Quiet by design
No tracking. No analytics. No engagement metrics phoning home. The app respects your attention because it doesn't measure it.
The app respects your attention because it doesn’t measure it. That sentence is the whole privacy posture, but it has consequences — concrete ones, enforced ones, ones that show up in the way the app is built rather than only in the way it’s described.
What we don’t collect
- No third-party analytics. No Mixpanel, no Amplitude, no Segment. No SDKs phoning home to tell anyone what you tap, where you scroll, or how long you sat on a post.
- No engagement metrics, even ours. We don’t know how long you spent in Reading Mode. We don’t know how often you opened the app. We don’t want to know.
- No fingerprinting. No font enumeration, no canvas hashing, no advertising identifier, no IDFV signalling.
- No “you haven’t posted in 5 days” notification. No streaks. Ever. Lanai is for reading, and reading doesn’t have a streak.
- No “best time to post” suggestion. No engagement prediction. No reach optimisation.
- No tracking pixels in image exports. When you share a post as a picture, the picture is just a picture.
What stays on your device
- Your reading history. Lanai knows what you’ve read so it doesn’t show you the same post twice in a session. That memory is local. It never syncs anywhere.
- Your settings. Theme choice, type size, accessibility preferences, Postcard Mode toggle — local on each device, never uploaded.
- Your saved posts. The saved-for-later list lives on your device, encrypted with the rest of your app data.
- Your draft posts. Compose drafts stay local until they’re posted.
What we have to send to the network (and why)
Lanai is a Bluesky client, which means the things you post, repost, like, follow, and mute are public-protocol actions that go to the AT-Protocol relay you chose. We don’t change that — it’s the network you signed up for. We just don’t add anything to it.
Auth uses Bluesky’s App Password mechanism, stored in your device’s Keychain, keyed by your DID (the long permanent identifier) rather than your handle (the short changeable one). Handles change; DIDs don’t. When the AT Protocol’s OAuth story stabilises, Lanai will move to it. Until then, App Password keyed by DID is the honest choice.
The architectural part
Most apps describe their privacy posture and then ask you to trust the description. Lanai’s posture is enforced at the package boundary. The on-device AI work lives in one package called LanaiIntelligence, and only that package is allowed to import the on-device frameworks. Every other package — Compose, Timeline, Profile, Settings — has to go through a small public interface to use any AI capability. The capabilities themselves never leave your device.
The result is auditable. No content sent off-device for AI isn’t a marketing line; it’s the only behaviour the package is capable of.
Stricter than Apple, by choice
Apple’s own apps use Private Cloud Compute for some on-device AI work — a mode where data is sent to a hardened cloud cluster, processed, and discarded. It’s a thoughtful design. Lanai doesn’t use it.
That isn’t a complaint about Apple’s choice; it’s a different choice. Private Cloud Compute makes capabilities possible that aren’t possible on-device alone. Lanai trades those capabilities for the simpler promise: nothing leaves your device. It’s a smaller surface and an easier sentence to honour.
The bright lines
A short list of things we won’t do, no matter the business reason:
- No third-party analytics in any product surface.
- No re-ranking the Following feed.
- No notification engineered to bring you back when you’ve been quiet.
- No subscription that paywalls a feature you’d reasonably expect to be free.
- No watermark on a post-as-image export that says posted via Lanai unless you’ve explicitly enabled one.
- No selling, sharing, or transferring of user data to any third party. None.
This list isn’t long. That’s the point.