GemmaKit
Request access

The boundary is the privacy story.

GemmaKit runs inference locally. Prompts, completions, local documents, model artefacts, and embeddings stay on the customer device. The licence service receives entitlement and billing metadata only, and that metadata contains no prompt or completion content.

What stays. What leaves.

A two-column ledger you can hand to security review.

  Stays on device

  • +Prompts and conversation history
  • +Streamed and buffered completions
  • +Local documents passed into prompts
  • +Model paths, model files, and converted runtime artefacts
  • +Any embeddings your app computes locally
  • +Bearer tokens used by the local server
  • +System and developer messages

  Leaves the device

  • Org key public id and proof of secret during activation
  • Org id, app id, app version, platform, and GemmaKit version
  • Generated device id and optional customer-supplied device display name
  • Certificate id, key id, subscription id, billing state, and timestamps
  • Network metadata normally received by a web service

One path crosses the network.

Diagram of which channels exist and what they carry.

Customer device Your app prompts completions local documents GemmaKit server 127.0.0.1:11436 local bearer + CORS model file on disk prompt stream Licence agent licence service off-device licence metadata no prompt content
01 Processing 02 Network 03 Retention 04 Subprocessors 05 Contact

Local processing

All chat completions are computed on the customer device. The runtime loads the converted Gemma 4 text artefacts from disk and serves the OpenAI-compatible Chat Completions endpoint over 127.0.0.1. Prompts and completions are not sent to the licence service.

Network channels

The only GemmaKit-managed off-device channel is the licence channel. Activation, refresh, revocation, and active-device reporting send licensing metadata to the service. There is no completion-logging channel and no remote model registry.

Retention

The licence service retains organisation key hashes, audit logs, device activity rows, revoked certificate ids, and billing-window metadata for as long as required for billing, audit, charge disputes, and abuse investigation. It does not store prompt content because prompt content is not sent to it.

Subprocessors

The licence service is operated by GemmaKit on Vercel. Stripe processes payment, subscription, invoice, and billing-portal data. The production subprocessor register is finalised with the master Privacy Notice before commercial launch.

Contact

Privacy questions go to privacy@gemmakit.app. Security disclosures go to security@gemmakit.app. This page is a plain-language summary; the master Privacy Notice is the authoritative document.