-
Notifications
You must be signed in to change notification settings - Fork 0
User Data Sovereignty
Cloud LLM providers hold the canonical copy of every conversation a user has with their systems. The user typically holds no copy — and certainly not a structured one. If the provider's UI removes a conversation, changes search, deletes an account, or changes terms, the user's records of their own thinking with the system go with it.
This is data sovereignty in the conventional sense: the question is not who can read the data, but who retains it.
Clio asserts that the user should retain a local, structured copy of their conversations with an LLM, on the same principle as data-portability rights in modern privacy frameworks (GDPR Article 20, CCPA equivalents). The provider continues to hold their copy under their terms; Clio adds a local copy under the user's terms.
This is not adversarial to the provider. It does not exfiltrate other users' data, does not bypass authentication, does not impersonate. It only captures what the logged-in user is already seeing.
A local, structured archive of LLM interactions makes several user-side practices viable that the provider's UI does not:
- Personal audit trails — review what an assistant said, when, and in what context
- Search across conversations — without depending on the provider's search ranking
- Long-term preservation — outlive provider changes, account changes, and corporate failures
- Citation in your own work — quote yourself accurately, with provenance
- Independent review — show the conversation to a third party without granting them provider-level access
These are individual-scale concerns, but they are governance-shaped. The asymmetry between provider and user — the provider has the data, the user does not — is a governance question even when no laws have been broken.
Clio does not:
- Centralize anyone else's conversations
- Bypass provider rate limits, authentication, or terms
- Provide a publishing pipeline (the user decides what to do with their archive)
- Decrypt anything (the conversations are already rendered to the user)
The boundary is clear: Clio is the user's local archiver, not a scraper, not a syndication tool.
- Privacy Architecture — how Clio enforces strict-local processing
- Provenance and Auditability — why full-DOM capture matters for audit fidelity
- Known Limitations — what Clio explicitly does not claim
Three Pillars (CIA)
- Privacy Architecture — Confidentiality
- Provenance and Auditability — Integrity
- Availability and Denial of Access — Availability
Topics
Source docs