Privacy

A tool that watches your screen has to earn your trust.

Recall watches the shape of your work on screen, never your microphone or camera. Local-first, encrypted at rest, no third parties, no training on your work. Pause and forget at any time.

On your device
Capture · Group · Notice
local processing, encrypted at rest
Cloud sync
None
no server copy of your history
Priya Sharma
Solo founder · privacy-first SaaS
TrustEvaluating new tools
15:55
Second opinion

Check it yourself, like Priya does.

Priya is evaluating Recall before installing it on her work laptop. The product looks useful, but one question comes first: what does it see, what stays local, and what can she delete?

If a tool watches my screen, I want a straight answer before I let it in.

Tell me what Recall sees. Then let a second opinion stress-test the claim.

That is why we make the privacy model readable. You can ask any AI assistant to review the claims, find gaps, and tell you what still needs proof.

Priya · Solo founder
Quick check before I install. What does Recall actually see while I work?
Recall
Honest answer: app names, document titles, time on task, and switching patterns. Capture runs on your device, and what it captures stays there. There is no cloud sync, so your history never leaves your machine.
Priya
That is the answer I needed. Now I want to stress-test the privacy claims.
the trust question, asked before install

Want a second opinion?

Use the prompt below to have ChatGPT, Claude, or Perplexity review Recall’s published privacy claims.

This reviews our published privacy architecture, not proprietary implementation code.

Six promises

The defaults are the policy.

Local-first, encrypted at rest

Capture and grouping run on your machine. The local store stays on your device, with no cloud sync behind it. What leaves the device is opt-in, scoped, and visible to you.

Screen only, never your mic

Recall reads what you can see on screen across tabs and apps. It never opens the microphone, the camera, or the system audio. No voice, no calls, no video.

No third party gets your work

No third party receives your work content. Zero analytics SDKs, zero tracking pixels, zero ad networks. We do not sell, share, or syndicate your context.

No training on your work

Your sessions are not used to train any model, ours or anyone else's. The patterns Recall learns about your day stay scoped to you.

Pause and forget in one tap

One toggle pauses capture. Uninstall Recall and everything it stored locally is deleted with it. Forgetting never needs our permission.

No manager dashboard

Recall is for the person doing the work. There is no team-wide view of who opened what or for how long. Surveillance is not a feature.

What Recall captures

The shape of the work, not the words.

  • Active app and document title, when it helps the thread
  • Tab URL stems and titles you stay on, not every flicker
  • Time-on-task patterns across tools
  • Context cards you confirm or correct
What Recall does not capture

The lines we will not cross.

  • Microphone audio, calls, or voice of any kind
  • Camera, webcam, or video feeds
  • Keystrokes, passwords, or clipboard contents
  • Content of password, payment, or 2FA fields
  • Private message bodies, DMs, or email content
  • Banking, medical, or other surfaces flagged sensitive
  • Anything while Recall is paused
Compliance and guarantees

The same answer in every jurisdiction.

If your team or your legal review needs the boring details, here they are. No asterisks, no enterprise-only carve-outs. The defaults are the policy.

EU / UK

GDPR ready

You have the right to access, export, or delete every byte Recall holds about you, on demand and without friction. Data minimization is the default, not a setting.

United States

CCPA aligned

California residents can request a full export or full deletion at any time. We do not sell personal information, full stop, in any state.

On disk

Local store, no server copy

The Recall store lives on your device and nowhere else. There is no cloud sync and no server copy to breach, subpoena, or leak.

Vendors

No work-content sub-processors

No third party receives your work content. Providers used for basics like app distribution, payments, email, hosting, or licensing do not receive the context of your work. AI features run against your own provider key, or against a local model.

Architecture at a glance

The whole privacy spec, on one screen.

Six layers, each with a one-line scope. If you are reviewing Recall for your team, paste this into your AI of choice and ask it the hard questions. The answers should not require us in the room.

