Local-first, privacy-focused toolkit for AI-assisted therapy and self-reflection.

Features:
- Persistent session memory via local markdown files
- 3 therapeutic modalities (CBT, ACT, DBT skills)
- 3 therapist personas (warm, direct, coach)
- Optional AES-256 encryption (Mac/Windows)
- Built-in safety protocols and crisis response
- Cross-platform setup scripts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Security Guide
This guide covers privacy and security options for your AI therapy data.
## Security Tiers
| Tier | What It Does | Best For |
|---|---|---|
| Standard | Local files, no sync | Most users |
| Encrypted | Password-protected folder | Shared computers, privacy-conscious |
| Maximum | Encrypted + local LLM | High-stakes privacy needs |
### Standard Security (Default)
Your therapy files are stored locally in plain markdown. This is sufficient for most users on a personal computer.
**What's protected:**
- Files never leave your machine (unless you sync them)
- `.gitignore` excludes sensitive files from version control
- No telemetry or data collection

**What's not protected:**
- Anyone with access to your computer can read the files
- If your computer is compromised, files are exposed
- Cloud backups (iCloud, OneDrive) may sync the folder

**Recommendations:**
- Use your OS login password
- Enable full-disk encryption (FileVault on Mac, BitLocker on Windows)
- Exclude the therapy folder from cloud sync
## Encrypted Storage
For shared computers or heightened privacy needs.
### macOS: Encrypted Disk Image
macOS includes built-in encryption. No additional software needed.
**During setup:** Select "Encrypted" when prompted for security level. The script creates an encrypted sparse bundle automatically.

**Manual setup:**

```bash
# Create encrypted disk image (500MB, grows as needed)
hdiutil create -size 500m -encryption AES-256 -type SPARSEBUNDLE \
    -fs "APFS" -volname "TherapyVault" ~/therapy-vault.sparsebundle

# Mount (prompts for password)
hdiutil attach ~/therapy-vault.sparsebundle

# Your files go in /Volumes/TherapyVault/

# Unmount when done
hdiutil detach /Volumes/TherapyVault
```
**Daily usage:**
- Double-click `mount-therapy.command` on Desktop (created by setup)
- Open Claude Code: `cd /Volumes/TherapyVault/ai-therapy && claude`
- When done, double-click `unmount-therapy.command`

**Password recovery:** Not possible. If you forget your password, your data is gone. Use a password manager.
### Windows: VeraCrypt
VeraCrypt is free, open-source, and provides strong encryption.
**Install:** Download from veracrypt.fr
**Create encrypted container:**
- Open VeraCrypt
- Click Create Volume
- Select Create an encrypted file container
- Select Standard VeraCrypt volume
- Choose location: `C:\Users\[you]\therapy-vault.hc`
- Encryption: AES (default is fine)
- Size: 500MB or more
- Password: Choose a strong one
- Format the volume

**Mount the volume:**
- Open VeraCrypt
- Select a drive letter (e.g., `T:`)
- Click Select File, choose your `.hc` file
- Click Mount, enter password
- Your files go in `T:\ai-therapy\`

**Unmount when done:**
- Select the mounted drive in VeraCrypt
- Click Dismount
**Auto-mount script (optional):**

Create `mount-therapy.bat`:

```bat
@echo off
"C:\Program Files\VeraCrypt\VeraCrypt.exe" /v "%USERPROFILE%\therapy-vault.hc" /l T /a /q
echo Therapy vault mounted on T:
pause
```
## Maximum Privacy: Local LLM
For users who need data to never leave their machine.
### Why Local?
Cloud LLMs (Claude, GPT) process your messages on remote servers. Even with good privacy policies, your words pass through their infrastructure.
Local LLMs run entirely on your computer. Nothing is transmitted.
### Trade-offs

| | Cloud LLM | Local LLM |
|---|---|---|
| Privacy | Subject to provider policies | Complete |
| Quality | State-of-the-art | Good, not quite as capable |
| Speed | Fast | Depends on hardware |
| Hardware | Any computer | 16GB+ RAM recommended |
### Setup with Ollama

Ollama is the easiest way to run local LLMs.

**Install:**

```bash
# macOS/Linux
curl -fsSL https://ollama.ai/install.sh | sh

# Windows: Download from ollama.ai
```
**Pull a capable model:**

```bash
# Good balance of quality and speed
ollama pull llama3.1:8b

# Better quality, needs more RAM (16GB+)
ollama pull llama3.1:70b

# Smaller, faster, less capable
ollama pull llama3.1:3b
```
**Use with your therapy setup:**

Option 1: Ollama's built-in chat

```bash
cd ~/ai-therapy
cat CLAUDE.md   # Copy this as system prompt
ollama run llama3.1:8b
# Paste your CLAUDE.md content when prompted
```

Option 2: Use a local LLM frontend like Open WebUI

**Limitations:**
- No automatic file reading (you may need to manually paste session context)
- Less capable than Claude/GPT for nuanced therapeutic responses
- Slower on modest hardware
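The first limitation above (no automatic file reading) can be worked around with a small local script. This is an added example, not part of the project's own tooling: it loads `CLAUDE.md` plus the newest session note into the system prompt and sends one turn to Ollama's local HTTP API (`/api/chat` on `localhost:11434`, which is Ollama's real endpoint). The folder layout (`~/ai-therapy/CLAUDE.md`, dated notes under `~/ai-therapy/sessions/*.md`) is an assumption; adjust it to match your setup.

```python
import json
import urllib.request
from pathlib import Path
from typing import Dict, Optional

# Ollama's local chat endpoint; the server listens on localhost only by default.
OLLAMA_URL = "http://localhost:11434/api/chat"
# Assumed layout: CLAUDE.md and dated session notes under sessions/ (adjust as needed).
THERAPY_DIR = Path("~/ai-therapy").expanduser()


def latest_session_note(sessions_dir: Path) -> Optional[str]:
    """Text of the newest *.md note (newest by filename, e.g. 2025-01-31.md), or None."""
    notes = sorted(sessions_dir.glob("*.md"))
    return notes[-1].read_text(encoding="utf-8") if notes else None


def build_system_prompt(claude_md: str, latest_session: Optional[str]) -> str:
    """CLAUDE.md becomes the system prompt; the last session note is appended as context."""
    prompt = claude_md.strip()
    if latest_session:
        prompt += "\n\n## Previous session notes\n" + latest_session.strip()
    return prompt


def build_request(model: str, system_prompt: str, user_message: str) -> Dict:
    """Body for Ollama's /api/chat; stream=False yields one complete JSON reply."""
    return {
        "model": model,
        "stream": False,
        "messages": [
            {"role": "system", "content": system_prompt},
            {"role": "user", "content": user_message},
        ],
    }


def chat_once(body: Dict, url: str = OLLAMA_URL) -> str:
    """POST to the local server and return the assistant text; nothing leaves localhost."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=300) as resp:
        return json.load(resp)["message"]["content"]


if __name__ == "__main__":
    import sys
    system_prompt = build_system_prompt(
        (THERAPY_DIR / "CLAUDE.md").read_text(encoding="utf-8"),
        latest_session_note(THERAPY_DIR / "sessions"),
    )
    print(chat_once(build_request("llama3.1:8b", system_prompt, " ".join(sys.argv[1:]) or "Let's begin.")))
```

Run it as `python chat.py "what I want to talk about"` while `ollama serve` is running; the session note still has to be written back to the folder by hand, as the limitation above describes.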
### Setup with LM Studio
LM Studio provides a GUI for running local models.
- Download from lmstudio.ai
- Search for and download a model (Llama 3.1, Mistral, etc.)
- Load the model
- Paste your CLAUDE.md as system prompt
- Chat locally
## API Privacy Comparison
If using cloud LLMs, understand their policies:
### Claude API (Anthropic)
- Training: Data not used for training by default
- Retention: Prompts retained for 30 days for trust & safety, then deleted
- Policy: anthropic.com/privacy
### OpenAI API
- Training: API data not used for training by default (since March 2023)
- Retention: Data retained for 30 days for abuse monitoring
- Policy: openai.com/policies/privacy-policy
### Key Difference from Consumer Products
API access (what Claude Code uses) has different policies than consumer chat interfaces:
- Consumer ChatGPT may use data for training (unless opted out)
- API access typically does not
## Excluding from Cloud Sync

If you use iCloud, OneDrive, Dropbox, or similar, exclude your therapy folder:

### iCloud (macOS)

Don't store therapy files in ~/Documents or ~/Desktop if they sync to iCloud.

Recommended locations:
- `~/ai-therapy` (outside synced folders)
- Encrypted disk image anywhere (iCloud can't read encrypted content)

### OneDrive (Windows)

Right-click the therapy folder → Free up space, or move it outside the OneDrive folder.

Recommended locations:
- `C:\Users\[you]\ai-therapy` (not in the OneDrive folder)
- Encrypted VeraCrypt container

### General Rule

Store therapy files outside any cloud-synced folder, or use encryption.
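A quick way to verify both the cloud-sync rule above and the "anyone with access to your computer can read the files" point from the Standard Security section is a preflight check. This is an added example, not one of the project's setup scripts; the sync-folder locations it knows (iCloud Drive under `~/Library/Mobile Documents`, File Provider drives under `~/Library/CloudStorage`, `~/Dropbox`, `~/OneDrive`, and `~/Documents`/`~/Desktop` when iCloud Desktop & Documents is enabled) are the vendors' defaults and are an assumption you should adjust if yours differ.

```python
import os
import stat
from pathlib import Path
from typing import List, Optional

# Default sync-folder locations relative to the home directory (an assumption;
# adjust if your provider uses a different folder). The flag marks roots that
# only sync when the "Desktop & Documents" option is enabled in iCloud.
SYNC_ROOTS = [
    ("Library/Mobile Documents", "iCloud Drive", False),
    ("Library/CloudStorage", "a cloud drive mounted via File Provider", False),
    ("Dropbox", "Dropbox", False),
    ("OneDrive", "OneDrive", False),
    ("Documents", "iCloud Desktop & Documents", True),
    ("Desktop", "iCloud Desktop & Documents", True),
]


def sync_service_for(folder: str, home: str) -> Optional[str]:
    """Name of the sync service whose folder contains `folder`, or None if it is outside all of them."""
    target = Path(folder).expanduser()
    home_path = Path(home).expanduser()
    for rel, service, conditional in SYNC_ROOTS:
        root = home_path / rel
        if target == root or root in target.parents:   # exact path components, so ~/Dropbox-old is not ~/Dropbox
            return service + (" (if enabled)" if conditional else "")
    return None


def group_other_bits(path) -> int:
    """Permission bits granted to group and others; 0 means owner-only (chmod 700)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077


def preflight(folder: str, home: str = "~") -> List[str]:
    """Collect warnings for a therapy folder; an empty list means it passed."""
    warnings = []
    service = sync_service_for(folder, home)
    if service:
        warnings.append(f"{folder} is inside a folder synced by {service}; move it or use an encrypted container")
    p = Path(folder).expanduser()
    if p.is_dir() and os.name != "nt" and group_other_bits(p):   # Windows uses ACLs, not mode bits
        warnings.append(f"{folder} is readable by other users (mode {stat.S_IMODE(os.stat(p).st_mode):03o}); run chmod 700")
    return warnings


if __name__ == "__main__":
    import sys
    problems = preflight(sys.argv[1] if len(sys.argv) > 1 else "~/ai-therapy")
    print("\n".join("WARNING: " + w for w in problems) or "OK: folder is local and owner-only")
```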
## Backup Recommendations
Even private data needs backup. Options:
### Encrypted Backup
- Keep your encrypted container/disk image in a backed-up location
- The backup is useless without your password
- Consider a separate backup of the password in a password manager
### Manual Export
Periodically copy your therapy folder to an encrypted USB drive stored securely.
### What NOT to Do
- Don't backup unencrypted therapy files to cloud services
- Don't email yourself session notes
- Don't store passwords in plain text alongside encrypted files
## Threat Model
Consider what you're protecting against:
| Threat | Mitigation |
|---|---|
| Casual snooping (family, roommate) | Encryption |
| Device theft | Full-disk encryption + container encryption |
| Cloud provider access | Local storage, no sync |
| LLM provider access | Local LLM |
| Legal subpoena | Consult a lawyer; encryption helps but has limits |
| Sophisticated attacker | Beyond scope; seek professional security advice |
For most users, encrypted local storage with a cloud LLM provides excellent privacy.
## Security Checklist

**Minimum (everyone):**
- Store therapy files locally, not in cloud-synced folders
- Use your OS login password
- Enable full-disk encryption (FileVault/BitLocker)
**Recommended (shared computer or privacy-conscious):**
- Use encrypted container (built into setup)
- Unmount encrypted volume when not in use
- Use a password manager for your encryption password
**Maximum (high-stakes privacy):**
- All of the above
- Use local LLM (Ollama, LM Studio)
- Air-gapped computer for sessions (extreme)
Questions about security? Open an issue on GitHub.