Skip to content

Third-party data

Ostler reads parts of your life that contain information about other people – emails they sent you, messages they wrote, faces in your photos, contact details, calendar attendees. This is normal. It is your inbox, your contacts, your life as it actually exists. This page explains what Ostler does with that data, why we ask you to acknowledge it explicitly at install time, and what to do when someone asks to be removed.

What this page is for

The install screen asks you to acknowledge that some of your data is about other people. This page is the long-form version of that screen: what we mean by "third-party data", what stays on your Mac, and what your obligations look like in practice.

Why this acknowledgement exists

Most digital tools that read your inbox or your messages avoid the topic entirely. Some of them are sending the data to a server you do not control; some of them simply do not document the question.

Ostler is a personal-records keeper – the same shape, in software, as a private address book, a personal diary, or a journal. Every record of another person you have on your Mac is data you collected as part of your own life. Your inbox holds emails you received. Your contacts list holds people you know. Your photos library holds moments you lived through.

Under UK and EU privacy law, processing personal data about other people is regulated, even on your own device. The regime that applies to "people keeping personal records about their own life" (Article 2(2)(c) of the UK GDPR / GDPR – the "household exemption") is intentionally lighter than the regime that applies to a business processing customer data, but it still expects you, the user, to have made an informed choice. Ostler's install-time acknowledgement is that informed choice, captured cleanly so it cannot be relied on by accident.

What "third-party data" means in Ostler

The categories Ostler may read, where they touch other people:

Category Where Ostler reads it What it contains about others
Email Apple Mail's local store Senders, recipients, body text, signature blocks, attachment metadata
Messages iMessage and WhatsApp local stores Sender names / numbers, message bodies, group membership
Contacts iCloud Contacts Names, companies, positions, phone numbers, emails, notes
Calendar Calendar.app local store Attendees, organisers, location, meeting bodies
Photos Photos library metadata Faces, locations, dates of photos that include people
Voice transcripts Conversation captures you record What other people said in those conversations

Every one of those categories may include information about people who never themselves agreed to be in your records. That is the normal shape of personal life: your address book has been holding other people's phone numbers for decades; your inbox has been holding other people's words since email existed. Ostler's job is to organise what you already have, not to reach further than that.

What stays on your Mac

Everything Ostler reads from these sources stays on your Mac, in encrypted local databases under a passphrase only you hold. Creative Machines never receives any of it. There is no cloud account holding it.

For the architectural detail, see What stays local. For the narrow exceptions – software updates, optional cloud routing for non-personal questions, public metadata enrichment – see What leaves the device.

What you should know up front

The install screen captures three points of acknowledgement:

  1. You are keeping these records for yourself. Ostler is the tool that helps you organise and search what you already have. It does not collect new records of third parties on your behalf. Every email it processes is one that already arrived in your inbox; every contact is one already in your address book.

  2. Anyone you have records of can ask to be removed. This is the right of erasure. If someone you have records of asks not to appear in your Ostler instance, you can delete that person from Ostler entirely. The deletion removes their data from your wiki, your knowledge graph, your search index, and your assistant's memory. The original underlying records (the email in Apple Mail, the message in WhatsApp) are not touched – Ostler does not write into those sources – but Ostler stops processing them.

  3. Nothing leaves your Mac. With the narrow exceptions documented in What leaves the device, no data about anyone in your records is transmitted off-device.

Deleting a person

If someone asks you to remove them from your Ostler instance, the flow is:

Companion app > Settings > People > search the person > tap > Delete this person

That deletion is destructive and atomic across the stores Ostler maintains:

  • Removes the person's wiki page.
  • Removes references to them from your knowledge graph (RDF triples on both sides of the relationship).
  • Drops vectors keyed to them from the local search index.
  • Replaces references to them in past conversation transcripts with [redacted person]. The conversations themselves are preserved – they are your recollection of those conversations – but the deleted person's identifier is removed.
  • Records the deletion in an append-only audit log at ~/.ostler/posture/erasures.json, encrypted with the same key as the rest of your posture data.

Once deleted, repeated attempts return the same "already deleted" result – the deletion is idempotent, so a follow-up request from the same person produces no change.

v0.1.0 vs v0.1.1

The install-time acknowledgement screen ships in v0.1.0. The "Delete a person" UI lands in v0.1.1, alongside the matching Hub endpoint. If someone emails you asking to be removed before that release lands, deleting their data is still possible by hand: open the wiki, knowledge graph, and conversation memory and remove the relevant records. The v0.1.1 UI exists to make that flow one-click instead of manual.

What Ostler will not do

Even with broad data access, Ostler does not:

  • Sell, share, or transmit any of your records to advertisers or partners.
  • Train models on your data. The model that runs locally is the model that ships with the install; the data you process never feeds back into a training set.
  • Build a graph that crosses households. Your Ostler instance only sees data on your Mac. There is no aggregation of multiple users' data, anywhere.
  • Identify strangers from voice or face data. Speaker identification matches a voice against people you have already labelled; it does not search a global database.
  • Surface data that you have deleted. Deletions go through the audit-logged erasure flow; there is no soft-delete or hidden retention.

Withdrawing the acknowledgement

The install-time acknowledgement is recorded under the tickbox id third_party_data_personal_records in ~/.ostler/posture/consent.json. If you decide later that you do not want Ostler to process records of third parties, the right move is to uninstall – the acknowledgement is what makes the rest of the install meaningful, so withdrawing it means the install no longer has a basis to exist.

Run ostler-uninstall and confirm the prompt; the uninstaller removes the encrypted databases, the local Hub, and any cached data. See What stays local for what remains and what does not after uninstall.

Where the wording lives

The exact text shown at install is the canonical source of truth and is reproduced byte-for-byte from legal/consent_strings.py (the THIRD_PARTY_DATA_NOTICE constant) in the Ostler Hub repo. A cross-repo wording-drift CI guard rejects any change that is not also synchronised across the install script and the Rust assistant binary, so the wording on your install screen always matches what this page describes.

If you find any discrepancy between this page and the install screen, please contact us – it is treated as a wording-drift bug, not a content question.