Security And Data Handling

Draft-First AI

AI-generated content is not saved as a final todo automatically. Lisdo creates a draft, shows the source context and suggested category, and requires user review before a todo is saved.

Secrets

BYOK API keys and provider secrets are stored in Keychain, not in SwiftData or CloudKit records. Hosted BYOK keys may sync through the user's Apple Keychain sync settings so both iPhone and Mac can process drafts. OAuth tokens, CLI paths, and local-only provider settings stay local and should not appear in production logs.

Sync Boundary

SwiftData and CloudKit sync app records such as categories, captures, drafts, todos, todo blocks, and pending queue metadata. Original images and audio files are not synced by default; the expected synced payload is extracted text and metadata. If Mac CLI direct media processing is enabled, the original image or audio may be temporarily synced as a pending raw attachment, then deleted after processing reaches a final state.

Provider Boundary

When you organize a capture, Lisdo sends only the content needed for that draft to your configured provider. For an OpenAI-compatible BYOK endpoint, this can include source text, OCR text, category instructions, and the strict JSON draft request.

Future Mac CLI or local-model modes are designed to run on your Mac. If direct raw media processing is enabled for a local command, that command may receive the raw media needed for the job. Use only CLI tools and local services you trust.

No Tracking Or Ads

Lisdo is not built around advertising or cross-app tracking. The static website does not require analytics scripts to read these policy pages.

Reporting A Security Issue

Please use the contact options on the Support page and include the affected platform, app version, and a short description of the issue.