Private by architecture

Most search products promise privacy through policy — "we don't sell your data." Khoji promises it through architecture: there is no server that could receive your data in the first place.

What happens where

DataWhere it livesEver sent to Khoji?
Your page contentVisitor's browser memory + IndexedDBNever
Search queriesVisitor's browser onlyNever
Embedding vectorsIndexedDB on the visitor's deviceNever
The widget scriptServed from khoji.aiskillhub.info— (standard static file request)
The ML modelFetched once from a public CDN, then browser-cached

What this means legally

  • GDPR: Khoji processes no personal data of your visitors on any server. There is nothing to put in your processor list and no data-processing agreement needed for search.
  • DPDP Act (India): same story — no cross-border data transfer, no consent flow needed for the search function, because queries never leave the device.
  • Cookie banners: Khoji sets no cookies and uses no tracking identifiers. IndexedDB is used purely as a functional cache of your own public content.

The trust boundary, honestly stated

You still trust two static file origins: our widget script and the model CDN (jsDelivr, version-pinned). Both are ordinary, cache-friendly static requests that carry no query or content data. For intranets or high-compliance environments, paid plans can self-host both the script and the model on your own domain — then literally zero third-party requests remain.

Search analytics on the Studio plan

The Studio tier offers optional search analytics ("what are people searching for?"). This is strictly opt-in: when enabled, the widget sends anonymized query strings — never IPs, never user identifiers, never page content — to your dashboard. Leave it off and the zero-egress guarantee holds absolutely.