Privacy
Token counts and tags only — never prompt or response content.
Nomira is built so that prompt and response content never leaves your machine or enters Nomira's data store — this is the core of the product, not a setting.
What Nomira reads
- Local coding-assistant logs you already have:
- Claude Code:
~/.claude/projects/<project>/<session>.jsonl - Codex:
~/.codex/sessions/YYYY/MM/DD/rollout-*.jsonl - It parses these read-only. It does not modify, upload, or delete them.
What Nomira stores (team mode)
Only usage metadata, enforced by the database schema itself: provider · model · token counts (by type) · cost · business tags (feature/workflow/tier) · project · developer · timestamps · subscription allowance %.
There is no column for prompt text, response text, file contents, or message bodies. The ingest endpoint actively rejects any event that carries a content-bearing field (prompt, response, content, text, messages).
Where data lives
- Local CLI: nothing is stored or transmitted; output is printed.
- Team store: a local SQLite file (default
~/.nomira/usage.db). - Dashboard: served from
127.0.0.1by default; you control where it runs.
Data egress
None by default. Nomira does not phone home. If you choose to POST events to a remote collector, the payload is the content-free usage event described above.
Why this matters
Nomira's positioning is "the trusted auditor." A tool that exfiltrated prompts or spend data could not honestly hold that role, and could not be used by privacy-conscious or regulated teams. The privacy invariant is therefore a design constraint, verified by tests (tests/test_team.py).