Privacy
Xero runs on your machine. Your projects, journals, and keys stay there. This page spells out what we touch and what we don't.
Last updated · April 2026
Xero is a desktop app. Your projects, sessions, and journals stay on your machine. The API keys you paste live in the operating system keychain. We never receive them, and they aren't written in plain text on disk.
When an agent calls a model, the request goes from your machine straight to the provider (Anthropic, OpenAI, Cursor, xAI, Google, OpenRouter, GitHub, Azure, Bedrock, Vertex, or local Ollama). We are not in the middle of those calls.
The desktop app touches three categories of data, all locally:
The website you're reading uses standard analytics to understand which pages get used (Vercel Analytics): page-level only, no personal identifiers, no cross-site tracking.
The desktop app sends optional, anonymized crash reports if you opt in. You can disable them under Settings → Diagnostics. They contain stack traces and version info, never your prompts or files.
When you email team@xeroshell.com we hold the contents of your email to reply. That's it.
Each provider you connect has its own privacy and data-retention policy. Xero is a thin client over their APIs. Your prompts and outputs are subject to whichever provider you chose for that call.
If you need full isolation, point Xero at a local Ollama instance. No request leaves your network in that mode.
The Solana bundle is an opt-in subscription for managed RPC, indexer, and webhook infrastructure. When it ships we'll publish a dedicated processing addendum covering the third-party providers involved. Until then, there is no Xero cloud holding your data.
The data Xero holds about you (locally) is yours. Delete the app and the journals go with it. For anything we hold server-side, such as emails to support or the analytics record of your page views, you can request access or deletion at team@xeroshell.com.
Questions about this policy? Email team@xeroshell.com. We read every message.