Capture layer
App title, tab title, URL stem, switching and time-on-task patterns.
Sensitive exclusions
Passwords, payment fields, 2FA, banking and medical surfaces.
Local store
Local database on your machine. No cloud sync, no server copy, nothing to breach on our side.
Cloud boundary
Account and license state only. Redacted telemetry if you choose to send a bug report. No work content leaves the device.
Controls
Pause in one tap. Uninstall deletes everything Recall stored locally.
Model policy
No training on your work content. No third-party processors touch your work content, ever.
The Settings screen

You can see exactly what it sees.

Two permissions, both visible and revocable. Recall runs locally by default, and nothing about that is buried three menus deep.

Recall Settings showing local-by-default permissions, Accessibility and Screen Recording, both granted.
Where the work lives

Local first is not a marketing line.

Capture, grouping, and the patterns Recall learns about your day all run on your device. The boundary below is the one we will not cross without you.

Your device

Stays here, by default

  • Active app, document title, window state
  • Time-on-task patterns and switching shape
  • Session groupings and the labels you confirm
  • Encrypted local store, on this machine and nowhere else
Cloud, if you choose

Almost nothing.

  • Your account profile and license state
  • Redacted telemetry, only when you send a bug report

There is no work content to clone, leak, or delete from our side. Your history lives on your machine and leaves with the app if you uninstall it.

Technical boundary

What Recall can know, and what it should never keep.

Metadata can still be sensitive. That is why Recall keeps the useful signal narrow, local by default, and visible to you.

What Recall reads

App names, window or document titles, URL domains and stems, time-on-task, switching patterns, and context labels you confirm or correct.

What Recall does not keep

No microphone audio, camera, system audio, keystrokes, clipboard contents, passwords, payment fields, 2FA fields, or raw screen recordings.

What leaves the device

Nothing. Recall has no cloud sync and no online storage. The one exception is telemetry you choose to attach to a bug report, and sensitive data is redacted from it before it is sent.

What you control

Pause capture at any time, correct the context labels Recall builds, and uninstall to delete everything it stored. Your history never outlives the app.

Work contentThe actual contents of your work: message bodies, email bodies, documents, calls, voice, video, passwords, payment details, or raw screen content.

Session metadataThe minimal structure Recall uses to help you return: app and window context, rough timing, switching patterns, and labels you approve.

Common questions

What people ask before they install.

Where does my data live?

On your machine. Everything Recall captures is stored locally on your device. There is no cloud sync and no online storage, so your work history never leaves your machine. Uninstall Recall and the data goes with it.

Does Recall record audio, calls, or video?

Never. Recall only reads what is already visible on your screen across tabs and apps. The microphone, the camera, and system audio are never touched. Voice and video are out of scope by design.

Does Recall store screenshots?

No raw screen recordings are stored. Recall is designed to keep the work signal narrow: app and window context, timing, switching patterns, and labels you confirm. Any temporary processing is discarded and is not kept as history.

Do you collect logs or crash reports?

We do not use analytics SDKs or tracking pixels. The only telemetry we receive is what you choose to send with a bug report, and sensitive data is redacted from it before it leaves your machine.

Are you GDPR and CCPA compliant?

Yes to both. Because your work history lives only on your device, the personal data we hold comes down to your account and billing record. You can request access, export, or deletion of it at any time, and we do not sell personal information in any jurisdiction.

Do you share data with third parties or sub-processors?

No third party receives your work content. Providers used for basics like app distribution, payments, email, hosting, or licensing do not receive the context of your work. AI features that require a model run against your own provider key or against a local model.

Can my employer see this?

No. There is no team-wide dashboard, no manager view, no leaderboard. Recall is built for the person doing the work, not for someone watching them.

What if I open something sensitive?

Everything Recall captures stays on your machine, so a sensitive title never leaves your device. Redaction happens in one place: when you send a bug report, sensitive data is stripped from the telemetry before it reaches us. Private and incognito windows are currently captured like regular ones, so tap pause when you want no history at all.

Can I delete what Recall remembers?

Yes. Pause Recall at any time, and uninstall it to delete everything it stored. Your history exists in exactly one place, your machine, so removing the app removes the data with it.

Do you use my data to train models?

No. We do not use your work to train anything, ours or anyone else's. The patterns Recall learns about your day stay scoped to your device.