Privacy is the baseline

No profile. No retention. Nothing to sell.

Privacy and quality are not in tension. Here is the architecture: how anonymous search forgets you, how accounts let you keep your own data, how ads stay contextual, and how the software itself is hardened. Plus a short footer of what you can audit on this very page.

On privacy

Privacy is the baseline. Quality is the north star.

I go to great lengths to protect user privacy in Argand. Not because I'm paranoid, or because I'm afraid, but because it's the obvious right way to build something. Every service should work this way by default, in my opinion. The good news is that privacy and quality aren't in tension. They can coexist easily, because obviously they can.

Zero retention

Anonymous searches are gone when the request ends. No query logs. No storing what you searched for.

You own your identity

Accounts use open, portable standards (DIDs and Solid Pods) instead of Argand-controlled logins. Your data lives on your device or in your own personal data Pod, not on my servers. You can take it elsewhere any time.

Contextual ads only

I don't know who you are, so I can't target you. Ads are relevant to what you searched for. Nothing more.

No tracking across the web

No analytics pixels. No third-party tracking scripts. No Google Tag Manager. Nothing loading that isn't Argand's.

Open about telemetry

Argand does use anonymous click telemetry to improve rankings. That's it. The purpose is documented, the scope is narrow.

No selling your data

I'm not in the business of aggregating data to sell it. That's not the business model and it never will be.

Audit this page

What you can verify right now.

Argand is pre-launch. The search engine itself isn't live yet. But this page already follows the rules. Open your browser's DevTools and check.

  • 0 Third-party scripts. The Content Security Policy refuses to load any script that isn't served from argand.org. Inspect the Network tab.
  • 0 Cookies. No analytics, no session, no consent banner needed. Check Application > Storage in DevTools.
  • 0 Tracking pixels or beacons. No Google, no Meta, no Plausible, no Segment, nothing.

Every sentence on this page was written by a person, not generated by an AI — though that's the one claim here a browser can't prove, so you'll have to take my word on it. Everything in the list above you can check yourself, right now. The source for this page is public at git.argand.org/nicweyand/argand-landing. The search engine itself is still being built privately and goes public at launch; until then, the quality scores are reproducible from the public test sets.

What "anonymous click telemetry" actually means. An exhaustive list. Nothing hidden.

Short version: Argand records four narrow numbers per click, none of which can be tied back to you. The technical detail below is for the curious. The privacy guarantee holds either way.

When a result is shown, clicked, or dismissed, Argand records four things to learn from. This is the complete list, with the precise shape used in storage:

  • query_bucket, a daily-rotated 128-bit keyed‑BLAKE3 hash of the query. The same query produces a different bucket every day. Reversing it back to the original query is roughly 2128 work per candidate.
  • vertical, one of code, scholar, nimbus, maps, news. Web is excluded by design.
  • action, one of shown, accepted, dismissed.
  • confidence_band, bucketed as low / mid / high. The raw float score is never stored.

What is never recorded:

  • No session id, user id, DID, or any other client identifier.
  • No IP address, scrambled or otherwise.
  • No User-Agent, Accept-Language, Referer, or cookie.
  • No per-event timestamps. Aggregates are bucketed by day.
  • No raw query text. Not anywhere. Not for any reason.

Aggregates with cohort size below k = 50 return nothing at all. Not even a noisy answer. A query so rare that only three people ever issue it cannot be fingerprinted by its accept rate, because the accept rate is never exposed.

Content policy: what Argand filters, and how. Tags, not censorship. With one carve-out.

Argand's policy is to block on quality (spam, ads, scams, AI slop), and to tag sensitive content so users can choose what to filter. We do not censor by topic. There is one carve-out:

Category Treatment Source
CSAM Hard exclude
Legally required. Reported to NCMEC. NCMEC hash list + Microsoft PhotoDNA
Terror content Default-filtered tag
You can opt the filter off. GIFCT shared hash database (PDQ, TMK+PDQF)
NSFW / explicit Opt-in filter
Off by default for adult accounts. Argand visual-service detection
Spam, scams, AI slop Quality penalty
Demoted, not removed. Argand quality-service classifiers

CSAM is non-negotiable: indexing it is illegal under 18 USC 2252A and matches are mandatory-reportable under 18 USC 2258A. Everything else is a label, not a gate. You decide what to filter.

Identity, explained

Argand accounts use open standards, not Argand logins.

Most online accounts work like this: the website gives you a username and password, the website stores everything you do there, and if you ever want to leave you start from scratch somewhere else. Argand accounts work the opposite way. You bring your identity in, you own your data, and you can leave with all of it at any time.

DID

Decentralised Identifiers

A username that nobody can take from you.

A DID is a username, but instead of being owned by a single company, it's a small piece of cryptography that you own. Bluesky and Mastodon and a growing list of other services already use DIDs. The same DID works across all of them, and you can move from one provider to another without losing your identity. There is no Argand-controlled login database that can be hacked, sold, or deleted out from under you.

The short version: you bring your own username. Argand never owns it.

Pod

Solid Pods

Your personal cloud storage, but actually yours.

A Solid Pod is a small chunk of online storage that belongs to you, not to any one website. When you use a Solid-aware service, your saved preferences, history, and settings go into your Pod. The site reads and writes there, with your permission, but it never holds a master copy. You can host your Pod yourself, on a provider you trust, or somewhere else entirely. Argand reads what you want it to and writes nothing else.

The short version: your settings live in your storage. Argand is a tenant.

So what does that actually buy you?

