Privacy Policy

Last updated: May 23, 2026 · Effective: May 23, 2026

Plain-English summary: Adam is a personal AI assistant designed to run locally on the operator's hardware. Your conversations stay on the server you connect to and are not sold, shared, or transmitted to advertisers, AI training pipelines, or third-party analytics. We collect only what's needed to run the service and verify your subscription. You can request deletion of your data at any time.

1. Who we are

Adam ("the Service", "we", "us") is operated by An Ordinary Guy ("the Operator") from British Columbia, Canada. Adam is a locally-hosted AI assistant accessible to subscribers via a desktop application and to guest users via a web interface at adam.adamonline.ca. This Privacy Policy applies to all interactions with Adam through the desktop app, the web interface, and the associated subscription-verification systems.

This policy is written to comply with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable British Columbia privacy legislation, including the Personal Information Protection Act (BC) (PIPA BC).

2. What data we collect

Category	What	Why	Where stored
Account credentials	Username (email format); password (bcrypt-hashed, never stored plaintext)	To authenticate you	Local SQLite database on the Operator's server
Subscription state	Current tier; Patreon or Stripe customer ID; renewal date; locked-in price	To validate your access	Local SQLite database on the Operator's server
Conversation history	Messages you send to Adam and responses Adam returns	To provide conversational continuity	Local SQLite + vector database on the Operator's server
Voice transcripts (desktop app)	Speech-to-text transcripts of audio captured during voice interaction	To process voice commands locally	Your own machine, then transmitted to Adam's server only when you intentionally invoke Adam
Patreon identity (if connected)	Patreon user ID; email address registered with Patreon; current pledge tier; OAuth refresh token	To verify active subscription when the primary server is unreachable	OAuth refresh token stored locally on your machine, encrypted via Windows DPAPI; Patreon user ID stored on Adam's server
Session metadata	Session token; IP address; user agent string; login timestamps	To maintain login state and detect abuse	Local SQLite database; rotated every 7 days
Audit logs	Login events; tier changes; subscription events; admin actions	Security and accountability	Local JSONL files on the Operator's server

What we do NOT collect

Persistent screen captures, webcam recordings, or always-on audio recordings.
Browser history, file system contents outside of files you intentionally share with Adam, or activity in unrelated applications.
Payment card numbers (handled by Patreon and Stripe directly; we never see them).
Patreon password (OAuth means you authenticate with Patreon, not with us — we never see your Patreon credentials).
Data for the purpose of advertising profiles, analytics, or behavioural tracking.

3. How we use your data

We use the data described in Section 2 only for the following purposes:

Service operation — to authenticate you, maintain your session, deliver Adam's responses, and process voice commands you intentionally invoke.
Subscription verification — to confirm your subscription is active, either by querying our own server, or, if our server is unreachable, by querying the Patreon API directly on your behalf using the OAuth credentials you authorized.
Conversational continuity — to give Adam the context of prior conversations so responses are coherent across sessions.
Security — to detect and respond to abuse, attempted unauthorized access, and policy violations.
Service improvement — to diagnose bugs and improve Adam's behaviour, using audit logs and error reports. We do not use your conversation content to train external AI models.

We do not use your data for advertising, profiling, or any purpose not listed above. We do not sell your data. We do not share your data with third parties except as described in Section 5.

4. Local-first architecture

Adam is designed around a local-first principle. The AI model that generates responses (Llama 3.1 via Ollama) runs on the Operator's local hardware. Your conversations are not sent to OpenAI, Anthropic, Google, or any other third-party AI service. The desktop application is intended to run primarily on your own machine; the Operator's server is contacted only for authentication, subscription verification, and (in some configurations) brain inference when local inference is unavailable.

This means your conversation data does not leave the Operator's infrastructure or your own machine in normal operation.

