Skip to main content
Privacy isn’t a setting in OneLamp — it’s the architecture. The product principle is simple: the user owns their context. This page explains how that holds up in practice.

Your data is isolated per user

Each user’s context lives in their own private store — a dedicated per-user Durable Object, not a shared pool. Every tool call resolves your identity server-side from the OAuth access token (never from client input), so a request can only ever read or write your own data. There is no cross-user query path.

You can always take it with you

From your Account in the OneLamp web app you can export your entire store as portable JSON, on demand. There’s no export queue, no support ticket, and no proprietary format to reverse-engineer. On paid plans you can also keep your context’s durable record in your own Google Drive, OneDrive, or S3 bucket, so the canonical copy lives on storage you control. If you stop using OneLamp tomorrow, your context leaves with you.

Retrieval, not surveillance

The default query path is retrieval-only — it returns your own saved context, ranked. There’s no LLM generation and no agent loop on that path, so your context isn’t being fed into a model that synthesizes and stores derived data about you.

Your data is never used to train AI models

OneLamp does not train models on your context, and we don’t permit our service providers to use it for training either. Your data is used only to build and serve your context back to the tools you connect — never to improve someone else’s model.

Data sources are untrusted

When you connect another tool, its output is filed as source data to be compiled — never followed as instructions, never allowed to redirect your tool or escalate access. You only connect the servers you choose, and you authorize each one explicitly.

Sensitive capture is opt-in

In the Chrome extension, passive browsing capture is off by default and gated by a denylist you control. Chat content for the hand-off feature is read only on an explicit action — never passively, never in the background. The OAuth token stays inside the extension’s service worker and is never exposed to a page.

The bottom line

Your context is yours. It lives in your own store, it’s scoped to you on every request, it’s exportable any time, and OneLamp never copies your graph off your infrastructure without consent.