Privacy Policy

Privacy Policy.

The short version: we collect almost nothing for the browser and searxly.app (our support site at support.searxly.app requires accounts). We tell you exactly what the few exceptions are.

Last updated: July 2026 · This is plain language, not legal boilerplate. If anything here ever conflicts with how the product actually behaves, the product's behavior is the source of truth and we'll fix the wording. The one-sentence version: we designed Searxly so there's almost nothing about you to collect in the first place (except on our separate support site, which requires accounts).

1. Our approach

Searxly is private by architecture, not by promise. There are no accounts, no analytics SDKs, and no telemetry in the app. We don't build an ad profile of you, and we have no business model that depends on your data. Most of what the app does happens entirely on your own device, where we never see it. Where a feature does touch the network, this policy names it and says what it reveals.

2. What stays on your device

The following is stored on your device and is never sent to a Searxly server:

  • Browsing history & bookmarks — kept locally. You can turn history off, and turn on encryption-at-rest (CryptoKit + your device keychain) for stored data.
  • Passwords — in Searxly Maximum, the password vault (macOS) is local and encrypted; entries are never synced to us. The standard app does not include a password vault.
  • Biometric templates — Face ID, Touch ID and Secure Enclave data never leave your device. See the Biometric Data Policy.
  • Wallet keys — on macOS, wallet keys are generated from a standard recovery phrase and encrypted on your device. They never leave it; we cannot access your funds, see your phrase, or sign on your behalf.
  • Search on macOS — your searches run through a search engine on your own Mac (see section 3).
  • Agentic Tools (macOS) — the local tool server your own AI can connect to runs entirely on your Mac, and is off by default (see section 4).

3. Search & address-bar suggestions

How search reaches the web depends on your platform:

  • On macOS, Searxly runs a SearXNG search engine locally on your Mac. Your query is aggregated on-device, and the engine fetches results from upstream sources directly from your machine (or through Tor in Searxly Maximum). We do not receive, store, or log your searches.
  • On iPhone & iPad, the search engine can't run on the device, so the app searches through our hosted instance at search.searxly.app. Your query and IP reach that server the same way any request reaches any website. We run SearXNG, which is built not to keep search logs or user profiles — we don't associate queries with your identity, build ad profiles from them, or sell them. The server keeps only minimal, short-lived operational data (as any server does) to run the service and prevent abuse.
  • Address-bar suggestions — as you type, search-query completions are fetched from your configured search instance: on macOS that's your local engine, so they never leave your Mac; if you set a remote instance (or on iPhone & iPad, where “Online Suggestions” is off by default), they're sent there. There's no third-party autocomplete, and website/history suggestions are always computed locally.

4. On-device AI & Agentic Tools

Searxly's own AI features run on your device, not in a Searxly cloud:

  • On iPhone & iPad, optional AI features — a short AI Overview above results, page summaries, and “ask about this page” — run entirely on-device using Apple Intelligence. Nothing is sent to any server, which is why they also work in private tabs. (Page translation likewise uses Apple's on-device translation.)
  • On macOS, Searxly has no built-in AI assistant. Instead it exposes its private browsing as tools your own local AI can call over the Model Context Protocol, through a small server that is off until you turn it on, bound to loopback, and protected by a token. Tool calls run locally — private search routes only through your own engine, and page reads or browser actions happen on your device — and every call is written to an activity log you can read. If you connect a cloud model yourself, whatever your client sends to that provider is between you and them; Searxly still runs the tools locally and sends nothing itself.

5. Safe-browsing warning

Searxly can warn you before a known-malicious or deceptive site. The check runs against a blocklist bundled inside the app, entirely on your device — deliberately not Google Safe Browsing, which would send every address you visit to a third party. Nothing about the sites you visit leaves your device. It's on by default, and you can turn it off.

6. VPN (macOS)

Searxly's base edition includes an optional managed VPN. When you turn it on, your internet traffic is routed through our VPN server before it reaches the sites you visit — so that server necessarily carries your traffic in transit. We operate it on a no-logs basis: we don't keep records of the sites you visit through the VPN. The server processes only the minimal connection data needed to run the service and prevent abuse. Access can be gated by a pass — connecting proves a signature from your wallet and an on-chain check, which our gateway sees and uses only to verify access, not to profile you.

You can also pay for a pass by card. Card payments run on Stripe's own hosted checkout — Searxly never sees or stores your card number. Stripe processes the payment details and the email you give it for a receipt as an independent controller under its own privacy policy; we receive only confirmation that a payment succeeded, so we can activate your pass. Paying in crypto involves no card and no payment processor, and is the more private option.

7. Wallet & on-chain features (macOS)

If you use the built-in wallet, your keys stay on your device (see section 2). To function, it reads public information and uses a few third parties:

  • Blockchain nodes (Base RPC) — to read balances and broadcast transactions you approve, through public Base RPC providers. Like any on-chain request, they see the request and your IP.
  • Transaction history — fetched from a public block-explorer API (Etherscan); it sees the address you're viewing and your IP.
  • Price feeds (CoinGecko, DexScreener) — for token prices and charts.
  • Optional name resolution — if you turn on ENS / Basenames, .eth and Base names are resolved through a public Ethereum/Base RPC.
  • Swaps — a swap you start is routed through the 0x aggregator and on-chain routers; our gateway prepares it from your wallet address and a signature you approve, and uses them only to carry out that action.

We never custody your funds, act as a broker or exchange, or sign on your behalf. On-chain swaps carry a small fee, described in our Terms.