  • You can leave at any time and take everything with you. There is no "export tool" to wait for. Your stuff was never in our database to begin with.
  • One identity, many services. The same Argand account works across every Argand service. It will also work across other services that support these open standards.
  • Argand can't profile you. We don't hold the data needed to build a profile, because the data lives with you. The privacy promise has a structural reason to hold.

How Argand pays the bills

Ads live at the bottom. Always.

Most search engines put ads in the slot you look at first, which is also the slot that should hold the best result. Argand does not. Ads get exactly two spots. One sits below the search box on the homepage, when you have not searched for anything yet. The other sits at the very bottom of the results page, after Argand has already tried to actually help you. Each ad matches the query you typed, not a profile of you, and the toggle below works the same way it will at launch.

Preview This is what a results page will look like at launch. Try the toggle.
Sponsored result One slot, at the bottom. Turning it off changes nothing else on the page.
how to make perfect crispy roast potatoes 3 results + 1 sponsored
  1. The food-lab guide to the crispiest roast potatoes

    seriouseats.com

    Par-boil in salted water with a pinch of baking soda, shake the pot to rough the surface, then roast hot in beef dripping or duck fat. The shake step is doing most of the work.

  2. BBC Good Food: ultimate roast potatoes

    bbcgoodfood.com

    A canonical British roast potato recipe. Maris Piper or King Edward, goose fat, 200°C. The recipe people actually link to at Christmas.

  3. r/AskCulinary: why my roast potatoes never crisp

    reddit.com

    Discussion thread on the usual suspects: not enough fat, wet potatoes, crowded tray, oven not hot enough. Useful comments under the top reply.

  4. Sponsored Matched on roast potatoes. No profile used.
    Patch's Potatoes — heirloom russets, shipped overnight

    patchs-potatoes.example

    Hand-graded russets from a one-mascot farm. The kind that crisp up properly. Free shipping on bags of five pounds and up. (Yes, this is a joke. Patch is a potato.)

  • No behavioural data. The advertiser bids on the query, not on you. Two people searching the same thing see the same ad.
  • One click, no penalty. The toggle above does exactly what it says. The list of organic results, and their order, is identical with ads on or off.
  • Same plumbing as a regular result. The sponsored link routes through /yw/ the same way every other result does. The destination site gets the click. No tracking pixels follow you there.

Patch's Potatoes is not a real business. Patch is the mascot. The query and results are illustrative. Argand is not live yet. The ad placement rule and the toggle both ship at launch.

The AI-era threat nobody talks about

Safer software, by design.

AI assistants now help millions of programmers pick which little pieces of open-source code to drop into their projects. Attackers have noticed. When an AI confidently invents the name of a useful-sounding piece of code that doesn't actually exist, an attacker can race to publish something with that exact name and trick the AI (and the person trusting it) into installing it. Argand defends against that at five layers, so the results you see and the recommendations made on your behalf stay safer.

Here is the new attack. An AI coding assistant confidently suggests a code package whose name does not actually exist. An attacker rushes to publish malware under that exact name, so the next person who trusts the suggestion installs it. Argand blocks this in layers.

Tap, swipe, or use the arrow keys.

Prefer to read? The five layers in words

The threat is new, so here is the shape of it. AI coding assistants now help millions of programmers decide which small pieces of open-source code to pull into a project. Sometimes an assistant gets confident and invents the name of a useful-sounding package that does not actually exist. An attacker who is watching can publish malware under that exact name within minutes. The next person who trusts the suggestion installs it without ever suspecting anything was wrong. Argand answers this in five layers, all of which run before you type a query.

Layer T0 checks that the package is real. When anything asks Argand for a code package, whether it is a person, an AI assistant, or another service, Argand confirms the package actually exists on its official source before it hands back the name. Imagined packages get filtered out before they ever reach you, so a name that was never published has no way to slip through.

Layer T1 shows you the risk facts upfront. Every code package Argand surfaces arrives with a set of plain signals attached. You can see how new the package is, how its maintainers have behaved over time, whether its downloads are climbing or crashing, whether the name sits suspiciously close to a far more popular package, whether ownership changed hands recently, and whether it matches anything already known to be malicious. You see exactly what Argand sees, with nothing hidden.

Layer T2 gives anything suspicious extra scrutiny, and never buries it silently. A package that looks suspect is passed through quick rules first. If it gets past those, a small machine-learning model trained on known-bad examples takes a look. A careful AI second opinion is held in reserve for the harder cases. Whatever the verdict turns out to be, Argand labels the result instead of quietly deleting it, so you can always see what was flagged and the reason behind it.

Layer T3 keeps brand-new packages from being auto-recommended to AI assistants. When an assistant asks Argand for a recommendation, Argand will not suggest a package that has not yet crossed a real usage floor. The floor is at least a thousand downloads a week. You can still search for a brand-new package yourself and find it. It simply will not be handed to an assistant until real people have been using it for a while.

Layer T4 catches bad actors later too. Packages Argand already trusts get re-checked constantly against fresh security advisories, takedown notices, and signals like a sudden change of owner. If something that used to be safe goes bad after Argand picked it up, it is demoted or removed right away. The cleanup does not wait for some quarterly sweep.

All five layers do their work before you ever type a query, so they cost nothing at search time. The upshot is plain. People and the assistants helping them both end up safer, while an attacker who tries to slip something past Argand finds that it is not a free shot.

Reporting a vulnerability? See the security policy, the machine-readable security.txt, and the warrant canary.