SECURITY & PRIVACY
Built to be trusted with your work.
Most of what you do with Gladys never leaves your device. The little that does is encrypted, scoped to what's necessary, and never used to train AI models.
HOW WE THINK ABOUT IT
Four pillars. One goal: your data stays yours.
Sovereignty
Your apps and the data inside them live in your phone's sandbox. The cloud sees the bare minimum required to handle the request — never the contents of your apps.
Sandboxing
Every mini-app you build runs in its own isolated container. One app cannot read another's data, see its assets, or call its bridges. No shared cookie jar, no shared storage.
Standards
TLS 1.3 in transit. Encrypted-at-rest local storage. OAuth tokens kept in iOS Keychain. Cloudflare-fronted infra with WAF + DDoS protection. Industry-baseline at every layer.
Visibility
You see every app you've built, every connected account, every credit you've spent. Delete anything in one tap. Export your data on request. No dark patterns, no engagement metrics.
UNDER THE HOOD
Concrete protections, not marketing claims.
What we actually do. Worded conservatively — if a claim isn't on this page, it isn't true yet.
On-device first
Mini-apps execute locally in WKWebView. SQLite databases sit in your app sandbox. Assets live on-device. Cloud calls happen only for: model inference (text, image, voice generation), web search, and OAuth-mediated integrations you explicitly connect.
Encrypted in flight + at rest
All network traffic uses TLS 1.3. iOS file-level encryption protects local databases and asset buckets. OAuth tokens are stored in the iOS Keychain (Secure Enclave-backed when available). Cloud-side, we use ChaCha20-Poly1305 for sensitive blobs.
Per-app isolation
Every mini-app gets its own UUID-keyed SQLite file and asset directory. The runtime's native bridges enforce per-app scoping at the iOS layer — a "Recipes" app physically cannot read your "Client Tracker" app's data, even by accident.
No training on your data
We do not sell your data. We do not share it with third parties beyond what's required to serve your request (e.g., the model provider that handles a specific call). We do not use your conversations, apps, or memories to train models.
OAuth tokens you control
Connected accounts (Spotify, Gmail, etc.) are bound to your Gladys identity, encrypted at rest, scoped to the minimum permissions required. Disconnect any time from Settings — the token is revoked and forgotten.
Delete and forget
Delete a mini-app: gone, with its data. Delete your account: every saved chat, every memory, every connected account, every uploaded file — wiped from our systems within 7 days. Not soft-deleted. Actually gone.
WHERE WE BEAT THE CATEGORY
The smallest cloud surface in AI assistants.
VS CLOUD-FIRST AGENTS
Less data to breach.
Cloud-first AI platforms accumulate everything you say and do on their servers. Gladys keeps the apps + their data on your device. The smallest cloud surface in the category — fewer servers to compromise, fewer logs to leak, fewer rows in fewer tables.
VS WEB-BASED BUILDERS
Apps run where you trust them.
Web app builders host your generated apps on their infrastructure. Yours sit in your iOS app sandbox — the same boundary that protects every other app on your phone. Apple's OS-level isolation is a security model billions of devices rely on; we ride it.
VS DESKTOP DASHBOARDS
Mobile-native protections.
iOS Keychain. Secure Enclave. Biometric auth. Per-app sandboxing at the OS level. App-Transport-Security on every network call. These aren't add-ons we built — they're iOS guarantees we inherit. A web SaaS dashboard cannot match them.
COMPLIANCE
What's certified. What's not yet.
We're a small, focused team. We won't claim a badge we haven't earned — but we will tell you exactly where we are.
GDPR-aligned
Active. Right to access, right to be forgotten, data portability — all implemented.
SOC 2 Type II
In progress. Engaged auditor, control implementation underway. Targeting H2 2026.
CCPA-ready
Active. California Consumer Privacy Act protections implemented for all users.
Apple Privacy
Active. App Store Privacy Nutrition Labels filed and accurate. App Tracking Transparency respected.
GET IN TOUCH
Found something? Want to dig in?
We take security reports seriously and respond fast. If you've found a vulnerability — responsible disclosure to the address below. Enterprise security questions? Same place.