Private by architecture
Most search products promise privacy through policy — "we don't sell your data." Khoji promises it through architecture: there is no server that could receive your data in the first place.
What happens where
| Data | Where it lives | Ever sent to Khoji? |
|---|---|---|
| Your page content | Visitor's browser memory + IndexedDB | Never |
| Search queries | Visitor's browser only | Never |
| Embedding vectors | IndexedDB on the visitor's device | Never |
| The widget script | Served from khoji.aiskillhub.info | — (standard static file request) |
| The ML model | Fetched once from a public CDN, then browser-cached | — |
What this means legally
- GDPR: Khoji processes no personal data of your visitors on any server. There is nothing to put in your processor list and no data-processing agreement needed for search.
- DPDP Act (India): same story — no cross-border data transfer, no consent flow needed for the search function, because queries never leave the device.
- Cookie banners: Khoji sets no cookies and uses no tracking identifiers. IndexedDB is used purely as a functional cache of your own public content.
The trust boundary, honestly stated
You still trust two static file origins: our widget script and the model CDN (jsDelivr, version-pinned). Both are ordinary, cache-friendly static requests that carry no query or content data. For intranets or high-compliance environments, paid plans can self-host both the script and the model on your own domain — then literally zero third-party requests remain.
Search analytics on the Studio plan
The Studio tier offers optional search analytics ("what are people searching for?"). This is strictly opt-in: when enabled, the widget sends anonymized query strings — never IPs, never user identifiers, never page content — to your dashboard. Leave it off and the zero-egress guarantee holds absolutely.