Security

Darvy reads your screen and types on your behalf. That's a lot of trust to ask for. Here's what we do with it.

Status

Coming soon. A full security overview, including our third-party data flow diagrams, will be published here and in the project's legal/ directory on GitHub.

What stays on your machine

  • Your account passwords and login cookies for Google, Microsoft, etc.
  • Documents, emails, and files Darvy reads to answer your question.
  • Conversation history (if you enable history — off by default).
  • Your license key (stored in your OS keychain).

What leaves your machine

  • Microphone audio goes to a speech-to-text provider for transcription. Audio is not retained by that provider after transcription.
  • Transcribed text and tool descriptions go to a large-language-model provider to decide what action to take. We do not opt in to provider-side training.
  • Reply text goes to a text-to-speech provider to generate the voice you hear.
  • Crash diagnostics (anonymous) go to our error reporting service if Darvy crashes.

Payment data

Card details go directly from your browser to Polar, our PCI-compliant payment processor. We never see them. We see only your email address and a Polar customer ID.

Responsible disclosure

If you find a security vulnerability — in this website, the desktop app, or our license server — please report it to support@darvy.ai with "Security" in the subject. We'll acknowledge within 48 hours and work with you on a coordinated disclosure timeline. We don't have a paid bug bounty programme yet but we'll publicly credit you (with permission) once a fix ships.

More detail

For deeper technical detail — data flow diagrams, subprocessor list, retention windows — see email support. A canonical version will be committed to legal/security.md.

Last updated: 2026-05-18.