Privacy by Design

Spatial Agents is architected so that intelligence generation happens entirely on your device. This isn't a policy choice — it's a structural guarantee built into the system design.

Your queries, your analysis, and your intelligence products never leave your device. There is no server to send them to.

How It Works

The data pipeline has two distinct phases with very different privacy properties:

Phase 1 — Public Data Ingestion

AIS vessel positions, ADS-B aircraft states, and satellite orbital elements are public data feeds. This data is broadcast openly and can be received by anyone with a radio or internet connection. Ingesting it creates no privacy concern.

Phase 2 — Intelligence Generation

Situation reports, anomaly detection, and causal reasoning are generated by Apple's on-device Foundation Models. The model runs locally on your iPhone, Mac, or Vision Pro. Prompts are never sent to a server. Results are never uploaded.

No Accounts

Spatial Agents does not require user accounts, login, or authentication. There is no user database. There are no analytics. There is no telemetry. The app does not know who you are.

No Cloud Processing

The optional Mac server tier runs on your own hardware (your Mac on your network). It serves data to your own devices. Even in this configuration, intelligence generation happens on-device — the server provides raw data, not analysis.

Open Source

The entire server-side codebase is open source under the MIT license. You can audit every line of code that runs on your hardware. There are no obfuscated binaries, no proprietary backends, and no third-party services beyond the public data feeds themselves.

What Data Leaves Your Device

Outbound Connections

AIS feed: WebSocket connection to aisstream.io — sends your API key and bounding box subscription. Receives vessel positions.

ADS-B feed: HTTPS requests to OpenSky Network — sends bounding box coordinates. Receives aircraft states.

Severe weather: HTTPS requests to api.weather.gov (NWS) — receives active CONUS weather alerts (CAP / GeoJSON). No identifying information sent.

Airspace restrictions: HTTPS requests to tfr.faa.gov — receives active FAA Temporary Flight Restriction polygons. No identifying information sent.

Region geocoding: When you swap the active region to a new city, the typed city name is sent to nominatim.openstreetmap.org (OpenStreetMap's geocoder) so the server can resolve it to coordinates. Sent only on swap, not continuously.

Nothing else. No analytics, no crash reports, no usage metrics, no telemetry of any kind.
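One way to check the "Nothing else" claim against a connection log captured on your own network, as an added example that is not part of the Spatial Agents codebase. The log format and sample lines are constructed, and the OpenSky hostname is an assumption because the page names only the service.

```python
# Added example: flag connections to hosts this page does not document.
# Host -> purpose, taken from the "Outbound Connections" list above.
DOCUMENTED = {
    "aisstream.io": "AIS feed",
    # Assumption: the page names only "OpenSky Network", not a hostname.
    "opensky-network.org": "ADS-B feed",
    "api.weather.gov": "Severe weather",
    "tfr.faa.gov": "Airspace restrictions",
    "nominatim.openstreetmap.org": "Region geocoding",
}

def classify(host):
    """Return the documented purpose for host, or None if undocumented."""
    h = host.strip().rstrip(".").lower()  # DNS: case-insensitive, optional root dot
    for domain, purpose in DOCUMENTED.items():
        # Exact match or a subdomain on a label boundary. A bare suffix test
        # would also accept "notapi.weather.gov".
        if h == domain or h.endswith("." + domain):
            return purpose
    return None

def parse_host(line):
    """Hypothetical log format: '<timestamp> CONNECT <host>:<port>'."""
    parts = line.split()
    if len(parts) != 3 or parts[1] != "CONNECT":
        return None
    host, sep, port = parts[2].rpartition(":")
    return host if sep and host and port.isdigit() else None

def audit(lines):
    """Return (undocumented hosts, unparsed lines, documented purposes seen)."""
    undocumented, unparsed, seen = set(), [], set()
    for line in lines:
        host = parse_host(line)
        if host is None:
            unparsed.append(line)  # never silently drop what we cannot read
        elif (purpose := classify(host)) is None:
            undocumented.add(host.rstrip(".").lower())
        else:
            seen.add(purpose)
    return sorted(undocumented), unparsed, sorted(seen)

# Constructed sample log, not captured from the app.
SAMPLE_LOG = [
    "2025-01-01T12:00:00Z CONNECT stream.aisstream.io:443",
    "2025-01-01T12:00:01Z CONNECT opensky-network.org:443",
    "2025-01-01T12:00:02Z CONNECT api.weather.gov:443",
    "2025-01-01T12:00:03Z CONNECT TFR.FAA.GOV.:443",
    "2025-01-01T12:00:04Z CONNECT nominatim.openstreetmap.org:443",
    "2025-01-01T12:00:05Z CONNECT metrics.example.com:443",
    "2025-01-01T12:00:06Z CONNECT aisstream.io.example.net:443",
    "2025-01-01T12:00:07Z CONNECT notapi.weather.gov:443",
    "malformed entry",
]
```

Accepting subdomains of each documented host is a policy choice in this sketch; drop the `endswith` branch to require exact hostnames.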