Privacy
Last updated: 2026-04-21
tldr; To sync your team across devices, we store your messages, channels, files, and workspace data on our servers, encrypted in transit and at rest. Your Claude Code prompts go directly to Anthropic under your own account — we never see them. We don't run analytics, trackers, or session replay. You can export or delete your data at any time.
Who we are
tldr; A small Stockholm company called Ano Instruments AB runs this product. We're the ones responsible for your data under GDPR.
Ano Instruments AB ("Ano", "we", "us") is a company registered in Sweden. For the purposes of the EU General Data Protection Regulation (GDPR), we are the data controller for personal data we collect from you directly (such as your account email) and the data processor for content you and your teammates put into a workspace. You can reach us at .
What we store
tldr; Account info, your workspace content (messages, channels, files, agent configs), and minimal server logs. We store it so your team can actually use a chat app — read history, join from a second device, onboard a new teammate.
- Account data. Your email, display name, workspace memberships, and authentication metadata (handled via WorkOS for SSO where applicable). Legal basis: performance of the contract to provide Ano to you.
- Workspace content. Messages, channels, direct messages, threads, reactions, uploaded files and attachments, coworker (agent) configurations, and tool-call metadata. This content is stored on our infrastructure (Postgres-backed, via the Zero sync engine) so it can be delivered to every device and teammate in the workspace. Legal basis: performance of the contract, and legitimate interest in running a reliable sync service.
- Local client cache. Your device also keeps an encrypted SQLite copy of the content you have access to, so the app opens instantly and works offline. That copy lives on your disk.
- Waitlist email. If you sign up for beta access before you have an account, we store your email to send you an invite and occasional beta updates. Legal basis: your consent.
- Request and diagnostic logs. Our servers record IP address, timestamp, user agent, and request path for incoming requests, plus error traces for failed operations. Rotated on a short schedule. Legal basis: legitimate interest in keeping the service secure and debuggable.
- Support correspondence. If you email us, we keep the thread so we can follow up. Legal basis: legitimate interest in responding to you.
What we don't store or see
tldr; We don't see your Claude Code prompts or the model's responses — those go straight between your device and Anthropic. We don't run analytics, ad pixels, session replay, or cross-site trackers.
- Claude Code prompts, tool inputs, tool outputs, and model responses. Claude Code runs under your own Anthropic account. These flow directly between your device and Anthropic and never touch our servers. We only see the final message your client chooses to post into a channel.
- Analytics, ad pixels, session replay, fingerprinting. None of it. No Google Analytics, Segment, Hotjar, or similar.
- Tracking cookies. The website does not set tracking cookies. A small number of strictly necessary cookies may be used for session state and sign-in.
End-to-end encryption
tldr; Not yet. During the beta, your messages are encrypted in transit and at rest on our servers, but we hold the keys. End-to-end encryption is something we're building toward, not something we offer today.
Today, workspace content is encrypted in transit (TLS) and at rest on our infrastructure, but the keys are managed by us so that server-side features (search, moderation, onboarding a new device, administrative export) can work. End-to-end encryption is on our roadmap; we'll update this page when it ships.
Third parties and processors
tldr; We use a handful of well-known providers to run the service (hosting, database, auth, email). We don't sell your data and we only share what each provider needs to do its job.
To deliver Ano we rely on a small set of sub-processors, including: a cloud hosting provider (application and database hosting); WorkOS (authentication and SSO); a transactional email provider (for sign-in, invites, and notifications); standard source control and build infrastructure; and Anthropic — but only on your side of the connection, under your own account. Where providers are located outside the EU/EEA, transfers are covered by Standard Contractual Clauses or equivalent safeguards. On request we can share the current sub-processor list.
How long we keep data
tldr; Your workspace content sticks around for as long as your workspace does. When you delete something, or close your account, we delete it (with a short grace period for backups).
- Workspace content: retained while the workspace exists. Deletions you make in the app propagate to our servers; residual copies in encrypted backups are overwritten within 30 days.
- Account data: retained while your account is active. Deleted within 30 days after you close it, unless we're required to keep it for legal reasons.
- Waitlist emails: retained until you unsubscribe or request deletion.
- Request and diagnostic logs: rotated on a short schedule, typically within 30 days.
- Support email: kept as long as it's reasonably useful to help you.
Your rights
tldr; You can ask for a copy of your data, fix it, delete it, or tell us to stop processing it. Email us and we'll handle it.
Under GDPR you have the right to access, correct, delete, restrict, or object to our processing of your personal data, and the right to data portability. To exercise any of these rights, email . We respond within 30 days.
If your workspace is controlled by your employer, some of these requests may need to go through your workspace administrator — we'll help route them.
You also have the right to lodge a complaint with the Swedish data protection authority (Integritetsskyddsmyndigheten, IMY) or your local supervisory authority in the EU/EEA.
Security
tldr; TLS everywhere, encryption at rest, isolated infrastructure, no third-party trackers. More detail lives on the security page.
Ano is served over HTTPS (HSTS enforced) with a strict Content-Security-Policy and no cross-origin state. Workspace content is encrypted at rest. See /security for the full picture.
Children
tldr; Ano isn't for kids. If you're under 16, please don't sign up.
Ano is not directed to children under 16. We don't knowingly collect personal data from children. If you believe we've received data from a child, email us and we'll delete it.
Changes to this policy
tldr; If we change anything meaningful, we'll update this page and the "last updated" date, and email users about material changes.
We update the date at the top when we make changes. For material changes we'll also notify waitlist subscribers and account holders by email before the change takes effect.