Privacy

Your code stays yours. Always.

Mooter is a hook in your terminal, not a proxy through someone else's servers.

T0 runs on Ollama, locally

When mooter executes on your local Ollama, your prompt and code never touch a network. One caveat: with an API key set, some T0-classified tasks run on cloud Haiku for quality — see “Routing vs execution” below.

Prompts hashed

We log a SHA-256 hash of each prompt — never the text itself.

Opt-in telemetry

Defaults OFF. When you turn it on, only aggregated stats leave.

Opt out anytime

Turn telemetry fully off with `mooter quiet --telemetry-off`. No prompt text is ever transmitted — only hashes and counts.

The herd stays on your machine

The 🐄×N counter and the “Moos that worked” digest are in-process runtime state only — counts and latencies, never prompt text, and none of it is sent anywhere. Tune it with `mooter quiet --verbose|--herd-quiet|--herd-off`; even `verbose` logs file paths, never their contents.

Open source · audit it

Every line of mooter is on GitHub under MIT. Read the code yourself.

Compliance & data laws
✓ GDPR-aligned (EU)
  • Data minimization · purpose limitation
  • Right to access · right to erasure
✓ LGPD-aligned (Brazil)
  • Express and granular consent
  • Right of access, correction, deletion
✓ CCPA-aligned (California)
  • No sale of personal information
  • Right to know what is collected
✓ Privacy-first by design
  • Telemetry default OFF
  • k-anonymity threshold ≥50
  • Differential privacy noise (ε=1.0)
✓ Open source
  • MIT License
  • Reproducible builds
  • Independent audit welcome
Read the privacy policy →
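
What "k-anonymity threshold ≥50" and "differential privacy noise (ε=1.0)" can mean for aggregated stats, as an added example that is not mooter's code: per-tier user counts below 50 are suppressed and Laplace noise of scale 1/ε is added to the rest. The function names, the event shape and the per-install `user` id are assumptions made for illustration.

```javascript
// Added illustration, not mooter's implementation. All names are hypothetical.
const K_THRESHOLD = 50; // page: "k-anonymity threshold ≥50"
const EPSILON = 1.0;    // page: "Differential privacy noise (ε=1.0)"

// Inverse-CDF sample from Laplace(0, scale) given a uniform draw u.
function laplace(scale, u) {
  // Clamp away from 0 and 1 so the logarithm stays finite.
  const clamped = Math.min(Math.max(u, Number.EPSILON), 1 - Number.EPSILON);
  const c = clamped - 0.5;
  return -scale * Math.sign(c) * Math.log(1 - 2 * Math.abs(c));
}

// events: [{ user, tier }] where user is an assumed opaque per-install id and
// tier is T0..T3. No prompt text is present in the input at all.
function buildReport(events, rand = Math.random) {
  const usersByTier = new Map();
  for (const { user, tier } of events) {
    if (!usersByTier.has(tier)) usersByTier.set(tier, new Set());
    usersByTier.get(tier).add(user); // one user counts once per tier
  }
  const report = {};
  for (const [tier, users] of usersByTier) {
    // k-anonymity style suppression: drop cohorts with fewer than k users.
    if (users.size < K_THRESHOLD) continue;
    // One user moves a count by at most 1, so the noise scale is 1 / epsilon.
    // A user seen in several tiers touches several counts, so the total
    // privacy cost is epsilon times the number of tiers reported.
    const noisy = users.size + laplace(1 / EPSILON, rand());
    report[tier] = Math.max(0, Math.round(noisy));
  }
  return report;
}

// Constructed sample: 60 users ran T0 tasks (u0 twice), 3 users ran T2 tasks.
function sampleEvents() {
  const events = [];
  for (let i = 0; i < 60; i++) events.push({ user: `u${i}`, tier: 'T0' });
  events.push({ user: 'u0', tier: 'T0' });
  for (let i = 0; i < 3; i++) events.push({ user: `u${i}`, tier: 'T2' });
  return events;
}

console.log(buildReport(sampleEvents())); // T0 near 60; T2 is absent
```

The suppression decision here is made on the true count, so only the released numbers, not the presence or absence of a tier, carry the ε guarantee.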

Why a hook beats a cloud router on privacy

mooter (hook, local-first)
  • T0 runs on your machine — prompt never leaves
  • T1–T3 go direct to your own provider key
  • mooter never sees or stores your prompt text
Cloud routers / proxies (e.g. LiteLLM-as-a-service, OpenRouter)
  • Every prompt transits a third-party server
  • That hop can log, cache or train on your text
  • You trust an extra party with your code

Routing vs execution — the honest distinction

mooter has two separate steps, and they have different privacy properties:

  • Routing (classification) runs 100% locally. It's pure regex in classify.js — no AI, no network. Nothing is sent anywhere to decide which model handles your prompt.
  • Execution (the model call) then runs either locally (Ollama) or in the cloud (Anthropic), using your own API key — the prompt goes direct to your provider, never through a mooter server.
  • One honest caveat: when you have an Anthropic API key configured, some tasks that classify as T0 (e.g. summarisation) still execute on cloud Haiku for quality, rather than local Ollama. This is a deliberate quality trade-off — and your CLI's divergence chip surfaces it in real time so you always know when local intent ran in the cloud.

Bottom line: mooter never proxies or stores your prompt text. But “routed to T0” does not always mean “stayed on your machine” — the divergence chip is how we keep that transparent.