Privacy & Data
Rephlo is built to keep you in control of your data. The Privacy tab is where you decide how long history is kept, what leaves your device, and whether sensitive information is scrubbed before it ever reaches a cloud model.
Open it from Settings → Privacy.
What stays on your device
By default, the heart of Rephlo lives on your machine, not in the cloud:
- Your commands, Spaces, templates, and history are stored in a local database.
- API keys and tokens are encrypted and never leave your device or appear in exports.
- The Privacy tab shows your local data location so you always know where it lives.
What gets sent to a model depends on how you run it. With a cloud provider, your prompt (and any attached Space context) is sent to that provider to generate a response. With on-device models, nothing leaves your machine at all. The explanatory text in this tab adapts to the provider you're using — it discloses cloud processing whenever the request goes to a cloud provider (whether that's the managed service or your own BYOK keys), and confirms local-only processing only when you're using an on-device model.
History retention
Choose how long Rephlo keeps your execution history:
| Option | Effect |
|---|---|
| Forever | Keep all history until you clear it. |
| 90 Days | Auto-delete entries older than 90 days. |
| 30 Days | Auto-delete entries older than 30 days. |
| Immediate | Don't save history at all. |
Older entries are removed automatically based on your choice.
Export your data
Click Export Data to download a ZIP archive of your information for backup or portability. The export includes your commands, templates, Spaces, transaction/usage history, and (when signed in) your account profile. API keys and other encrypted secrets are deliberately excluded — the export is safe to store and share.
Clear all history
Clear All History permanently deletes every history entry. Because this can't be undone, Rephlo asks you to confirm first. It clears history only — your commands, Spaces, and providers are untouched.
Privacy routing (sensitive data)
Two toggles give you finer control over what reaches the cloud:
Force Local for Sensitive
When on, requests flagged as sensitive are handled by an on-device model so they never go to a cloud provider. Because this needs a local model to fall back to, the toggle is available only when:
- your plan allows on-device models (Pro and up), and
- you have at least one on-device model downloaded.
If your plan qualifies but no model is downloaded yet, Rephlo shows a nudge with a shortcut to the On-Device Models catalog. Turning this on pre-warms your local model so the first sensitive request isn't slow.
Scrub PII Before Cloud
When on, Rephlo removes detected personal information from a request before sending it to a cloud provider. This pairs with the redaction settings below.
On-device PII redaction
Rephlo can detect and redact personal information locally before anything is sent, using an on-device Named Entity Recognition (NER) model. This is separate from your chat models and is downloaded on demand (~1.1 GB).
To use it:
- Turn on Enable on-device redaction. If the model isn't present yet, Rephlo offers to download it, showing a progress bar you can cancel.
- Choose which categories to redact. All are on by default and can be toggled independently:
- Name
- Date of birth
- Address
- Phone
- SSN
- Credit card
- Other ID
- Optionally enable Block send if redaction is uncertain — when the detector isn't confident it caught everything, Rephlo holds the request back rather than risk leaking data.
Redaction is only fully active when the toggle is on and the model is downloaded; until then, the categories that depend on the AI model are shown as unavailable so you're never misled about what's actually being scrubbed.
Note: PII redaction is governed by a feature switch. If your build has it turned off, the redaction section is hidden and no scrubbing layer is installed.