What we store, what we don't, and why.

Demiurge is local-first. Every session you run produces a full record on your machine: chat text, generated scripts, screenshots, API calls, Unity project paths, scene names. None of it is transmitted unless you explicitly opt in.

Screenshots never leave your machine, period — not even when you opt in to data sharing, not even in aggregate, not even for debugging.

When you do opt in to share anonymous usage data, what leaves your machine is a small set of aggregate, categorical signals — enough to help us spot patterns in product performance, nothing that identifies you or describes your project.

Your full session record stays on disk, on your machine, for your own auditing and undo. If you've opted in to anonymous analytics, a separate summary is derived from the session and that's what gets transmitted — the full record is never sent.

The summary is built from an explicit allow-list, not by stripping fields from the full record. Anything not on the list is structurally absent from what gets transmitted, not silently dropped. When the allow-list changes, this page is updated with the same release.

Broad categories only, at a level that helps us measure aggregate product health:

• Session metadata: a random session identifier, a timestamp, duration, and total token counts.
• Whether the session completed successfully, failed, or was abandoned — and a high-level failure category when relevant (no error text, no messages).
• A short task-type label (the kind of operation the session ran) — never the specific instructions you typed.
• A small set of structural booleans describing which safety steps ran during the session.

Every one of those fields carries no free-form text and no project content — they're bounded categorical values chosen from short, fixed lists.

• Screenshots (PNG files on disk).
• The generated C# scripts.
• The goal text you typed.
• Scene names, GameObject names, file paths, asset paths.
• Your Unity project name or folder.
• Your Anthropic API key.
• Any free-form strings that could carry project content.

Those items never leave your machine as part of any analytics, any aggregate, or any support interaction. The only way they reach us is if you voluntarily attach something to a support email.

On first launch of the browser-based chat UI, Demiurge asks whether you want to share anonymous usage data to help the product improve. The default is no. You can change your mind later from the settings surface (or by editing your local consent file — the full path is shown at the time of the prompt).

If you decline, no shareable log is ever transmitted from your machine. The private log is still written locally because it's the source of truth for your own undo / rollback flow; you can delete it at any time.

If you create a Demiurge account (required for billing on paid tiers), we store:

• Your email address.
• A secure password hash (or OAuth identifier if you sign in via a third party).
• Your current plan and billing status (handled by our payments provider; we never see your card).
• Aggregate monthly counters — how many turns you've run and how much compute the scaffolding has used this month, enforced by the billing system against your tier's limits.

That's the whole list. No Unity projects, no session content, no script text.

When Claude generates code on your behalf, the request goes through Anthropic's API under your API key (bring-your-own-key model). That means:

• Anthropic sees the text of your prompts (the system prompt, your goal, the briefing, the reference snippets) because they need to in order to generate the response. Anthropic's own privacy policy governs what they do with that text.
• Demiurge never routes your prompts through our servers as a proxy. Your prompt and Anthropic's response travel directly between your machine and api.anthropic.com.

Private data. On your local filesystem, in the folder where you installed Demiurge. ./logs/ for session records, ./memory/ for cross-session user preferences, ./logs/index.db for the session index. You own the files; delete any time.

Account data. US-based servers (Supabase + Fly.io). Encrypted at rest.

Shareable telemetry (if you opt in). Sent to our collector at api.getdemiurge.com, stored for pattern analysis, never joined back to your account identity beyond a short-lived correlation id.

Anything stored locally on your machine — session records, cached preferences — stays fully under your control. Delete those folders any time.

To delete your account and any data we hold on our side, send a request from the address associated with the account. We'll confirm when it's done.

Demiurge is a developer tool. We do not knowingly collect data from anyone under 13. It's not a platform for health-related information and you should not treat it as one.

If the policy changes in a material way (new data category transmitted, different storage location, expanded third parties), we will update the “last updated” date above and notify account holders by email. Changes that reduce data collection (shorter retention, smaller allow-list) don't get a notification — they apply immediately and are called out in release notes.

Privacy questions, deletion requests, disputes — use the contact form. A human reads it.

Specific questions — what fields are in a given summary, how long a piece of data is retained, how deletion is verified — are all fair game. Reach out and we'll answer.