Protect your contracts. Analyze confidential data. Get accurate information. Reason through decisions.
Everyday AI tools log your prompts, train on your input, and store conversation history on servers you don’t control. Every sensitive document you paste becomes an exposure you can’t undo.
Glaucon is built for work that carries real stakes — client matters, proprietary research, unreleased financials, privileged strategy under NDA. Glaucon’s proprietary Cyfr layer masks identifiers before anything leaves your device. Messages are end-to-end encrypted. Reasoning runs inside an attested hardware enclave. The model provider retains nothing. There is no server-side history to breach.
Data privacy, taken seriously
Just you and the AI.
Glaucon removes everyone else from the loop. No training on your work, no readable server logs, no shadow copies for ads or analytics. You bring the context; the model answers; the conversation stays yours.
Remain compliant
Built for regulated work
Honor client NDAs, privacy regulations, and internal audit requirements with controls built in from the start. Encryption, zero-retention inference, and passkey-locked history keep sensitive work out of readable server storage — so you can demonstrate confidentiality by design, not just by policy.
Secure your IP
Your edge stays yours
Trade secrets, deal terms, and unreleased strategy stay out of model-training pipelines. Cyfr masks identifiers before they leave your device; saved work is ciphertext only. Your competitive advantage doesn’t become someone else’s training data.
Stay ahead
Privacy without compromise
Discretion shouldn’t mean worse intelligence. Every frontier model runs through the same E2EE + TEE stack, with Glaucon’s reasoning layer on top. Move fast on confidential work without choosing between capability and discretion.
Structural, not contractual
Nothing to leak
Most tools ask you to trust a privacy policy. Glaucon is engineered so there is nothing readable to breach — ciphertext in transit, inference inside attested hardware, providers contractually barred from retention. Privacy by architecture, not promise.
The privacy model
The architecture of silence.
Most tools ask you to trust a policy. Glaucon is built so there is nothing to leak. Six layers stand between your privileged work and the outside world — each one enforced structurally, not contractually.
01 Encrypted cloud and file vault (Glaucon-only)
Pro stores chat history and uploaded files as ciphertext on our servers. Neither decrypts without your passkey: Face ID, Touch ID, or your device passcode. Glaucon never holds your unlock key — only you can read what you saved.
02 Cyfr (proprietary)
Glaucon’s proprietary on-device layer swaps names, firms, emails, and numbers for opaque codenames before anything leaves your browser. No other AI product has this — the model reasons on structure, never identities.
input_buffer.txt
Analyze term sheet for LexCorp acquisition.
Total cash consideration: $1.2B.
Point of contact is Clark Kent.
03 E2EE session encryption (in-browser)
Your masked message is wrapped in AES-GCM symmetric encryption using a per-session key generated on your device. Only ciphertext travels the wire.
04 Edge relay — no keys (relay only)
Glaucon’s edge servers handle auth, billing, and rate-limiting. They relay ciphertext only. No decryption key exists on the edge — impossible for us to read.
05 TEE enclave inference (AMD SEV-SNP)
The message is decrypted and the model runs inside an attested confidential computing enclave. The host, the cloud provider, and Glaucon’s own infrastructure cannot read the plaintext inside.
06 ZDR model routing (zero retention)
Inference is routed through OpenRouter with zero-data-retention flags. The model provider is contractually and structurally prevented from logging or training on your queries.
Uncompromising intelligence
Every frontier model — one private workspace.
Every model runs through the same E2EE + TEE + ZDR stack. No model ever receives a prompt that wasn’t encrypted in transit and processed inside the enclave.
Glaucon Auto
Smart routing — picks the best model per task
Anthropic Claude
Haiku 4.5, Sonnet 4.6, Opus 4.8
OpenAI GPT
GPT-5.5
Google Gemini
3.5 Flash, 3.1 Pro
NVIDIA
Nemotron Ultra
Epistemic infrastructure
Built to resist hallucination.
Glaucon, named for Plato’s relentless interlocutor, sits on top of every model it runs and forces it to show its work. Every load-bearing claim carries a confidence score. Every shaky premise is named. Any answer can be pushed harder — until it cites, defends, or admits it doesn’t know.
See it
Confidence, not hedge
Every reasoned answer carries a ribbon: how many claims are strong, moderate, or speculative. Calibrated probabilities, not flat-toned overconfidence and not defensive hedging on every sentence.
Vet
Push back
One click to vet
Click Vet and an independent skeptic challenges the answer. Glaucon must defend each claim, cite it, or retract it — on the record. Where it can’t support a claim, it says so instead of fabricating a source.
Inspect it
Reasoning shows its work
Conclusions are separated from the premises that hold them up. When a premise is weak, the conclusion is marked, not papered over. The whole chain is inspectable, not implied.
Private AI FAQ
Questions professionals ask before trusting an AI.
Honest answers about encryption, retention, and what Glaucon can and cannot see.
Does Glaucon train on my data?
No. Glaucon routes inference through zero-data-retention (ZDR) providers and does not use your prompts to train models. Live chat is not stored as readable server-side history.
Is Glaucon end-to-end encrypted?
Yes. Chat requests are encrypted in your browser before they leave your device and are decrypted only inside an attested hardware enclave. Pro encrypted cloud history and the file vault are encrypted with keys generated on your device and wrapped only by your passkey/biometric or recovery code — Glaucon never receives the keys and stores ciphertext only.
What makes Glaucon different from ChatGPT?
Mainstream AI assistants store conversation history on provider infrastructure by default. Glaucon combines browser-side encryption, attested hardware enclave inference, and zero-data-retention routing so plaintext prompts are not readable on Glaucon’s edge and are not retained by model providers.
What is zero data retention (ZDR) inference?
ZDR means the model provider is contractually and technically prevented from logging or training on your queries. Glaucon uses ZDR routing by default.
Can Glaucon read my saved chat history?
No. Pro cloud history and your file vault are stored as ciphertext encrypted with keys only you hold — there is no server-side key and no recovery backdoor. You unlock with a passkey/biometric (Face ID, Touch ID) or your 144-bit recovery code. If you lose both, the data is unrecoverable, by design.
Protect contracts, analyze confidential data, get accurate information, and reason through decisions — with nothing logged, nothing retained, and saved history sealed behind your passkey alone.
Glaucon is the privacy-first, E2EE, TEE, & ZDR AI solution for professionals — frontier models for writing, coding, research, and analysis, with structural privacy controls and structured reasoning discipline. General-purpose productivity software, not legal, investment, medical, or regulatory advice.
What you get
Glaucon routes live chat to frontier models (Claude, GPT, Gemini, and others) through OpenRouter with zero-data-retention flags on every inference call. Lite and Pro unlock encrypted cross-device history, the file vault, adaptive web search, and Cyfr name-masking (on by default). Pro adds the full frontier catalog and economy overflow after your monthly premium credit budget. New accounts start with a free trial, then Glaucon Lite ($10/mo) or Pro ($20/mo).
How live chat is protected
Signed-in chat uses v2 browser-to-enclave encryption (P-256 ECDH + AES-GCM). Your browser seals each turn for the TEE public key. A Cloudflare Worker at the edge handles auth, billing, and quotas while relaying ciphertext only; it does not hold the enclave private key. Attested AMD SEV-SNP Azure confidential containers decrypt inside protected hardware, run inference with ZDR routing, and return an encrypted reply. A standby Azure enclave provides hardware failover. Your browser decrypts the response. Live inference is ephemeral; Glaucon does not store ordinary plaintext chat logs on its servers.
Content–identity unlinkability: your email, user ID, plan, and billing metadata never cross the inference boundary — model providers cannot cryptographically link prompts to your Glaucon account.
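The browser-to-enclave sealing described above, sketched as an added example (not Glaucon's code, and not taken from its crypto spec). Node's synchronous crypto stands in for the browser's WebCrypto; the HKDF step, the envelope field names (`v`, `epk`, `iv`, `ct`, `tag`) and the use of an attestation nonce as salt and AAD are assumptions, since the page names only P-256 ECDH and AES-GCM.

```javascript
const nodeCrypto = require('node:crypto');

// ASSUMPTION: HKDF-SHA256 turns the ECDH secret into the AES key, salted with
// the attestation nonce. The page names only P-256 ECDH + AES-GCM.
function deriveKey(sharedSecret, nonce) {
  return Buffer.from(
    nodeCrypto.hkdfSync('sha256', sharedSecret, nonce, 'example-v2-envelope', 32));
}

// Browser side: seal one chat turn for the enclave's public key.
function sealForEnclave(teePublicKey, nonce, plaintext) {
  const eph = nodeCrypto.createECDH('prime256v1'); // fresh P-256 key per turn
  const epk = eph.generateKeys();
  const key = deriveKey(eph.computeSecret(teePublicKey), nonce);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(nonce); // ties the ciphertext to one attested session
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    v: 2,
    epk: epk.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Edge relay: it sees only the envelope fields and has no private key to
// call computeSecret() with, so forwarding is all it can do.
function relay(envelope) {
  return JSON.parse(JSON.stringify(envelope));
}

// Enclave side: recompute the shared secret with the TEE private key.
function openInEnclave(teeKeyPair, nonce, envelope) {
  if (envelope.v !== 2) throw new Error('unsupported envelope version');
  const shared = teeKeyPair.computeSecret(Buffer.from(envelope.epk, 'base64'));
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', deriveKey(shared, nonce), Buffer.from(envelope.iv, 'base64'));
  decipher.setAAD(nonce);
  decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  return Buffer.concat([
    decipher.update(Buffer.from(envelope.ct, 'base64')),
    decipher.final(), // throws if the tag, key or AAD does not match
  ]).toString('utf8');
}

function opens(teeKeyPair, nonce, envelope) {
  try {
    openInEnclave(teeKeyPair, nonce, envelope);
    return true;
  } catch {
    return false;
  }
}

function runEnvelopeDemo() {
  const tee = nodeCrypto.createECDH('prime256v1');
  const teePublicKey = tee.generateKeys();  // in production, vouched for by attestation
  const nonce = nodeCrypto.randomBytes(16); // constructed session nonce
  const prompt = 'Analyze term sheet for ORG_1 acquisition.'; // already masked
  const onWire = relay(sealForEnclave(teePublicKey, nonce, prompt));

  // Flip one ciphertext bit, as a misbehaving relay could.
  const bytes = Buffer.from(onWire.ct, 'base64');
  bytes[0] ^= 0x01;
  const tampered = { ...onWire, ct: bytes.toString('base64') };

  return {
    roundTrip: openInEnclave(tee, nonce, onWire),
    plaintextOnWire: JSON.stringify(onWire).includes('term sheet'),
    tamperedRejected: !opens(tee, nonce, tampered),
    otherSessionRejected: !opens(tee, nodeCrypto.randomBytes(16), onWire),
  };
}

console.log(runEnvelopeDemo());
```

The guarantee rests on the browser sealing to a public key it has checked against the attestation report; a client that accepts an unverified key gets encryption to whoever supplied it.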
History & storage
Lite, Pro, and Enterprise default to end-to-end encrypted cloud history and file vault (AES-GCM ciphertext only in D1/R2; MEK secret wrapped by your history passkey or recovery code in the browser — never sent to Glaucon). Local-only history is optional in Settings. Trial accounts use device-local history. When you burn a thread, it is removed from your history on that device; cloud copies follow your sync settings.
Reasoning
Glaucon steers answers toward evidence, structure, and calibrated confidence instead of engagement bait or stale consensus. Every turn follows a conclusion-first discipline: load-bearing claims up front, weak premises surfaced, and terms defined before arguing.
Cyfr (default on)
Cyfr is a client-side layer enabled by default that substitutes sensitive names with codenames before a message is encrypted. It reduces accidental PII in ciphertext; you can disable it in Settings. It does not replace your own ethics, contract, or regulatory obligations about what data may be sent to a third-party AI tool.
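A minimal sketch of client-side codename masking, added here as an example; it is not Cyfr's code. Cyfr is proprietary and the page does not say how it detects identifiers, so the caller-supplied term list, the two shape regexes and the `KIND_n` codename format are all assumptions. The input is the page's own sample text.

```javascript
// ASSUMPTION: identifiers are found from a caller-supplied term list plus two
// shape regexes. How Cyfr actually detects them is not described on the page.
const SHAPES = [
  { kind: 'EMAIL', source: '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}' },
  { kind: 'AMOUNT', source: '\\$\\d[\\d,]*(?:\\.\\d+)?[KMB]?' },
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

class CodenameMasker {
  constructor(terms) {
    this.termKinds = new Map(terms.map((t) => [t.text, t.kind]));
    this.forward = new Map(); // original -> codename (stays on the device)
    this.reverse = new Map(); // codename -> original (stays on the device)
    this.counters = new Map();
    // Shapes first so an email is masked whole; longer terms before shorter
    // ones so "Clark Kent" wins over "Kent".
    const termSources = [...this.termKinds.keys()]
      .sort((a, b) => b.length - a.length)
      .map((t) => `\\b${escapeRegExp(t)}\\b`);
    this.combined = new RegExp(
      [...SHAPES.map((s) => s.source), ...termSources].join('|'), 'g');
  }

  kindOf(match) {
    if (this.termKinds.has(match)) return this.termKinds.get(match);
    return SHAPES.find((s) => new RegExp(`^(?:${s.source})$`).test(match)).kind;
  }

  // The same original always maps to the same codename, so the model can
  // still follow who did what across a conversation.
  codenameFor(kind, original) {
    if (!this.forward.has(original)) {
      const n = (this.counters.get(kind) || 0) + 1;
      this.counters.set(kind, n);
      const code = `${kind}_${n}`;
      this.forward.set(original, code);
      this.reverse.set(code, original);
    }
    return this.forward.get(original);
  }

  // One pass over the text, so a codename is never re-scanned and re-masked.
  mask(text) {
    return text.replace(this.combined, (m) => this.codenameFor(this.kindOf(m), m));
  }

  // Applied to the decrypted reply; codenames this session never issued are
  // left untouched.
  unmask(text) {
    return text.replace(/\b[A-Z]+_\d+\b/g, (c) => this.reverse.get(c) ?? c);
  }
}

// The page's sample input; the term list and the model reply are constructed.
const SAMPLE = [
  'Analyze term sheet for LexCorp acquisition.',
  'Total cash consideration: $1.2B.',
  'Point of contact is Clark Kent.',
].join('\n');

function runMaskDemo() {
  const masker = new CodenameMasker([
    { kind: 'ORG', text: 'LexCorp' },
    { kind: 'PERSON', text: 'Clark Kent' },
  ]);
  const masked = masker.mask(SAMPLE);
  return {
    masked,
    restored: masker.unmask(masked),
    reply: masker.unmask("PERSON_1 should confirm AMOUNT_1 with ORG_1's board."),
    // "Lois Lane" is not in the term list and has no recognisable shape, so
    // it goes out as typed: masking is only as good as its detection.
    missed: masker.mask('Copy Lois Lane at lois@dailyplanet.example'),
  };
}

console.log(runMaskDemo());
```

The `missed` result is the case to review in any masking layer: an identifier that detection does not recognise is encrypted and sent like any other text.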
Honest limits
Glaucon is designed to minimize surveillance-style retention and server-side plaintext exposure, but no online service can guarantee perfect security or anonymity in every circumstance. You remain responsible for deciding whether a given matter, dataset, or workplace policy allows third-party AI tools. Glaucon is not certified compliant with any specific regulatory framework unless separately agreed in writing.
The name nods to Plato's Republic — Glaucon's Ring of Gyges, an early meditation on invisibility, identity, and what people do when they believe no one is watching. We built Glaucon for principled privacy from default surveillance — and for accountability in reasoning.
Glaucon is the privacy-first, E2EE, TEE, & ZDR AI solution for professionals who need structural privacy — not policy promises alone. This page summarizes our security architecture for review. Live posture is also exposed at GET /api/config → security.
Cryptography specification
Algorithms, key hierarchy, wrapper types, envelope formats, API shapes, threat model, and structural guarantees are documented for security reviewers:
Cloud history & file vault (Lite / Pro / Enterprise): End-to-end encrypted — random MEK secret wrapped by passkey or recovery code in browser; D1/R2 store ciphertext + IV only. Local-only is optional in Settings.
Inference: OpenRouter ZDR pool only on every call (provider.zdr: true, data_collection: deny) — no user-facing non-ZDR path.
TEE: Dual Azure confidential containers (primary + standby failover); AMD SEV-SNP attestation with pinned measurement and nonce-bound session keys in production.
Content–identity unlinkability: Account email, user ID, plan, and billing never cross the inference boundary — providers cannot cryptographically link prompts to Glaucon accounts.
Cyfr: Client-side codename masking on by default before encryption; optional disable in Settings.
Enterprise controls
SAML 2.0 SSO (SP-initiated) with XML signature verification
Global rate limits and daily spend circuit breaker
Subprocessors
We use the following categories of infrastructure and service providers to operate Glaucon:
| Provider | Purpose | Data handled |
|---|---|---|
| Cloudflare | Edge worker, D1, KV, email routing | Account metadata, ciphertext, rate-limit hashes |
| Microsoft Azure | Confidential container (TEE gateway) | Ephemeral ciphertext for inference |
| OpenRouter | Model inference (ZDR) | Ephemeral prompts/responses per ZDR policy |
| Stripe | Billing | Payment and subscription metadata |
| Google | Optional OAuth sign-in | Email, profile per OAuth consent |
Certifications
SOC 2 Type II and ISO 27001 are on our enterprise roadmap. Contact security@glaucon.ai for security questionnaires and DPAs.
Honest limits
Encrypted cloud history and the file vault decrypt only after your history passkey or recovery code. Without that unlock, browser storage inspection shows ciphertext and sealed blobs — not decrypted content. Live chat plaintext exists only ephemerally in browser and attested enclave RAM during inference; Glaucon does not persist it server-side. Malware on an actively unlocked session could observe what you can see — passkeys, session sealing, and CSP mitigate but cannot eliminate that class of risk in any web E2EE product.
Applies to: Glaucon web application, related websites, and account, billing, and support interactions
Overview
Glaucon LLC, a Texas limited liability company ("Glaucon," "we," "us"), is the data controller responsible for personal information processed through the service. Contact details appear in the Contact section below.
Glaucon is the privacy-first, E2EE, TEE, & ZDR AI solution for professionals, with zero-data-retention routing on every live inference request. Chat requires a registered account. Signed-in live chat uses browser-to-enclave encryption: the browser encrypts messages for a hardware-backed Trusted Execution Environment (TEE), currently deployed as an Azure confidential container. The edge worker relays ciphertext only and does not hold the TEE private key. Plaintext live chat is not stored by Glaucon as ordinary server-side history.
Glaucon also offers optional features that change how data is handled, including encrypted cloud history, browser-local history, account registration, file upload and local parsing, Pro subscriber API budget add-ons, and paid subscriptions through Stripe. Adaptive web search may run when a turn needs current facts. Every live inference request uses OpenRouter zero-data-retention (ZDR) routing — there is no user-facing non-ZDR path. This policy explains what data is collected, how it is used, what is stored, what is not stored, and what choices users have.
Scope
This Privacy Policy applies to:
The Glaucon website and web application and associated subpages.
Registered account use of chat, workspaces, and file-processing features (guest/anonymous chat is not offered).
Account creation, login, encrypted history sync, plan management, and billing flows.
Support, security, abuse prevention, diagnostics, and legal compliance activities reasonably necessary to operate the service.
It does not govern third-party sites or services that may be linked from Glaucon or embedded as external processors, such as payment processors or infrastructure providers, except as described here at a high level.
Privacy architecture summary
Glaucon is built around a layered privacy model. Account/profile data is separated from live model prompts. Signed-in chat uses v2 browser-to-enclave encryption to the TEE public key; the edge relays ciphertext to attested confidential enclaves; inference runs with OpenRouter ZDR routing inside that enclave; Lite, Pro, and Enterprise chat history and file vault default to encrypted cloud storage (local-only is optional in Settings). TEE is used for inference only — not for storage. Account email and billing never enter model payloads — providers cannot link inference content to Glaucon account identity. Full cryptographic detail: GLAUCON-CRYPTO-SPEC.md.
Live chat data flow (signed-in users)
Browser: Encrypts prompts with ECDH + AES-GCM (v2 envelope).
→ Decrypt in protected compute → OpenRouter zero retention → encrypt reply.
→ Browser: Decrypts response. No server-side plaintext chat history.
Identity gate: email, plan, and billing never enter the model payload.
At a high level:
Account layer: stores profile, authentication, subscription, quota, and billing-linked identifiers. Account data is kept separate from live chat prompts.
Inference layer: processes chat messages inside the TEE gateway after v2 decryption. Every live inference request uses OpenRouter with provider.zdr: true and data_collection: deny. Glaucon does not offer a non-zero-retention inference path.
History layer (end-to-end encrypted cloud sync): Lite, Pro, and Enterprise default to encrypted cloud history and file vault (AES-256-GCM ciphertext only on D1/R2); local-only history is optional in Settings. Trial accounts use device-local history only. Encryption keys are generated and held only on your device: a random per-account MEK secret encrypts your history and file vault and is wrapped exclusively by keys you control — a history passkey/biometric (WebAuthn PRF) or a 144-bit recovery code — derived in the browser. Glaucon never receives these keys and provides no server-side recovery path, so Glaucon cannot decrypt your cloud history or file vault.
Live chat layer: Signed-in users use v2 browser-to-enclave encryption to the TEE public key. The edge worker relays ciphertext to the confidential gateway without decrypting locally. Glaucon Pro subscribers may continue in economy mode on the same encrypted path after their monthly premium API budget is used, until the economy cap or next billing cycle. Pay-as-you-go token accounts use purchased tokens only and do not include economy overflow. Trial accounts receive a limited trial before upgrade.
This architecture is meant to reduce data linkage and minimize retained plaintext, but no online system can guarantee absolute security or perfect anonymity in all circumstances.
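The history-layer key hierarchy above (a random MEK wrapped by a passkey-derived key or a 144-bit recovery code, with the server holding ciphertext and IV only), sketched as an added example that is not Glaucon's code. The HKDF derivation, the wrapper labels, the record layout and binding each record's id as AAD are assumptions; random bytes stand in for the WebAuthn PRF output.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM with the 16-byte tag appended to the ciphertext.
function gcmSeal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final(), c.getAuthTag()]);
  return { iv: iv.toString('base64'), ct: ct.toString('base64') };
}

function gcmOpen(key, blob, aad) {
  const raw = Buffer.from(blob.ct, 'base64');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(raw.subarray(raw.length - 16));
  return Buffer.concat([d.update(raw.subarray(0, raw.length - 16)), d.final()]);
}

// ASSUMPTION: HKDF-SHA256 over the unlock secret, salted with the account's
// history salt. A fast KDF is acceptable only because both secrets are
// high-entropy (32-byte PRF output, 144-bit random code), unlike a password.
function deriveKek(secret, historySalt, wrapperType) {
  return Buffer.from(
    nodeCrypto.hkdfSync('sha256', secret, historySalt, `wrap:${wrapperType}`, 32));
}

// Runs in the browser: everything in `device` stays there, `server` is what
// gets uploaded.
function enroll() {
  const mek = nodeCrypto.randomBytes(32);
  const device = {
    'passkey-prf': nodeCrypto.randomBytes(32),   // stand-in for WebAuthn PRF output
    'recovery-code': nodeCrypto.randomBytes(18), // 18 bytes = 144 bits
  };
  const server = {
    historySalt: nodeCrypto.randomBytes(16).toString('base64'),
    wrappers: {},
    records: {},
  };
  for (const [type, secret] of Object.entries(device)) {
    const kek = deriveKek(secret, server.historySalt, type);
    server.wrappers[type] = gcmSeal(kek, mek, `wrap:${type}`);
  }
  return { mek, device, server };
}

function unlock(server, type, secret) {
  const kek = deriveKek(secret, server.historySalt, type);
  return gcmOpen(kek, server.wrappers[type], `wrap:${type}`);
}

// The record id is bound as AAD so the server cannot serve one thread's
// ciphertext under another thread's id.
function putRecord(server, mek, id, text) {
  server.records[id] = gcmSeal(mek, Buffer.from(text, 'utf8'), `record:${id}`);
}

function getRecord(server, mek, id) {
  return gcmOpen(mek, server.records[id], `record:${id}`).toString('utf8');
}

function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

function runVaultDemo() {
  const { mek, device, server } = enroll();
  putRecord(server, mek, 'thread-1', 'Q3 deal notes (constructed sample)');
  putRecord(server, mek, 'thread-2', 'unrelated thread');

  const viaPasskey = unlock(server, 'passkey-prf', device['passkey-prf']);
  const viaRecovery = unlock(server, 'recovery-code', device['recovery-code']);

  const swapped = JSON.parse(JSON.stringify(server));
  swapped.records['thread-1'] = swapped.records['thread-2']; // server-side swap

  return {
    viaPasskey: getRecord(server, viaPasskey, 'thread-1'),
    viaRecovery: getRecord(server, viaRecovery, 'thread-1'),
    recoveryCodeBits: device['recovery-code'].length * 8,
    wrongCodeRejected: rejects(
      () => unlock(server, 'recovery-code', nodeCrypto.randomBytes(18))),
    swappedRecordRejected: rejects(() => getRecord(swapped, viaPasskey, 'thread-1')),
    serverHoldsMek: JSON.stringify(server).includes(mek.toString('base64')),
  };
}

console.log(runVaultDemo());
```

Losing both unlock secrets leaves `server.wrappers` undecryptable, which is the unrecoverable-by-design property the policy describes.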
Information collected
1. Account and profile information
When a user creates an account, Glaucon may collect:
Email address.
Passwordless authentication metadata — magic link, Google OAuth, Apple OAuth, or WebAuthn passkey sign-in. The password_hash column stores sentinel values (for example magic:email, oauth:google), not user-chosen login passwords. Legacy password accounts (if any) use PBKDF2-SHA256 with an optional server-side pepper; encryption keys are never derived from login credentials.
Subscription status, plan, trial usage, purchased API budget add-ons, usage quota, usage counters, and quota reset timing.
A history salt associated with encrypted history workflows.
Sandbox display handle information in sandbox mode, where applicable.
This information is used to authenticate users, enforce subscription and quota rules, maintain account state, and support account recovery or support interactions where applicable.
2. Session and authentication data
Glaucon uses a secure session cookie for authenticated sessions. The session cookie is configured as HttpOnly, Secure, and SameSite=Strict, which helps limit client-side script access and cross-site sending.
Session records may include:
Session identifier.
Associated user identifier.
Session expiration timestamp.
This data is used solely to maintain signed-in sessions, authorize account-only features, and support secure logout and session expiration behavior.
3. Live chat and workspace inputs
When a signed-in user submits a prompt, message, or workspace input, Glaucon processes the submitted content to generate a response. Message payloads are sent from the browser in a v2 encrypted envelope (ECDH to the TEE public key + AES-GCM). The edge worker relays the envelope to the confidential gateway without decrypting it locally; the gateway decrypts inside the enclave, runs zero-retention inference through OpenRouter, and returns an encrypted response.
Depending on user actions, submitted content may include:
Chat messages.
Structured workspace fields for research and document-assisted workflows.
Extracted text from uploaded files.
User-selected model (all available models are routed through OpenRouter with ZDR flags).
Adaptive web-search queries when the turn needs current facts (OpenRouter ZDR). Search requests contain query text only — not your account email, billing identity, or profile metadata.
Glaucon does not store plaintext live chat content on its own servers as ordinary chat history in the standard live inference path. However, live content is still transmitted for processing to OpenRouter (and, on the TEE path, to the configured TEE gateway) and may exist transiently in memory or ephemeral processing systems during request handling.
4. File uploads and local file processing
Users may attach files, including PDFs, text files, images, and spreadsheet files, subject to product limits and supported formats. Glaucon performs some file processing locally in the browser, including PDF text extraction and spreadsheet parsing, and strips EXIF metadata from supported image uploads before transmission.
Glaucon may therefore process:
File names and file types.
Extracted text content from supported files.
Sanitized image payloads where applicable.
Limited file-related warnings, such as local PII warnings generated on-device.
Users are responsible for ensuring they have the right to upload and process any file they submit.
5. Encrypted history data
If a user enables encrypted cloud history on an eligible plan (Pro), Glaucon stores only ciphertext, IV values, and update timestamps in its database for that feature. Because the encryption keys are derived and held only on your device and are never transmitted to Glaucon, the service cannot read or decrypt this content: there is no server-side key and no recovery backdoor. The same applies to encrypted file vault contents. If you lose every device key and your recovery code, the encrypted data is unrecoverable — by design, not by policy.
If a user selects browser-local history instead, chat history may be stored on the user’s device through browser storage mechanisms or in-memory client state depending on feature and browser behavior. Users should understand that local device access and browser environment security remain partly under the user’s own control.
6. Billing and payment information
Glaucon uses Stripe for subscription checkout, Pro subscriber API budget add-ons, subscription activation, subscription state changes, and customer/payment linkage. Glaucon may store limited Stripe-related metadata, including:
Stripe customer ID.
Stripe subscription ID.
Subscription plan and status.
Checkout and billing state needed to activate or deactivate plans.
Glaucon does not state in the current implementation that it stores full payment card numbers on its own systems; payment processing is handled through Stripe flows.
7. Usage, quota, security, and technical data
Glaucon collects limited technical and operational data needed to run the service safely and reliably. This may include:
Rate-limit keys derived from hashed IP information.
Request metadata needed to detect abuse, enforce quotas, and secure the service.
Error, debug, and diagnostic events used to investigate failures or service integrity issues.
Browser and device context needed for security controls, rendering, or compatibility.
This operational data is used for fraud prevention, abuse prevention, reliability, diagnostics, and legal compliance.
How Glaucon uses information
Glaucon uses collected information to:
Provide chat, workspace, and document-analysis functionality.
Authenticate users and maintain account sessions.
Enforce plan limits, trial access, API budget balances, and subscription access controls.
Process subscription purchases, API budget add-on purchases, confirmations, and billing events through Stripe.
Save encrypted history when the user enables that feature.
Store browser-local or session-local state when the user chooses local history or client-side workflows.
Detect abuse, prevent fraud, enforce security, and maintain service reliability.
Comply with legal obligations and respond to lawful requests.
Improve product quality, troubleshoot issues, and maintain operational integrity, using data reasonably necessary for those purposes.
Glaucon does not sell users’ personal information in the ordinary sense of selling personal data for money to third-party data brokers.
Inference routing and third-party processing
Zero-retention routing through OpenRouter
All live model inference in Glaucon is routed exclusively through OpenRouter. Every chat completion request includes OpenRouter provider flags that require zero-data-retention processing and deny data collection (provider.zdr: true, data_collection: deny). Glaucon does not expose a user-selectable non-zero-retention inference path, and the worker does not call model providers outside this OpenRouter configuration for live chat.
Glaucon’s intent is that prompts and completions are processed without routine retention for training and without Glaucon storing plaintext server-side chat history. Adaptive web search sends query text to the search provider via OpenRouter (ZDR); your account identity is not included in search requests.
Users should still understand that upstream model providers and OpenRouter operate under their own technical systems and terms. Glaucon cannot guarantee that any third-party processor will never retain, log, or use data in ways outside Glaucon’s control, but Glaucon’s product architecture is designed to request ZDR treatment on every inference call.
What Glaucon stores and does not store
Glaucon does store
Depending on configuration and user choices, Glaucon may store:
Account and login data.
Password hashes and salts.
Session records.
Subscription and billing-linked identifiers.
Usage counters, trial state, purchased API budget add-ons, API budgets, and plan state.
Encrypted chat-history ciphertext, IV, and timestamps when encrypted cloud history is enabled.
Security, abuse-prevention, and technical diagnostics data reasonably necessary to operate the service.
Glaucon does not ordinarily store as server-side history
In the ordinary live inference flow, Glaucon is designed not to store plaintext chat transcripts as ordinary server-side chat history. Instead, any persistent history storage is either browser-local or ciphertext-only, depending on the user’s settings.
Important qualification
Privacy and retention claims in this policy refer to ordinary operation as implemented in the product architecture shown in the current codebase. They do not mean that no data ever exists transiently in memory, on the network, in security tooling, in third-party payment systems, or as required by law, nor do they override technical incident response, fraud prevention, or legal process where applicable.
Cookies, local storage, and browser-side data
Glaucon uses cookies and browser-side storage for product functionality. These mechanisms may include:
Authenticated session cookies used to keep users signed in.
Browser-local history storage when that mode is selected.
Local settings, dismissals, UI preferences, and workflow state stored on-device where the app uses browser storage.
Disabling cookies or browser storage may impair some features, especially login, account persistence, chat history behavior, and product settings.
Legal bases and purpose limitation
Where privacy laws require a legal basis, Glaucon generally processes information on one or more of the following grounds, as applicable:
To perform the service requested by the user, including chat, account management, encrypted history sync, and billing support.
To pursue legitimate interests in operating, securing, improving, and defending the service, provided those interests are not overridden by applicable user rights.
To comply with legal obligations, law enforcement requests, tax obligations, fraud prevention duties, or dispute resolution needs.
Based on consent where a feature depends on a user’s optional selection, such as enabling encrypted cloud history.
Glaucon seeks to limit use of collected data to the purposes described in this policy and not to repurpose data in ways materially inconsistent with those purposes without additional notice.
Sharing of information
Glaucon may share information with the following categories of recipients to operate the service:
Infrastructure and hosting providers, including Cloudflare-based systems used to deliver the web application and worker infrastructure.
OpenRouter and upstream model providers used to process prompts and return responses under Glaucon’s zero-retention configuration.
Payment processors, including Stripe, for checkout, subscription, billing, fraud controls, and payment operations.
Security, diagnostics, and abuse-prevention tools reasonably required to protect the service and users.
Professional advisers and acquirers where reasonably necessary for legal, tax, audit, corporate transaction, or restructuring purposes.
Governmental or legal authorities when required by law, court order, subpoena, or good-faith belief that disclosure is necessary to comply with legal obligations or protect rights, safety, and platform integrity.
Glaucon does not describe itself in the current implementation as a data broker, advertising network, or behavioral ad platform, and this policy does not authorize such use.
Data retention
Retention varies by data type and user choice.
Account, subscription, and security data may be retained for as long as reasonably necessary to maintain the account, comply with legal obligations, resolve disputes, enforce agreements, or protect the service.
Encrypted cloud history remains stored until deleted by the user, removed under product rules, or deleted in connection with account deletion or service changes, subject to backups or legally required retention.
Browser-local history remains on the user’s device until the user deletes it, clears storage, changes browser state, or the browser removes it.
Rate-limit and abuse-prevention data may be retained briefly or longer depending on security needs, implementation details, and legal requirements.
No retention period in this policy should be read as a guarantee of immediate deletion from every cache, backup, log, or processor environment.
User controls and choices
Users may have the ability to:
Use Glaucon with a registered account (required for chat).
Create or avoid creating an account.
Choose among available models (all routed through OpenRouter with zero-retention settings).
Enable or avoid encrypted cloud history.
Use browser-local history instead of cloud-synced encrypted history.
Delete encrypted history through the product’s history delete functionality.
Log out and clear sessions.
Manage subscription status through the account and billing flows.
Users are responsible for understanding the privacy implications of their chosen settings, especially when enabling cloud history or local device storage modes.
Access, correction, deletion, and privacy rights
Depending on applicable law, users may have rights to request access to, correction of, deletion of, or restriction of certain personal information. Users may also have rights to object to certain processing, withdraw consent where consent is the basis, or request portability where technically applicable.
Glaucon will evaluate such requests in light of applicable law, technical feasibility, account security, fraud prevention, legal obligations, and the fact that some server-side stored history may exist only as ciphertext. A request may therefore be fulfilled, partially fulfilled, denied, or require additional identity verification.
Glaucon is built for privacy-sensitive work, but users should not assume that any internet-based tool is appropriate for every type of data. Users remain responsible for assessing whether they are permitted to use Glaucon for any specific dataset, contract, or workplace policy.
The existence of encrypted history or ZDR routing does not by itself guarantee compliance with any particular legal, regulatory, ethical, or contractual obligation.
Security measures
Glaucon uses security controls reflected in the current implementation, including AES-GCM request envelopes, CSP nonces, strict session-cookie settings, input validation, rate limiting, hashed IP-based rate-limit keys, and encrypted history storage patterns. These safeguards are intended to reduce risk, but no method of transmission, storage, or processing can be guaranteed perfectly secure.
Users should also protect their own devices, browsers, passwords, and local storage environment, because privacy outcomes depend partly on user-side operational security.
International processing
Glaucon may use service providers and infrastructure that process data in multiple jurisdictions depending on deployment, user location, and vendor configuration. By using the service, users understand that their information may be processed in jurisdictions that may differ from their home jurisdiction, subject to applicable safeguards and legal requirements.
Children
Glaucon is not intended for children under 13, and the service should not be used by minors where prohibited by applicable law or contractual restrictions. If Glaucon learns that personal information has been collected from a child in violation of applicable law, it may take steps to delete that information and restrict the account.
Changes to this policy
Glaucon may update this Privacy Policy from time to time to reflect product changes, legal developments, security practices, or operational needs. When material changes are made, Glaucon may update the effective date and provide additional notice where required by law.
Contact
Questions, privacy requests (access, correction, deletion), or complaints may be sent to:
Glaucon LLC — Privacy, 605 West 9th Street, Suite 1015, Austin, Texas 78701, USA
We will respond to verified privacy requests within the timeframes required by applicable law. California residents may exercise rights under the CCPA/CPRA, and EEA/UK residents under the GDPR/UK GDPR, using the contacts above; we do not sell personal information or share it for cross-context behavioral advertising.
Sign in for encrypted live chat. New accounts get a free trial on economy models, then subscribe to Pro for the full frontier catalog and encrypted cloud sync.
For security, password changes are only done through a one-time link emailed to you. The link expires in 1 hour.
Encrypted cloud uses a separate recovery code from your login password. If you reset your login password via email, sign in and follow the prompt to restore cloud history — or erase the cloud backup from Settings to stop storing unreadable data.
Encrypted cloud sync
Cloud recovery code
Your recovery code unlocks encrypted cloud on new devices. Glaucon cannot recover it for you — store it in a password manager or safe place.
Your recovery code never leaves your devices. Glaucon's servers do not have a copy and cannot show, email, reset, or recover it — that's the privacy guarantee. "Show recovery code" only works on devices that already know the code (the one you set it up on, or one you've unlocked with the code or your biometric). If you suspect the code was exposed, use Reset encrypted cloud in Settings to wipe your cloud history and generate a brand-new code.
Delete account
Permanently deletes your profile, sessions, encrypted cloud history, and cancels any active subscription. This cannot be undone.
Applies to: Glaucon web application, related websites, accounts, subscriptions, and associated services
Agreement to these terms
These Terms of Service govern access to and use of Glaucon, including the web application, website, account features, paid plans, workspaces, file-processing tools, and related services. By accessing or using Glaucon, a user agrees to be bound by these Terms and by the applicable Privacy Policy.
The service is operated by Glaucon LLC, a Texas limited liability company ("Glaucon," "we," "us," or "our"). These Terms are a binding agreement between Glaucon LLC and the user ("you").
If a user does not agree to these Terms, that user must not access or use the service. If a user accesses or uses Glaucon on behalf of an organization, that user represents that the user has authority to bind that organization to these Terms.
The service
Glaucon is the privacy-first, E2EE, TEE, & ZDR AI solution for professionals, with zero-retention inference through OpenRouter on every live request. Chat requires a registered account. New accounts receive a limited trial, then a Pro subscription. Signed-in live chat uses browser-to-enclave encryption through a hardware-backed Trusted Execution Environment (TEE). The service includes AI chat, dynamic reasoning modes, file parsing and document-assisted workflows, optional web research, encrypted history options, and paid plans through Stripe.
Glaucon may add, remove, suspend, or modify features, models, pricing, quotas, limits, and interface elements at any time. Chat and core features require a registered account.
Eligibility
A user must be at least 18 years old, or the age of majority in the user’s jurisdiction if higher, to use Glaucon for paid, professional, or account-based purposes. If a user is under that age, the user may not use the service unless applicable law permits and a parent or guardian has validly agreed, but Glaucon may still restrict or prohibit such use.
A user may not use Glaucon if that user is barred from using the service under applicable law, sanctions restrictions, export control restrictions, or other legal limitations.
Accounts and security
An account is required to use Glaucon chat. Users must create an account with accurate, current, and complete information, including an email address and password. The user is responsible for maintaining the confidentiality of login credentials, securing devices and browsers used to access the service, and promptly reporting suspected unauthorized account use.
Glaucon may suspend, restrict, or terminate an account if Glaucon reasonably believes that the account has been compromised, is being used in violation of these Terms, creates security risk, or is involved in fraud, abuse, or unlawful conduct.
Privacy, routing, and data handling
Glaucon is designed so account identity, billing, and usage controls are separated from live model prompts, and plaintext live chat content is not stored by Glaucon as ordinary server-side history. Signed-in live chat uses v2 E2EE to a hardware TEE gateway; the edge relays ciphertext only.
By using Glaucon, a user acknowledges that:
Every live inference request is sent through OpenRouter with ZDR provider flags enabled inside the TEE gateway, but upstream processors may still handle data according to their own technical systems and applicable terms.
Adaptive web search runs through OpenRouter under the same ZDR configuration; search queries do not include account identity.
Encrypted cloud history stores ciphertext and related metadata, while browser-local history may store data on the user's own device.
Signed-in live chat routes through a confidential TEE gateway so the edge relays ciphertext only; inference still reaches OpenRouter with ZDR flags.
Payment and billing data are processed through Stripe-based flows.
Additional details about data handling appear in the Privacy Policy, which is incorporated into these Terms by reference.
No professional advice
Glaucon provides software tools and AI-generated outputs for information, drafting assistance, organization, and analytical support. Glaucon does not provide legal advice, investment advice, accounting advice, tax advice, medical advice, employment advice, regulatory advice, or any other licensed professional service.
No attorney-client, fiduciary, auditor-client, physician-patient, broker-client, or other special professional relationship is created through use of the service. Any output generated through Glaucon must be independently reviewed by a qualified human professional before being relied upon for important personal, business, or compliance decisions.
AI output limitations
AI systems can be inaccurate, incomplete, misleading, outdated, or inconsistent. A user must not treat Glaucon output as a substitute for independent judgment, source verification, or professional review.
A user is solely responsible for:
Evaluating the accuracy and suitability of outputs.
Verifying facts, calculations, and conclusions.
Deciding whether and how to use outputs in any workflow, communication, or transaction.
Ensuring that final work product complies with applicable law, contract, ethics rules, and professional standards.
User content and responsibility
A user may submit prompts, text, files, workspace fields, chat instructions, and other content to the service. The user retains responsibility for all such content and for the consequences of submitting or using it.
A user represents and warrants that:
The user has all rights, permissions, and authority necessary to submit the content to Glaucon and to authorize any processing requested by the user.
The content and the user’s use of the service do not violate any law, regulation, court order, confidentiality duty, contract, export restriction, sanctions rule, privacy right, intellectual property right, or third-party right.
The user will not submit content that the user is prohibited from sharing with Glaucon or its processors.
If a user chooses to use Glaucon with confidential or contract-restricted material, the user is solely responsible for determining whether that use is permitted and appropriate.
Acceptable use
A user may not use Glaucon to:
Violate any law or regulation.
Infringe intellectual property, privacy, confidentiality, publicity, or other rights.
Commit fraud, deception, impersonation, identity theft, or social engineering.
Generate, facilitate, or distribute malware, phishing content, credential theft tools, spyware, destructive code, or other harmful code.
Probe, scan, exploit, scrape, or overload the service in a way that disrupts service integrity or harms others.
Use the service to make solely automated decisions about employment, credit, insurance, housing, education, medical treatment, or law enforcement without appropriate lawful safeguards and human review.
Upload or process material in violation of obligations owed to clients, employers, counterparties, courts, regulators, or other protected parties.
Misrepresent AI-generated output as verified fact where doing so could mislead others in a material way.
Glaucon may investigate suspected misuse and may suspend or terminate access, preserve relevant records, or cooperate with law enforcement where reasonably appropriate.
User responsibility
Glaucon is general-purpose AI productivity software. It is not certified for any specific regulated industry or professional licensing regime. Users are solely responsible for ensuring their use complies with applicable laws, contracts, and workplace policies.
The presence of ZDR routing or encrypted history does not by itself create compliance with any statute, regulation, or contractual security schedule.
Subscriptions, pricing, and billing
Glaucon offers a free trial, Glaucon Pro ($20/mo), and Enterprise plans by agreement. Plan features and model access are described on the plans page and at checkout. All live inference uses the same zero-retention OpenRouter routing path.
New accounts receive a limited trial (currently 15 messages on economy models) before requiring a Pro subscription. Pro subscriptions include a monthly premium API budget and may continue in economy mode after that budget is used, subject to economy caps and billing-cycle resets.
If a user purchases a paid subscription:
The user authorizes Glaucon and its payment processor to charge the applicable subscription fees, taxes, and any other disclosed amounts.
Subscriptions may renew automatically unless cancelled before the next billing cycle according to the applicable checkout or account flow.
Plan features, prices, and included model access may change prospectively.
Failure of payment, chargeback activity, fraud concerns, or account abuse may result in downgrade, suspension, cancellation, or access restriction.
Unless otherwise required by law or separately agreed in writing, subscription fees are non-refundable after the applicable service period begins. A user is responsible for reviewing the current plan terms on the plans page and at checkout.
Quotas, limits, and availability
Glaucon may enforce trial limits, API budgets, rate limits, file limits, feature limits, model limits, or environment-specific restrictions. The current implementation includes account-based trial tracking, subscription API budgets with optional economy overflow for Pro, per-minute rate limiting, file-count and file-size limits, and plan-gated model access.
Glaucon does not guarantee uninterrupted availability, specific response times, or error-free operation. Maintenance, outages, third-party dependency failures, model changes, abuse controls, infrastructure incidents, and legal or security events may affect service availability or performance.
Intellectual property
Glaucon and its related software, interface, branding, logos, design elements, compilations, and service materials are protected by intellectual property and other applicable laws. Subject to these Terms, Glaucon grants the user a limited, non-exclusive, non-transferable, revocable right to access and use the service for its intended purposes.
A user may not copy, modify, distribute, sell, lease, sublicense, reverse engineer, decompile, create derivative works from, or exploit the service except as permitted by law or by Glaucon in writing.
As between Glaucon and the user, the user retains rights in user-submitted content, subject to the rights necessary for Glaucon and its processors to operate the service, provide outputs, enforce the Terms, maintain security, and comply with law.
Feedback
If a user provides feedback, suggestions, bug reports, ideas, or improvement proposals regarding Glaucon, Glaucon may use them without restriction or compensation, except to the extent prohibited by law. This does not transfer ownership of the user’s underlying confidential content, but it does permit use of the feedback itself to improve the service.
Suspension and termination
Glaucon may suspend, restrict, or terminate access to all or part of the service at any time, with or without notice, if Glaucon reasonably believes that:
The user has violated these Terms.
The user has created legal, financial, operational, or security risk.
Continued service would harm Glaucon, its users, its processors, or third parties.
The account is inactive, unpaid, fraudulent, or subject to a legal restriction.
A user may stop using the service at any time and may cancel a subscription through the available account or billing workflow, subject to the billing rules in these Terms and at checkout.
Disclaimers
The service is provided on an "as is" and "as available" basis to the fullest extent permitted by law. Glaucon disclaims all warranties, whether express, implied, statutory, or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title, non-infringement, quiet enjoyment, accuracy, security, availability, and results from use of the service.
Without limiting the foregoing, Glaucon does not warrant that:
The service will be uninterrupted, secure, or error-free.
Outputs will be accurate, complete, lawful, or fit for any particular use.
Any privacy, anonymity, encryption, ZDR, or security feature will prevent all disclosure, access, incident, or regulatory risk.
The service is suitable for any particular regulated, privileged, or mission-critical workflow.
Limitation of liability
To the fullest extent permitted by law, Glaucon and its affiliates, officers, employees, contractors, licensors, and processors will not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for any loss of profits, revenues, business, goodwill, data, contracts, opportunities, or savings, arising out of or related to these Terms or the use of or inability to use the service, even if advised of the possibility of such damages.
To the fullest extent permitted by law, the aggregate liability of Glaucon arising out of or relating to these Terms or the service will not exceed the greater of:
The amount paid by the user to Glaucon for the service during the 12 months before the event giving rise to the claim, or
100 U.S. dollars.
Some jurisdictions do not allow certain limitations, so some of the above may not apply to particular users to the extent prohibited by law.
Indemnification
A user agrees to defend, indemnify, and hold harmless Glaucon and its affiliates, officers, employees, contractors, licensors, and processors from and against claims, liabilities, damages, judgments, losses, costs, and expenses, including reasonable attorneys’ fees, arising out of or related to:
The user’s content.
The user’s use or misuse of the service.
The user’s violation of these Terms.
The user’s violation of law or third-party rights.
The user’s processing of confidential, regulated, or restricted material without sufficient authority.
Governing law
These Terms and any dispute arising out of or relating to them or the service are governed by the laws of the State of Texas, without regard to its conflict-of-laws principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
Dispute resolution and arbitration
Please read this section carefully — it affects your legal rights.
Before filing any claim, you agree to first contact Glaucon at legal@glaucon.ai and attempt to resolve the dispute informally for at least 30 days.
Except for the matters excluded below, any dispute, claim, or controversy arising out of or relating to these Terms or the service that cannot be resolved informally will be resolved by binding individual arbitration administered by the American Arbitration Association (AAA) under its Consumer Arbitration Rules. The arbitration will be conducted in English, by a single arbitrator, in Travis County, Texas, or remotely by videoconference at either party's election. Judgment on the award may be entered in any court of competent jurisdiction.
Excluded from arbitration: (a) individual claims qualifying for small-claims court; (b) claims for injunctive or equitable relief regarding intellectual property, unauthorized access, or misuse of the service, which may be brought in court.
Class action waiver. All disputes must be brought in the parties' individual capacity, and not as a plaintiff or class member in any purported class, collective, consolidated, or representative proceeding. The arbitrator may not consolidate claims or preside over any form of representative proceeding. If this waiver is found unenforceable as to a particular claim, that claim (and only that claim) must proceed in court, and the waiver remains enforceable for all other claims.
30-day opt-out. You may opt out of this arbitration agreement by emailing legal@glaucon.ai with the subject "Arbitration Opt-Out" from the email associated with your account within 30 days of first accepting these Terms. Opting out does not affect any other provision of these Terms.
Venue
For any dispute not subject to arbitration, you and Glaucon consent to the exclusive jurisdiction and venue of the state and federal courts located in Travis County, Texas, and waive any objection to such venue.
Notices
Legal notices to Glaucon must be sent in writing to: Glaucon LLC, 605 West 9th Street, Suite 1015, Austin, Texas 78701, USA, with a copy to legal@glaucon.ai. Glaucon may provide notices to you via the email address on your account or through the service; notices are deemed given when sent.
Miscellaneous
These Terms, together with the Privacy Policy, constitute the entire agreement between you and Glaucon regarding the service. If any provision is held unenforceable, it will be modified to the minimum extent necessary and the remainder will remain in effect. Glaucon's failure to enforce a provision is not a waiver. You may not assign these Terms without Glaucon's prior written consent; Glaucon may assign them in connection with a merger, acquisition, or sale of assets. Nothing in these Terms creates any agency, partnership, or joint venture. Sections that by their nature should survive termination (including ownership, disclaimers, limitation of liability, indemnification, and dispute resolution) survive.
Changes to these terms
Glaucon may modify these Terms from time to time. When material changes are made, Glaucon may update the effective date and provide additional notice where required by law.
Continued use of the service after updated Terms become effective constitutes acceptance of the updated Terms, except where applicable law requires a different form of consent.
Contact
Glaucon LLC, 605 West 9th Street, Suite 1015, Austin, Texas 78701, USA
All encrypted files · categorized by project when assigned
Executive index of every encrypted file · project vaults are filtered views
Sign in required. The Executive Vault stores encrypted blobs bound to your history key.
Glaucon Lite or Pro required. Upgrade for encrypted file storage alongside cloud sync.
Executive Vault locked. Unlock encrypted cloud on this device to derive your file-encryption key.
AES-256-GCM end-to-end · large datasets streamed in 4 MB chunks · zero-knowledge cloud
No files yet — upload here, attach in chat, or add files inside a project vault.
Glaucon Pro unlocks encrypted cloud sync across devices — ciphertext only, keys in your browser.
Encrypted cloud sync requires Glaucon Lite or Pro.
Encrypted cloud is locked on this device.
Encrypted history
Unlock your history
Use Face ID / Touch ID to unlock your encrypted history on this device.
Enter your cloud recovery code from Account on a device where encrypted sync already works.
Confirm with email
Confirm this action
We sent a 6-digit code to your account email. It expires in 5 minutes.
If you did not request this, ignore the email and consider changing your sign-in method.
Encrypted cloud
Set up your encryption key
Create a private encryption key so your chat history can sync across devices. Only you hold the key — Glaucon cannot read or recover it.
You must save your recovery code — Glaucon cannot see, reset, or recover it.
Store it in a password manager or another safe place you will not lose.
If you lose your recovery code and cannot use Face ID / Touch ID, your encrypted history is gone forever.
No Face ID / Touch ID on this device. Your recovery code is the only backup. Without it, encrypted history cannot be unlocked on a new browser or device.
Enter your account password to create your encrypted key on this device.
Choose how to protect your encrypted cloud:
With any option you will receive a recovery code to save. You need it on new devices even if you use Face ID / Touch ID on this one.
Continue to create your encryption key and register Face ID / Touch ID on this device.
Save this recovery code as an emergency backup. Day-to-day unlock uses Face ID / Touch ID on this device.
Pure end-to-end encryption — by design. If you lose this code AND all your registered devices, your encrypted cloud history is gone forever. Glaucon's servers genuinely cannot recover it. We will never offer to email it to you, reset it for you, or restore it through support. That is the privacy guarantee.
That doesn't match. Re-check your recovery code.
Delete account
Delete your account?
This permanently removes your profile, sessions, and encrypted cloud history. Active subscriptions are canceled. Enter your password to confirm.
Erase forever
Are you sure you want to erase?
This chat or history will be erased forever. It cannot be recovered from Glaucon.
Keyboard shortcuts
Move faster in Glaucon
⌘/Ctrl + K: Search your chats
⌘/Ctrl + J: Start a new chat
⌘/Ctrl + Shift + W: Start a new project
⌘/Ctrl + E: Export current chat as Markdown
⌘/Ctrl + Enter: Send the current message
Enter: Send (or new line if disabled in Settings)
Shift + Enter: New line
Esc: Close menus & modals · cancel edit
Double-click a thread: Rename it
⌘/Ctrl + /: Toggle this overlay
How Cyfr works
Cyfr is optional — Glaucon is already the strongest commercial privacy stack without it. Cyfr is for the few names you never want any server to see, including ours and the AI provider's.
1 · Add a name once
A person, a company, a project — anything. Glaucon also covers the obvious variants ("Acme Corporation" protects "Acme Corp" and "Acme's" too).
2 · Swapped before anything leaves
In every message, file, and filename, the real name is replaced with a codename like ENTITY_1 — on your device, before encryption, before sending.
3 · The AI answers in code
The model reasons about ENTITY_1 perfectly well — it just never learns who ENTITY_1 is. The mapping never leaves your browser.
4 · Restored on your screen
The reply is decoded locally, so you read "Acme" — only the servers saw the codename.
Zero-effort auto-mask
Even without adding anything, emails, SSNs, card numbers, and API keys are masked automatically — only patterns that can't be mistaken for normal words. Everything is toggleable in the Cyfr panel.
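The four steps and the auto-mask rule above, as an added JavaScript example of client-side pseudonymisation; it is not Glaucon's Cyfr code. Only the `ENTITY_n` codename comes from the page: the other token names, the corporate-suffix list, the `sk-` key pattern and the Luhn filter for card numbers are assumptions, and the sample strings in the test are constructed.

```javascript
// Added illustration of mask-before-send / restore-on-screen; NOT Glaucon's code.
// Assumed corporate suffixes treated as variants of a registered name.
const SUFFIXES = "Corporation|Corp|Incorporated|Inc|LLC|Ltd";
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Luhn checksum: stops arbitrary long digit runs (order ids) being masked as cards.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Patterns that are unlikely to collide with ordinary words.
const AUTO_PATTERNS = [
  { kind: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { kind: "SSN", re: /(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)/g },
  { kind: "CARD", re: /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g,
    accept: (m) => luhnValid(m.replace(/\D/g, "")) },
  { kind: "KEY", re: /(?<![A-Za-z0-9])sk-[A-Za-z0-9]{20,}/g }, // assumed key format
];

function createMasker(protectedNames) {
  const toToken = new Map(); // kind + lowercased value -> token
  const toValue = new Map(); // token -> real value; this map stays on the device
  const counters = {};

  function tokenFor(kind, value) {
    const key = kind + "\u0000" + value.toLowerCase();
    if (!toToken.has(key)) {
      counters[kind] = (counters[kind] || 0) + 1;
      const token = `${kind}_${counters[kind]}`;
      toToken.set(key, token);
      toValue.set(token, value);
    }
    return toToken.get(key);
  }

  // Step 1: one rule per registered name. The stem plus an optional suffix
  // covers "Acme Corp"; a possessive "'s" is left outside the match.
  const nameRules = protectedNames.map((name) => {
    const stem = name.replace(new RegExp(`\\s+(?:${SUFFIXES})$`, "i"), "");
    const re = new RegExp(
      `(?<![A-Za-z0-9])${escapeRe(stem)}(?:\\s+(?:${SUFFIXES}))?(?![A-Za-z0-9])`,
      "gi");
    return { name, re };
  });

  // Step 2: run before encryption. Patterns go first so that a protected
  // name inside an e-mail address is hidden together with the address.
  function mask(text) {
    let out = text;
    for (const { kind, re, accept } of AUTO_PATTERNS) {
      out = out.replace(re, (m) => (!accept || accept(m) ? tokenFor(kind, m) : m));
    }
    for (const { name, re } of nameRules) {
      out = out.replace(re, () => tokenFor("ENTITY", name));
    }
    return out;
  }

  // Step 4: decode the reply locally; unknown tokens are left untouched.
  // Every variant restores to the name as it was registered.
  function unmask(text) {
    return text.replace(/\b(?:ENTITY|EMAIL|SSN|CARD|KEY)_\d+\b/g,
      (tok) => (toValue.has(tok) ? toValue.get(tok) : tok));
  }

  return { mask, unmask };
}
```

Masking only removes the listed identifiers: surrounding context such as deal sizes, dates or job titles still reaches the model and can re-identify an entity, so the protected-name list should be reviewed per matter.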
Choose a plan
Lite unlocks encrypted cloud on low-cost models. Pro adds the frontier catalog, web search, and 2× usage.