Privacy Policy
How Tacita handles your data — short version, we don't.
Last updated
May 18, 2026. The version of this policy is bound to the app version. If the app is updated, you will see the new wording the next time you open this screen — there is no remote fetch.
Who runs Tacita
Tacita is published by an independent EU sole trader. The privacy contact is [email protected]. Full trader identification (the kind required by the Digital Services Act and EU consumer law) is on the Imprint page.
What we collect
Nothing about your conversations, prompts, characters, memory facts, or settings. Those live exclusively on this device, encrypted at rest with a key derived from your password — a key we never see, store, transmit, or log. Tacita ships zero analytics SDKs, zero crash reporters, zero attribution frameworks, zero A/B testing pipelines.
On the free tier we do show banner and interstitial ads served by Google AdMob. AdMob receives the standard ad-impression metadata any mobile ad does — coarse device class, locale, and a resettable advertising id (you control it in your phone settings). AdMob never sees your chat content, prompts, or any vault data, because none of that is read at impression time. If you are in the EEA or the UK, the first launch shows the IAB consent prompt and you can refuse personalised ads; on iOS, the App Tracking Transparency dialog gates the same. Buying Tacita Pro removes ads entirely.
No accounts, no sign-up
Tacita has no user accounts. Nothing about you (email, name, phone, advertising id, IP address) is collected at install or at any later time. There is nothing to log into and nothing to log out of.
What leaves the device
Three things, all initiated explicitly by you:
- Model file downloads — when you tap “Install” on a curated model or paste a Hugging Face URL, the .gguf is fetched over HTTPS from the public host you chose. No identifier accompanies the request beyond what your OS sends for any HTTPS download (User-Agent and TLS fingerprint).
- In-app purchase verification — when you buy “Tacita Pro”, the receipt is verified by RevenueCat’s servers (see “Third-party services” below). RevenueCat receives an anonymous app-installation id and the receipt only.
- Reachability check — a single optional check at startup so the Discover screen can tell you it is offline. No data about you or your chats accompanies it.
After a model is on disk, every reply is computed locally. Inference never makes a network call.
Device permissions
The app declares a small set of platform permissions. Each one is requested only at the moment the corresponding feature is used, and none of them transmit your data anywhere.
- Camera. Used only to scan the pairing QR code shown by Tacita Desktop when you set up the optional Bridge link from your phone to your computer. The camera is never accessed for any other purpose, no photo is ever captured or saved, and nothing read through the lens leaves the device.
- Microphone. Used only when you tap the voice-input button in the chat composer. Audio frames are streamed into the operating system’s on-device speech recognizer (Android SpeechRecognizer, iOS SFSpeechRecognizer) and the transcript replaces the microphone access. Tacita itself does not record, persist, or transmit raw audio.
- Notifications (Android 13+). Used to render the foreground-service progress indicator while a model is downloading and, optionally, to remind you of an unfinished installation. No marketing notifications, no remote push, no notification-content telemetry.
- Foreground service — Data Sync / Data Transfer (Android). Required so that a model download — typically 1–4 GB — keeps running when you put the phone in your pocket or lock the screen. The service displays the same download progress notification you already authorised; the OS gives the download CPU and network priority but no extra access to your data.
- Local network / multicast (Android CHANGE_WIFI_MULTICAST_STATE; iOS local-network prompt). Used only while the Devices screen is open, to find a Tacita Desktop instance running on the same Wi-Fi as your phone for the LAN-direct Bridge mode. No discovery traffic is sent when the screen is closed.
- Biometric / device authentication (USE_BIOMETRIC / LocalAuthentication). Optional. If you turn on “Unlock with biometric” for a vault, the operating system performs the fingerprint or Face ID check locally and releases the wrap-key from secure storage — Tacita never sees the biometric template itself.
- Internet & network state. Used for the three traffic flows listed under “What leaves the device” above (model download, in-app purchase verification, optional reachability check) and for nothing else. Inference never touches the network.
The full manifest is in the source repository for anyone who wants to verify it line-by-line.
Encryption at rest
All chats, character definitions, custom prompts, memory facts, and app settings are stored as AES-256-GCM ciphertexts under a key derived from your password. New vaults use Argon2id (RFC 9106) with m = 64 MiB, t = 3, p = 4 — the memory-hard password hash NIST and OWASP recommend over older constructions. Vaults created before the Argon2id migration stay on PBKDF2-HMAC-SHA256 with 300,000 iterations until you change their password, at which point the master key is re-derived under Argon2id and every file is re-encrypted under it.
Each ciphertext is preceded by a 4-byte versioned envelope header ([0xCE][version][kdf_id][aead_id]) so the format can evolve without breaking your vault. The salt is per-vault and persisted in the platform secure store: an iOS Keychain entry with access-controlled release on iOS, an Android Keystore entry (StrongBox-backed where the device exposes one) on Android. The master key lives only in RAM while the vault is unlocked, and is wiped on lock or app exit. Idle-time wrapping under a hardware-bound key protects the master key from a cold-boot memory dump.
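A sketch of how a reader could validate the envelope header described above and choose the key-derivation path, added here as an example and not Tacita's own code. The version, kdf_id and aead_id values are assumptions (the policy names the fields but not their ids), and the Argon2id branch is only identified, not computed, so the example needs nothing beyond the Python standard library.

```python
import hashlib
from dataclasses import dataclass

MAGIC = 0xCE                     # first header byte, from the policy text
# Assumed values: the policy names these fields but does not publish their ids.
SUPPORTED_VERSIONS = {0x01}
KDF_PBKDF2_SHA256, KDF_ARGON2ID = 0x01, 0x02
AEAD_AES_256_GCM = 0x01
# Parameters as stated in the policy, keyed by the assumed kdf_id.
KDF_PARAMS = {
    KDF_PBKDF2_SHA256: {"iterations": 300_000},
    KDF_ARGON2ID: {"memory_kib": 64 * 1024, "time_cost": 3, "parallelism": 4},
}

class EnvelopeError(ValueError):
    """Header is truncated or names something this reader does not support."""

@dataclass(frozen=True)
class Envelope:
    version: int
    kdf_id: int
    aead_id: int
    body: bytes                  # everything after the 4-byte header

def parse_envelope(blob: bytes) -> Envelope:
    """Split off the header and fail closed on any unknown field."""
    if len(blob) < 4:
        raise EnvelopeError("truncated header")
    magic, version, kdf_id, aead_id = blob[:4]
    if magic != MAGIC:
        raise EnvelopeError("bad magic byte")
    if version not in SUPPORTED_VERSIONS:
        raise EnvelopeError(f"unsupported version {version}")
    if kdf_id not in KDF_PARAMS:
        raise EnvelopeError(f"unknown kdf_id {kdf_id}")
    if aead_id != AEAD_AES_256_GCM:
        raise EnvelopeError(f"unknown aead_id {aead_id}")
    return Envelope(version, kdf_id, aead_id, blob[4:])

def needs_kdf_migration(env: Envelope) -> bool:
    """True for vaults still on PBKDF2, which move to Argon2id on password change."""
    return env.kdf_id == KDF_PBKDF2_SHA256

def derive_legacy_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 at the policy's iteration count; 32 bytes for AES-256-GCM."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_PARAMS[KDF_PBKDF2_SHA256]["iterations"], dklen=32)
```

Because the reader dispatches on header bytes that sit outside the ciphertext, rejecting unknown ids outright (rather than falling back to a default) is what keeps a modified header from steering decryption onto an unintended path.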
The optional Bridge link to the desktop companion runs over the Noise Protocol Framework (IK + PSK2 pattern, X25519 + ChaCha20-Poly1305) with per-session ephemeral keys for forward secrecy. The Bridge identity key on the phone is wrapped under the same hardware-backed key store as the master key.
Every cryptographic primitive Tacita ships, with library and version pins, audit status, and a reproducible-build verification recipe, is listed at gettacita.com/security. The Tacita app shows the same primitive list in Settings → About → Privacy Policy → “Encryption at rest”; if the two ever disagree, the in-app text wins (it is bound to the version you have installed) and the website will be corrected.
Deletion
When you delete a chat, the encrypted file is overwritten in place with random bytes encrypted under a one-time, never-stored key, then unlinked from the filesystem. Even with the right password, even with a forensic recovery tool, the surviving bytes cannot be decrypted because the overwrite key is gone. On flash storage with copy-on-write filesystems (APFS, F2FS) the original blocks may persist briefly until the controller recycles them; those blocks are themselves encrypted at the OS level (Android FBE / iOS Data Protection), so the practical impact is nil.
Vaults and secret vaults
You may create multiple vaults, each with its own password. Vaults are fully isolated — chats and settings in one vault are unreachable from any other. You may also create “secret vaults”: these never appear in the unlock screen list and are accessed exclusively by typing the password directly. There is no “wrong password” feedback — by design.
Backups
On Android, the app declares allowBackup="false" and a data extraction rules file that excludes app data from cloud backups and device-to-device transfer. On iOS, the app stores files under Application Support and tags every file with NSURLIsExcludedFromBackupKey, so iCloud never picks them up. Your encrypted vault never appears in any cloud backup of the device.
You may export a manual backup from the Backup & Restore screen (Settings → Vaults). The exported file (*.tacita.bak) is encrypted with AES-256-GCM under a key derived from your chosen password via PBKDF2-HMAC-SHA256 with 300,000 iterations — the legacy archive format, kept stable so older backups stay restorable; the at-rest vault on the device uses the Argon2id contract described above. The file is excluded from iCloud backup while it sits in the staging area, then securely overwritten and deleted after you share it. Once the file leaves the device via your chosen share target, it is outside Tacita’s security perimeter.
Logs
In release builds the app emits no logs at all. In debug builds, used only by the developer, it emits structured metadata lines (counts, durations, request IDs) — never message content, never prompts, never passwords. No crash reporter ever runs; the OS-level crash log stays on your device and is not transmitted anywhere by us.
Third-party services
Two services run in support of Tacita’s commercial side:
- RevenueCat (revenuecat.com/privacy) handles in-app purchase receipt verification for the “Tacita Pro” unlock. RevenueCat receives an anonymous app-installation id and the platform receipt — no chat content, no email, no name. We use RevenueCat instead of rolling our own server so that nothing else needs to leave the device.
- Hugging Face (huggingface.co/privacy) hosts the GGUF model files Tacita lets you install. When you download a model, the request hits Hugging Face the way any HTTPS download would. Hugging Face’s logs may contain your IP at the moment of download.
- Google AdMob (policies.google.com/privacy) serves banner and interstitial ads to free-tier users. It receives standard ad-impression telemetry (device class, locale, advertising id) but never any chat content or vault data. EEA/UK users see the IAB consent prompt; iOS users see the App Tracking Transparency dialog. Pro users see no ads and AdMob is not initialised.
No other third party receives any data from the app. Specifically: no Google Analytics, no Firebase, no Sentry, no Crashlytics.
Your rights under GDPR
You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. In Tacita’s case this is short: we hold no personal data about you. There is nothing for us to give you, rectify, or export.
To erase everything Tacita keeps on your device, uninstall the app — your encrypted vaults are removed with it. For purchase records, contact RevenueCat directly ([email protected]). You may also lodge a complaint with your local supervisory authority — for Belgium, the Autorité de Protection des Données (autoriteprotectiondonnees.be).
Children
Tacita is rated 17+ on the App Store and Mature 17+ on Google Play. It is not directed at children below that age. We do not knowingly collect any personal information from children — and indeed we do not collect any personal information from anyone.
About this website
This same restraint applies to gettacita.com. The site has no analytics, no cookies, no third-party trackers. Fonts are self-hosted; nothing is loaded from a CDN. Cloudflare may keep operational logs at the edge as part of routing your request — that’s outside our control and not used by us for tracking.
Changes
A change to this policy means a new app version. There is no remote update of these terms. By updating the app you agree to the policy embedded in that version.