrix
| Provider | Planned NyrA use | Content that may be sent | Current official data posture checked 2026-05-31 | NyrA launch control |
|---|---|---|---|---|
| OpenAI | Primary chat, voice, transcription, text-to-speech, vision, realtime, and possible computer-use reasoning | Prompts, responses, audio, transcripts, screenshots/camera frames, tool context | OpenAI states API data is not used to train by default unless the customer opts in. Abuse monitoring logs are generally retained up to 30 days. Responses and other endpoints can have endpoint-specific application-state behavior, so NyrA must explicitly use store:false and avoid stateful provider features unless documented. |
Keep store:false on Responses calls, keep NYRA_CONSENT_REQUIRED, document endpoint choices, and review any feature that stores files, conversations, threads, or background responses |
| Anthropic | Optional Claude/swarm reasoning route | Prompts, responses, selected task context, optional screen text summaries if enabled | Anthropic says commercial API inputs and outputs are automatically deleted within 30 days by default, except longer-retention services under customer control, usage-policy enforcement, legal requirements, or a separate zero-data-retention agreement. Anthropic also states commercial customer data is not used for model training unless the customer opts into the Development Partner Program. | Do not enable by default until provider key, consent text, usage cap, and privacy copy are confirmed |
| Google Gemini | Optional Gemini/swarm reasoning route | Prompts, responses, selected task context, possible image/screen inputs if enabled | Google Gemini API docs state logs for billing-enabled projects expire after 55 days by default, prompts and responses in logs are not used for product improvement by default, and dataset/feedback sharing is opt-in. Shared datasets may be used for product/model improvement and should not include sensitive or confidential information. | Keep logging/data sharing off unless intentionally enabled by the account owner; do not route sensitive data to shared datasets |
| xAI/Grok | Optional Grok/swarm reasoning route | Prompts, responses, selected task context, possible tool summaries | xAI API security docs state xAI does not train on customer API inputs or outputs without explicit permission, stores API requests and responses temporarily for 30 days for abuse/misuse audit, and offers enterprise Zero Data Retention with response-header confirmation. | Do not enable by default until provider key, consent text, usage cap, and privacy copy are confirmed; record whether ZDR is active if enterprise account is later used |
App Controls Required Before Paid Beta
- First-run and Settings consent must clearly separate microphone, camera, screen, third-party AI, local memory, passive context logs, and computer control.
- Provider calls must fail closed with
NYRA_CONSENT_REQUIREDwhen third-party AI consent is off. - High-impact actions must continue to require
NYRA_HIGH_IMPACT_APPROVAL_REQUIRED. - Paid-provider features must continue to require an active license or return
NYRA_PRO_REQUIRED. - Support diagnostics must redact provider keys, billing secrets, tokens, and personal identifiers.
- Command-center uploads must stay behind the private dashboard/cloud access model and must not accept raw secrets.
- The privacy policy, support playbook, launch site, and checkout pages must link to the public provider-data explanation before live payments.
BYOK And Hosted-AI Policy
BYOK is planned later, not for first paid launch. Until BYOK exists:
- NyrA is responsible for hosted provider costs and must enforce the hosted AI cap chosen in the dashboard.
- Customers must be told that selected content may be processed by third-party AI providers when they enable those features.
- Provider keys must live in a secret store or cloud secret manager, not repo files, command-center uploads, or desktop renderer state.
- If BYOK is later added, the app needs a separate key-storage policy, customer-facing warning, key testing flow, revocation flow, and support boundary.
Dashboard Handoffs
Track these in the command center before live launch:
| Handoff | Owner | Where it belongs |
|---|---|---|
| Final provider list for paid beta | User + Codex | Launch Setup / Policies |
| Hosted AI cap | User | Pricing Model / Launch Setup |
| Provider account and secret-store readiness | User | Handoffs / Cloud |
| Public privacy and provider data URLs | User + Codex | Policies / Launch Site |
| Attorney-reviewed provider/subprocessor language | User | Policies / Legal Review Packet |
| Data-retention refresh date | Codex | Daily Agents / Team Updates |
Open Launch Blockers
- Attorney review is required before provider/subprocessor language is published.
- Public policy URLs and support inbox do not exist yet.
- Final provider stack and hosted AI cap are not approved.
- Cloud dashboard access, Worker URLs, D1/R2 resources, and secret storage are not live.
- Live Stripe checkout must not be exposed until provider-data wording matches actual app behavior.
Source References
- OpenAI Data Controls: https://platform.openai.com/docs/guides/your-data
- Anthropic Organization Data Retention: https://privacy.claude.com/en/articles/7996866-how-long-do-you-store-my-organization-s-data
- Anthropic Processor/Controller FAQ: https://support.claude.com/en/articles/9267385-does-anthropic-act-as-a-data-processor-or-controller
- Google Gemini API Data Logging and Sharing: https://ai.google.dev/gemini-api/docs/logs-policy
- xAI API Security FAQ: https://docs.x.ai/developers/faq/security