5. Third-party services

Adam uses the following third-party services, limited strictly to the purposes described:

Patreon (policy) — to process subscription payments and verify active membership. When you connect Patreon via OAuth, we receive your Patreon user ID, the email address you registered with Patreon, and your current pledge tier. We do not receive your Patreon password, payment card details, or other account information.
Stripe (policy) — to process subscription payments for à-la-carte personality add-ons and Stripe-direct subscriptions. We receive only your Stripe customer ID, subscription state, and the price IDs associated with your purchases. We never see your payment card details.
Cloudflare (policy) — for tunneling, DNS, and edge hosting of the marketing site. Cloudflare may log IP addresses and request metadata as part of standard operation; we do not have access to any data Cloudflare collects beyond what they provide in their dashboards.

We do not use Google Analytics, Facebook Pixel, advertising trackers, or any third-party analytics service on Adam properties.

6. How long we keep your data

Data type	Retention
Account credentials	Until you delete the account or after 12 months of inactivity (whichever comes first)
Conversation history	Indefinitely while account is active; deletable on request
Voice transcripts	Same as conversation history; the audio itself is not retained beyond the transcription step
Patreon identity	Until you disconnect Patreon or delete your account
Session metadata	Active sessions expire after 7 days of inactivity; failed-login records purged after 24 hours
Audit logs	12 months, then archived or deleted

7. Your rights

Under PIPEDA and PIPA BC, you have the following rights regarding your personal information:

Access — You can request a copy of the personal information we hold about you.
Correction — You can request that we correct inaccurate or incomplete information.
Deletion — You can request deletion of your conversation history, your account, or both. Deletion is permanent and cannot be undone.
Withdrawal of consent — You can disconnect Patreon at any time from the desktop app's Settings panel. This will revoke the OAuth tokens and prevent further Patreon API access on your behalf.
Portability — You can request your conversation history in a machine-readable format (JSON export).
Complaint — You can complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, if you reside in British Columbia, to the Office of the Information and Privacy Commissioner for BC (oipc.bc.ca).

To exercise any of these rights, email privacy@adamonline.ca. We will respond within 30 days.

8. Security

We protect your data using the following measures:

Passwords are stored as bcrypt hashes (cost factor 12), never in plaintext.
Session tokens are 32-byte cryptographically random opaque strings, stored in HttpOnly Secure cookies with SameSite=Lax to defend against XSS and CSRF.
Per-IP login rate limiting (5 failed attempts in 5 minutes triggers a 15-minute backoff).
Server data resides on encrypted storage on the Operator's hardware.
Patreon OAuth refresh tokens stored on your machine are encrypted via Windows Data Protection API (DPAPI), tied to your Windows user account.
All traffic between you and the Operator's server is encrypted via TLS, terminated at Cloudflare's edge and forwarded over an encrypted tunnel to the local server.

No system is perfectly secure. If we become aware of a breach involving your personal information, we will notify affected users within 72 hours and report to the Office of the Privacy Commissioner of Canada as required.

9. Children

Adam is not directed at children. We do not knowingly collect personal information from anyone under the age of 14. If we learn we have collected information from a child under 14, we will delete it. If you believe a child has provided us with personal information, contact privacy@adamonline.ca.

10. International users

Adam is operated from British Columbia, Canada, and your data is stored in Canada. If you access the Service from outside Canada, you are transferring your data to Canada for the purpose of receiving the Service. Canadian privacy laws apply.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy at this URL with a new "Last updated" date. Material changes will be announced via email to active subscribers. Continued use of the Service after a material change constitutes acceptance of the updated policy.

12. Contact

For privacy questions, requests, or complaints:

Email: privacy@adamonline.ca
Operator: An Ordinary Guy (pseudonym), British Columbia, Canada
Web: adamonline.ca

The Operator publishes under a pseudonym for personal-safety reasons. Real legal identity is on file and will be disclosed in response to a valid Canadian court order, lawful subpoena, or other binding legal process, as required by PIPEDA. For all other contact — including privacy requests, support, and good-faith inquiries — please use the email addresses above; we will respond as required by law.