How It Works
Decoy splits analytical work into two layers. The cloud plans. Your machine does the work. The data never leaves your device, and the maths is right because it never goes through a cloud model's arithmetic. This page walks through what each side does, what it sees, and what it doesn't. If something doesn't add up, write to us.
The Architecture
Most privacy tools for AI strip your sensitive data, send the prompt to the cloud, and pass the answer back. Same architecture as before, with a redaction step bolted on. Decoy is different.
Decoy splits analytical work into two layers. The cloud is given a tokenised prompt and explicit instructions: do not compute. Return a structured plan describing the work that needs to be done, expressed as operations over the tokens you were given. The cloud's job is to think about the shape of the problem.
Your machine does the actual work. A local engine parses the plan, substitutes tokens for real values, and runs the operations against ground truth. Multiply, add, max, percentile, filter. The maths happens in your browser, deterministically, never in the cloud.
The cloud handles reasoning. Your machine handles arithmetic. Two layers, each doing what they're best at.
The Full Flow
If you want the technical detail, here is what actually happens between you typing a question and seeing an answer.
This is how it works today. The MVP is a paste-based web app, which is honest but clunky. Post-MVP we're working toward a different shape: a paste shortcut, a browser extension, eventually OS-level integration so Decoy disappears into the workflow. The architecture stays the same. The surface gets quieter.
What The Cloud Sees
The cloud gets a tokenised prompt and returns a JSON plan. No real values cross the network in either direction. Below is the exact exchange from the demo on the home page.
Acme Corp bought 4,200 units in Q3 at $89 per unit. Their account manager Sarah Chen reports they're considering doubling their order in Q4. Forecast Q4 revenue per account, total Q4 revenue, and flag the highest-risk account if any one of them churned.
[C_8847] bought [N_2201] units in [P_03] at [N_2202] per unit. Their account manager [P_4419] reports they're considering doubling their order in [P_04]. Forecast [P_04] revenue per account, total [P_04] revenue, and flag the highest-risk account if any one of them churned.
{ "forecasts": [ { "account": "[C_8847]", "manager": "[P_4419]", "growth_assumption": "double in [P_04]", "formula": { "operation": "multiply", "operands": ["[N_2201]", "[N_2202]", 2] } }, { "account": "[C_8848]", "manager": "[P_4420]", "growth_assumption": "flat in [P_04]", "formula": { "operation": "multiply", "operands": ["[N_2203]", "[N_2204]", 1] } }, { "account": "[C_8849]", "manager": "[P_4421]", "growth_assumption": "+30% in [P_04]", "formula": { "operation": "multiply", "operands": ["[N_2205]", "[N_2206]", 1.3] } } ], "total": { "operation": "add", "operands": ["forecast[0]", "forecast[1]", "forecast[2]"] }, "highest_risk": { "operation": "max_of_forecasts", "rationale": "[C_8848] [P_4420] flat [P_04]" } }
The middle column is everything the cloud received. The right column is everything the cloud returned. There are no real values in either. The cloud cannot reconstruct your data because it never had it, and the cloud cannot answer the question because it was never asked to. It composed a plan. Your machine ran it.
What We Didn't Expect
Because the cloud never does the arithmetic, the answer can't be wrong in the way LLM answers usually are. There's no hallucinated total, no confident misranking, no "this number sounds right" guess. The cloud composes a plan. Your machine runs it against real values. The answer is whatever the formula returns.
In our proof-of-concept test, the cloud's plan included a rationale field where it picked the highest-risk customer account. The cloud picked Beta Industries at $201,600, and missed that Acme Corp at $747,600 was the real exposure. The local executor caught it because it was running max_of_forecasts against the actual numbers, not against the cloud's guess.
Privacy was the goal. Better answers were the surprise. Both fall out of the same architecture.
What We Don't Do
We don't run a server in the data path. Decoy is a static web app. There is no Decoy backend that sees your prompts, your API key, or your data. We literally couldn't read your data if we wanted to, there's no place we'd read it from.
We don't store anything between sessions by default. The mapping between tokens and real values is held in your browser's memory and destroyed when you close the tab or end the session. Optional opt-in session resume uses your browser's IndexedDB only, never our servers, because we don't have any.
We don't intermediate your LLM provider. You bring your own API key. Your prompts go directly to Anthropic, OpenAI, or Google. Their privacy policy applies, not ours.
We don't see your usage. No analytics, no telemetry, no tracking pixels. We don't know what tasks you reach for Decoy on, who you are, or how often you use it. If you tell us, we'll know. If you don't, we won't.
We don't claim to solve every privacy problem. If your industry requires data residency, formal certification, audit logging, or specific frameworks like IRAP, the v1 web app is not the right shape for that yet. Talk to us. We're building toward it, and you might be the first one we build it with.
Open Questions
Magnitude leakage. A very large number can be identifying even when tokenised. "$400M revenue from a Sydney audio company" maps to one company. We have an opt-in bucketing mode in development for high-sensitivity tasks. Right now you should know it exists as a consideration.
Free-text generation. The planning + execution split fits analytical tasks. It doesn't fit "write me an email about [C_8847]." We're not solving that with Decoy in v1. There may be a different shape of product for it later.
Schema robustness. The cloud model occasionally returns a malformed JSON plan. Decoy retries with a tighter prompt and falls back to a human-readable plan if that fails. This is rare but it happens. We log it locally and we're improving it.
Operation coverage. The closed set (multiply, add, max, percentile, filter, etc.) covers most spreadsheet-like work. It doesn't cover advanced statistics, ML-style operations, or anything requiring custom code. We add primitives as new patterns emerge from real use.
Regulated Industries
Decoy v1 is a single-user web app. It is not currently SOC 2, ISO 27001, IRAP, or HIPAA assessed. It does not yet offer the audit logging, admin controls, or data residency guarantees that procurement teams in finance, healthcare, defence, and government need.
We're building toward all of that. The architecture supports it. The certifications take time and money. The bigger picture is what comes after: Decoy as the layer that lets agent stacks, AI platforms, and internal copilots work on data they currently can't touch. Frontier reasoning, available to organisations that today have to say no.
If you work somewhere where those things are required, or if you're building the kind of platform that needs a privacy layer to ship into regulated environments, we'd genuinely like to hear from you.
If Something's Off
If you've read this page and you've spotted a hole in our reasoning, an architecture concern, a privacy claim that doesn't quite hold, or just a question we should be answering and aren't, tell us. We'd rather have the conversation than have you wonder.
[email protected]