Back to Home

Privacy Architecture

ThisChatNeverExisted makes privacy violations technically impossible through zero-backend architecture. There is no server to compromise, no database to breach, and no backend to trust.

For complete privacy documentation, see PRIVACY.md on GitHub.

Executive Summary

Privacy through impossibility means:

  • Your conversations cannot be stored (no storage APIs exist in codebase)
  • Your messages cannot be transmitted (no backend exists to receive them)
  • Your data cannot be breached (no database exists to compromise)

This isn't a privacy policy asking you to trust us. This is an architectural guarantee you can verify yourself.

What We Track

We use Plausible Analytics for anonymous usage metrics:

  • Page views: Automatic tracking on route changes
  • Anonymous events: chat_started, model_download_started, model_download_completed, burn_triggered
  • No cookies on your domain
  • No personal identifiers
  • GDPR compliant

What We NEVER Track

The following data cannot be tracked because the architecture makes it impossible:

  • ❌ Your messages (never sent to any server)
  • ❌ AI responses (generated locally, never transmitted)
  • ❌ Conversation history (lives in RAM only)
  • ❌ Personal information (no accounts, no login)
  • ❌ User identifiers or device fingerprints

How Privacy Works

Zero-Backend Architecture

  • No server-side processing of any kind
  • No databases or data storage systems
  • No API endpoints to receive data
  • Static HTML/CSS/JS hosted on Cloudflare Pages CDN

RAM-Only Storage

  • Conversations live in React component state (browser RAM)
  • No localStorage, sessionStorage, IndexedDB, or cookies
  • Memory cleared on page close, refresh, or burn ritual
  • ESLint rules enforce at build time

Local AI Processing

  • Chrome Prompt API with Gemini Nano (~22GB model)
  • All AI inference happens on your device (CPU/GPU)
  • Zero network calls during chat
  • Model downloaded once, persisted by browser

Verification Guide

For a detailed step-by-step walkthrough, verify our claims using our Verification Guide.

DevTools Network Tab Verification

  1. Open Chrome DevTools (F12 or Cmd+Option+I)
  2. Click “Network” tab
  3. Clear existing requests
  4. Start a chat conversation
  5. Send multiple messages

What you WILL see:

  • plausible.io/api/event - Anonymous events only (no conversation content)

What you WON'T see:

  • Your messages sent anywhere
  • AI responses sent anywhere
  • Any other network calls during chat

Code Audit Verification

Don't trust, verify:

# Clone repository
git clone https://github.com/aykutuysal/thischatneverexisted
cd thischatneverexisted

# Search for forbidden patterns
grep -r "localStorage" src/     # Result: None
grep -r "sessionStorage" src/   # Result: None
grep -r "indexedDB" src/        # Result: None

# Check for backend
find src/app/api                # Result: Doesn't exist

# Review dependencies
cat package.json                # No data-exfiltration libraries

ESLint Privacy Rules

Our build process enforces privacy at compile time:

  • localStorage → ESLint error: “localStorage is forbidden - use RAM-only state”
  • sessionStorage → ESLint error: “sessionStorage is forbidden - use RAM-only state”
  • indexedDB → ESLint error: “IndexedDB is forbidden - use RAM-only state”
  • document.cookie = → ESLint error: “Setting cookies is forbidden”

Build fails if storage APIs are used. No way to deploy privacy-violating code.

Open Source Transparency

Full code auditability:

  • GitHub Repository
  • MIT License (fully auditable, forkable)
  • No hidden dependencies or obfuscation
  • All code publicly reviewable

Summary

Privacy through impossibility:

  • ✅ Zero backend → No server to compromise
  • ✅ RAM-only storage → No data persistence
  • ✅ Local AI processing → No network calls during chat
  • ✅ Static site → No server-side processing
  • ✅ Open source → Full code auditability
  • ✅ ESLint enforcement → Privacy rules enforced at build time

Don't trust. Verify.