8. Places & maps — Local Pack (macOS, off by default)

If you turn on Local Pack, a place-type search — for example “pharmacies in Lyon” — sends just the place category and the city you name to the Searxly gateway, which runs the OpenStreetMap/Overpass lookup server-side and returns the places and the map. The map-data providers only ever see our gateway, never you. It's city-level only — there's no “near me” and no access to your precise location — and it's disabled entirely in Searxly Maximum.

9. Feedback you send us (macOS)

If you use in-app Feedback, or submit a knowledge-panel correction, the message you write is delivered to our team channel (through a webhook to Discord, which processes it as our messaging tool). We receive only what you choose to type, plus any minimal context you include. It's entirely optional, and only ever sent when you press send.

10. App updates (macOS)

Searxly checks for updates by requesting our update feed from searxly.app. That request reveals your IP and current version to the host, like any web request. Updates are cryptographically signed and verified before they install. In Searxly Maximum the update check is fetched over Tor (and can use an .onion feed), so even the version check doesn't reveal your IP.

11. Normal browsing requests

Searxly is a web browser, so when you open a page or load a result's favicon, thumbnail, or a knowledge-card source (e.g. Grokipedia or Wikipedia), your device contacts those third-party sites directly — exactly as any browser does. Those servers see a normal request and your IP. Built-in ad & tracker blocking reduces this; we don't sit in the middle of it or log it.

12. This website

The searxly.app site is static and ships no tracking scripts and no advertising cookies — fittingly, given where we stand on advertising. See our Cookie Policy for details. Your web host may keep standard server access logs (e.g. IP, user-agent) for security and operations, as is normal for any website.

13. Support website (support.searxly.app)

Our support portal at support.searxly.app is a separate service that requires account creation to submit tickets, view history, or receive updates. This is the only place in our ecosystem where accounts exist.

When you create an account there we collect:

  • Your email address (required for the account)
  • Any information you voluntarily include in support tickets or feedback
  • Standard session and authentication data (cookies, IP for security)

This data is used only to provide support and is not linked to your activity in the Searxly browser. The browser and searxly.app itself never require accounts.

14. Editions & Searxly Maximum licences

Searxly Maximum is a paid edition, built to run locally: it has no managed VPN, no wallet, no Local Pack, and no feedback webhook. Its search runs locally and can route through Tor, and its bundled Tor runtime is signature-verified at every launch.

Activating your licence is the one and only time Maximum contacts us. When you enter your licence key, the app sends us that key together with a one-way fingerprint of your Mac's hardware ID — a salted hash, so we never receive the ID itself — and we tie your licence to that one machine. That request does not include your name, your email, or anything about your browsing, and the app never contacts us again afterwards: every later check happens on your Mac, offline, with no network at all.

We store that fingerprint against your licence, plus a receipt of when your key was issued and emailed. We keep both for as long as your licence is valid — and because Maximum licences never expire, that means indefinitely. We need them to move your licence to a new Mac, to send you your key again if you lose it, and to prove we delivered what you paid for. The lawful basis is performance of our contract with you (Article 6(1)(b) GDPR).

We treat that fingerprint as personal data: it is pseudonymous, not anonymous, because we can link it to your purchase and therefore to the email address Stripe holds for you. You can ask for a copy of it, or ask us to erase it — see section 17 — though erasing it means we can no longer move your licence to another Mac or re-send your key.

15. What we never do

We do not sell, rent, or share your data with advertisers or data brokers — ever. We don't run analytics or telemetry, and we don't build a profile of you.

16. Data retention

On-device data lives on your device for as long as you keep it, and clears when you delete it, run a panic-wipe, or enable strict privacy mode. The Searxly browser and searxly.app have no server-side accounts. The only accounts in our ecosystem are on the separate support site (see section 13). The limited server touch-points above (our search instance, the VPN/gateway, Local Pack, feedback you send, and support portal) keep only minimal, short-lived operational data as described.

One thing we keep indefinitely: if you buy Searxly Maximum, the activation record and delivery receipt for your licence (see section 14). A Maximum licence never expires, so those records have to outlive any fixed retention window — without them we could not move your licence to a new Mac, re-send your key, or show that we delivered it. They contain no name, no address, and no browsing data: only your licence, a one-way fingerprint of the Mac it runs on, and the timestamps.

17. Your controls & rights

  • Turn history off, or encrypt stored data at rest.
  • Keep Agentic Tools off entirely, or local-only, and require confirmation for any tool that touches the network.
  • Use panic-wipe or strict privacy mode to clear local data instantly.

Because the browser itself holds almost nothing about you, you control your own data directly on your device. For the limited server touch-points (including the support portal, which requires accounts), you can contact us to ask what we hold or request deletion. If you're in the EU/EEA or the UK, you keep your local data-protection rights, including access and erasure.

18. Children

Searxly is not directed to children, and any token or crypto activity is intended for adults. Age and legal requirements for crypto vary by region — please don't route around them.

19. Who we are & contact

Searxly is published by Nathan Ducatillon, a sole trader (entrepreneur individuel) trading as Searxly, registered in France under SIREN 107 502 882, with a registered office at 10 rue de Penthièvre, 75008 Paris, France. For the limited personal data described in this policy, the data controller is Nathan Ducatillon (Searxly), reachable at privacy@searxly.app; full identification is in our Legal Notice. For questions, security reports, or data requests, reach us through the channels below. These are the only official channels; anything else claiming to be Searxly isn't:

20. Changes

If this policy changes, we'll update the date above and post material changes on our official channels. We'll keep it short and honest.