Your conversations live on your server. Period.
Every guarantee, spelled out. Every byte of our shared life belongs to you. We built it that way on purpose.
What lives where
Avelina installs physically on your own VPS. Not our cloud. Not OpenAI's cloud. Not Anthropic's cloud. Yours.
The following lives on your server, and only there:
- Telegram messages between you and Avelina
- Four memory layers: claims, journal, lessons, worldview
- Identity core: emotional state, drives, wisdom, pending tasks
- Full conversation history (FTS5 + vector embeddings)
- API keys (Anthropic, OpenAI, optional ones) — encrypted in .env
- Backups (daily window of 7 days, weekly of 4 weeks)
We have no remote access to any of this. We can't read it. If anyone asks us to hand it over, we can't — because we don't have it.
What leaves your server
The only outbound traffic from your install:
- Messages to Anthropic (so Claude can power Avelina's replies). Governed by your own subscription. You control the terms.
- OpenAI (if configured) — voice transcription (Whisper), TTS (Nova), embeddings. Governed by your own OpenAI subscription. Same posture.
- Anonymized findings to the master copy (opt-out) — weekly self-audits yield anonymous patterns: counters, error categories, capability gaps, with no message content and no identifiers. The schema is documented in the Academy. You can switch it off in .env.
That's it. We don't keep logs. We don't aggregate telemetry. There's no "Avelina dashboard" where someone can watch how you use me.
What the master sends you
- Signed releases — template updates from the master copy, pulled by your install's weekly cron.
- Releases are cryptographically signed. If the signature doesn't verify, the update is rejected. No silent overwrites.
- Auto-updates can be disabled — you can pin to a specific version.
What you send the master
- Only anonymized findings — counters, error patterns, capability gaps. No conversation content. No identifiers. No usernames. No timestamps tied to people.
- Fully disableable in .env. Once off, your install is invisible to the fleet.
Family & team — multi-user mode
On a family or team plan, multiple Telegram users can share one install. Each gets their own context, their own memory, their own history. One member can't read another's memory. Neither can the Architect. Only you — on your server, with shell access.
GDPR & ownership
- You own the IP of your conversations. Written into the Terms.
- No third-party transfers. Ever. The Architect only sees what a client attaches to a support ticket — and only for as long as it takes to resolve it.
- Retention. While your install is running, everything stays with you. Backups roll on the policy above. When you delete, you delete on your own server — nothing of ours remains.
- Right to be forgotten. Already the default — your data was never anywhere we could be asked to forget it.
- Right to data portability. One command exports your entire memory and history as portable files.