Privacy and trust
Voyalier is local-first, but live travel research is not automatically offline.
Before any AI request runs, the “Preview an AI request” panel shows exactly what would be sent — the system prompt and the trip details — built with confirmation codes and traveler names excluded by construction, so they can never reach a provider. Nothing is sent until you choose to send it, and every completed run is recorded in a per-trip activity log.
Provider keys live in the operating-system keychain, never browser storage or the database. A key is read only to send a request you chose to send, is placed only in that request’s authorization header, and is never returned to the interface, logged, or stored anywhere else. On-device (Ollama) runs never leave the device; cloud runs go only to the provider you picked.
Sensitive stored fields — confirmation codes and traveler names — are encrypted at rest with an authenticated cipher. The encryption key is generated on your device and kept in the operating-system keychain, so decryption is transparent. You can also add an optional passphrase: it wraps the key with a memory-hard key-derivation function and removes the plain key from the keychain, so Voyalier opens locked and asks for the passphrase before your workspace appears — protecting your data even on an unlocked computer. The passphrase is only ever used locally to derive a key; it is never stored, returned, or logged, and there is no recovery if you forget it.
Live fetches — official advice, weather, and pack downloads — happen only on an explicit click, and each is labeled with its source, retrieval time, license, and freshness. The one standing exception is opt-in: if you allow automatic update checks (a one-time choice on first launch that you can reverse in the Updates panel), Voyalier asks GitHub about once a day whether a newer release exists — only release metadata is fetched, never anything about you or your trips. There is no telemetry.
In-app updates reach two GitHub-operated hosts — github.com for the release metadata and objects.githubusercontent.com for the download — and every update is cryptographically signature-verified on your device before it installs (the download runs in the Rust core, never the web view, so there is no hidden network path). Voyalier saves a database backup before each update; those backups live alongside your data in the application data directory, so a deleted trip still exists in older backups until they rotate out. Backups are never included in an exported or shared brief and can be cleared from disk.
Documents, websites, model output, and provider output remain untrusted until validated. Extracted facts never silently become accepted trip facts, and high-stakes facts (entry, visa, health, safety) are quoted from cited sources, never originated by a model.