Keep your data where it belongs.

Your data stays on your device.

Every question to an AI reveals something about you: health, money, relationships, work. Can privacy be the default — instead of an expert skill or an enterprise feature?

You type a question, and your words land on a server in San Francisco. Or in Beijing. Your blood count. Your colleague's mobile number. Your contract partner's IBAN. You don't even notice. It hits your own data as much as other people's: a doctor types up a case, a lawyer a brief — and names, diagnoses and case numbers end up on someone else's servers. Whoever wants to prevent that redacts by hand today — and still misses something.

You protect your data yourself — discode gives you the tool for it: sensitive data is detected right on your device and suggested for anonymization before anything leaves. You decide per data point whether it goes along — because the answer really needs it. Privacy as the default — for everyone, not an enterprise add-on for pros.

Add Privacy
Local AI-Detection

Two layers, one decision per data point

Your anonymization assistant checks every request twice, right on your device: Layer 1 detects 16 data types via fixed patterns — email, phone, IBAN, credit card and more. Layer 2, HEIMDALL, is a small AI model in your browser that recognises names, companies and places — without anything leaving your device for it. Before sending, the PII review shows you every find: yellow gets anonymized (default), grey stays in plain text. Anonymized means replaced with plausible look-alikes — not a blacked-out bar but realistic placeholders, so the answer stays coherent in context. You decide, per data point.

The 16 patterns: email, phone (AT/DE/intl.), IBAN (MOD-97 verified), credit card (Luhn), tax ID, VAT ID, IP, postcode+city, street, date of birth, names, insurance and account number. ~100 tech/company names (Google, SAP, React …) are ignored to avoid false positives. HEIMDALL = Home-Data-Anonymizing-Language-Layer (GLiNER, ONNX Runtime), loaded into the browser once.

Vault & Fail-Closed

The model only sees placeholders — you see real data. The mapping lives solely in the request's memory: no log, no cache, no database. After the answer it's discarded. And if anonymization fails? Then nothing is sent. No half measures.

Fail-closed: on a pipeline error the system aborts with an error (503) instead of silently forwarding unanonymized data.
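As an added illustration (not discode's own code), the sketch below combines two ideas from the sections above: Layer-1 finds are accepted only if their checksum holds (MOD-97 for IBAN, Luhn for cards), and a request-scoped mapping restores real values after a fail-closed send. The regexes, function names and bracketed placeholder format are assumptions; the product describes plausible look-alike replacements rather than tags.

```javascript
// Added illustration, not discode's code. Regexes, placeholder format and
// function names are assumptions made for this sketch.
const IBAN_RE = /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g;
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;
// Constructed sample input: a public example IBAN and a well-known test card number.
const SAMPLE = "Pay DE89 3704 0044 0532 0130 00 from card 4111 1111 1111 1111 today.";

// MOD-97: move the first 4 chars to the end, map A..Z to 10..35, remainder must be 1.
function ibanValid(raw) {
  const s = raw.replace(/ /g, "");
  const digits = (s.slice(4) + s.slice(0, 4)).replace(/[A-Z]/g, c => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (const d of digits) rem = (rem * 10 + Number(d)) % 97;
  return rem === 1;
}

// Luhn: double every second digit from the right; the sum must be divisible by 10.
function luhnValid(raw) {
  const d = raw.replace(/\D/g, "");
  let sum = 0;
  for (let i = 0; i < d.length; i++) {
    let n = Number(d[d.length - 1 - i]);
    if (i % 2 === 1) { n *= 2; if (n > 9) n -= 9; }
    sum += n;
  }
  return sum % 10 === 0;
}

// Replace checksum-valid finds with placeholders; the mapping exists only in the return value.
function anonymize(text) {
  const vault = new Map();
  const swap = (label, valid) => m => {
    if (!valid(m)) return m; // pattern matched but checksum failed: not treated as a find
    const key = `[${label}_${vault.size + 1}]`;
    vault.set(key, m);
    return key;
  };
  const out = text.replace(IBAN_RE, swap("IBAN", ibanValid)).replace(CARD_RE, swap("CARD", luhnValid));
  return { out, vault };
}

// Fail-closed: if the pipeline throws, return 503 and never call upstream.
function handle(text, sendUpstream, pipeline = anonymize) {
  let res;
  try { res = pipeline(text); } catch { return { status: 503, body: "anonymization failed" }; }
  let answer = sendUpstream(res.out);
  for (const [k, v] of res.vault) answer = answer.split(k).join(v);
  return { status: 200, body: answer }; // vault goes out of scope here and is discarded
}
```
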

Learns as it goes — and stays with you.

If the assistant misses something and you anonymize it yourself, it remembers that — on this exact device. We upload nothing of what it recognises and learns; it exists only with you. The honest flip side: switch devices and the assistant starts over there. No sync, no backup with us — that's not an oversight but the consequence of “your data stays on your device”.

Include Chinese LLMs

Chinese models? You decide.

Some of the best models come from China — and some data should never end up there. That's why there's a toggle: “Include Chinese LLMs”. Off means off — the routing then excludes every model hosted in China, no matter how well it scores in benchmarks. Out of the box the toggle is off: Chinese models aren't used by default — you enable them yourself only when you want to.

Our commitments

No training on your data: Most API tiers don't use your content for training anyway — and because sensitive data is replaced before sending, it never reaches a model that could learn from it.

Full control: Your data is viewable, exportable and deletable at any time — no forms, no waiting, no justification needed.

Honest limits: unusual formats aren't always detected — but what you mark yourself afterwards, the assistant learns (on-device). Indirect identifiability isn't detected. On uploads, text is checked, images aren't. AI answers aren't checked for newly generated PII.