Privacy isn’t a promise. It’s a structure.

Readablog’s privacy posture isn’t a paragraph in a policy document. It’s a set of design decisions enforced in code.

Your model lives on your device

Your reading profile is stored locally on your phone. The server only sees what you choose to send with each request, and only what’s needed to rank content.

Location precision is a dial, not a checkbox

Five settings: none, country, region, city, or precise. You choose. You can change it any time.

Per-service flags

Built into the spec: different services can be granted different permissions over the same model. You’re not handing your whole profile to every app that asks.

Integrity is enforced, not documented

Every WOTF model carries a checksum. The server re-computes it on every request and rejects models that don’t match. Tampered or corrupted profiles don’t get processed.

No PII in your interest topics

The system that turns your written interests into topic strands has an explicit rule built into its instructions: never include personally identifiable information in the output. It’s a guardrail wired into the AI pipeline itself, not a policy.

Tokens live in the OS-protected store

Your authentication tokens are stored in the iOS Keychain or the Android Keystore. Never in plaintext, never in a file an app could read by mistake.

PKCE-only OAuth

No bundled client secret. No shared key to leak. The modern, secure flow for public mobile clients.

More structural details and the full posture coming soon.