Privacy is not a setting

When the query ends, Argand lets it end.

Argand should work without building a file on you. This page explains the promise in plain English first, then shows what you can audit right now.

On privacy

Privacy is not a setting.

Anonymous searches leave with the request. Argand does not keep a search history, build a profile of you, or remember yesterday's question so it can shape today's answer.

Anonymous searches end with the request

Anonymous searches are gone when the request ends. Argand keeps no query logs and stores no record of what you searched for.

You own your identity

If you use an account later, the goal is portability: sign in with an identity you control and keep your data in storage you can move. The technical pieces are DIDs and Solid Pods, explained below.

Contextual ads only

I do not know who you are, so I cannot target you. Ads can relate to the search itself, and nothing more.

Argand does not follow you around the web

Argand loads its own code and avoids analytics pixels, third-party tracking scripts, and tag managers.

Open about telemetry

Argand does use anonymous click telemetry to improve rankings, but the purpose is documented and the scope is narrow.

Your data is not for sale

I'm not in the business of aggregating data to sell it. That's not the business model and it never will be.

Audit this page

What you can verify right now.

Argand is pre-launch. The search engine itself isn't live yet. But this page already follows the rules. Open your browser's DevTools and check.

  • 0 Third-party scripts. The Content Security Policy refuses to load any script that isn't served from argand.org. Inspect the Network tab.
  • 0 Cookies. Because this page sets no analytics or session cookies, there is no consent banner to dismiss. Check Application > Storage in DevTools.
  • 0 Tracking pixels or beacons. The page does not load third-party analytics or advertising beacons.

Every sentence on this page was written by a person, not generated by an AI — though that's the one claim here a browser can't prove, so you'll have to take my word on it. Everything in the list above you can check yourself, right now. The source for this page is public at git.argand.org/nicweyand/argand-landing. The search engine itself is still being built privately and goes public at launch; until then, the quality scores are reproducible from the public test sets.

What "anonymous click telemetry" actually means. An exhaustive list. Nothing hidden.

Short version: Argand records four narrow numbers per click, none of which can be tied back to you. The technical detail below is for the curious. The privacy guarantee holds either way.

When a result is shown, clicked, or dismissed, Argand records four things to learn from. This is the complete list, with the precise shape used in storage:

  • query_bucket, a daily-rotated 128-bit keyed‑BLAKE3 hash of the query. The same query produces a different bucket every day. Reversing it back to the original query is roughly 2128 work per candidate.
  • vertical, one of code, scholar, nimbus, maps, news. Web is excluded by design.
  • action, one of shown, accepted, dismissed.
  • confidence_band, bucketed as low / mid / high. The raw float score is never stored.

What is never recorded:

  • Argand stores no session id, user id, DID, or other client identifier.
  • IP addresses are not stored, even in scrambled form.
  • The event does not include a User-Agent, Accept-Language, Referer, or cookie.
  • Individual events have no timestamps; aggregates are bucketed by day.
  • Raw query text is never stored.

Aggregates with cohort size below k = 50 return nothing at all. Not even a noisy answer. A query so rare that only three people ever issue it cannot be fingerprinted by its accept rate, because the accept rate is never exposed.

Content policy: what Argand filters, and how. Tags, not censorship. With one carve-out.

Argand's policy is to block on quality (spam, ads, scams, low-quality AI pages), and to tag sensitive content so users can choose what to filter. We do not censor by topic. There is one carve-out:

Category Treatment Source
CSAM Hard exclude
Legally required. Reported to NCMEC. NCMEC hash list + Microsoft PhotoDNA
Terror content Default-filtered tag
You can opt the filter off. GIFCT shared hash database (PDQ, TMK+PDQF)
NSFW / explicit Opt-in filter
Off by default for adult accounts. Argand visual-service detection
Spam, scams, low-quality AI pages Quality penalty
Demoted, not removed. Argand quality-service classifiers

CSAM is non-negotiable: indexing it is illegal under 18 USC 2252A and matches are mandatory-reportable under 18 USC 2258A. Everything else is a label, not a gate. You decide what to filter.

Identity, explained

Argand accounts use open standards, not Argand logins.

Most online accounts work like this: the website gives you a username and password, the website stores everything you do there, and if you ever want to leave you start from scratch somewhere else. Argand accounts work the opposite way. You bring your identity in, you own your data, and you can leave with all of it at any time.

DID

Decentralised Identifiers

A username that nobody can take from you.

A DID is a username, but instead of being owned by a single company, it's a small piece of cryptography that you own. Bluesky already uses DIDs, and the same idea can work across other services that choose the standard. You can move from one provider to another without losing your identity. There is no Argand-controlled login database that can be hacked, sold, or deleted out from under you.

The short version: you bring your own username. Argand never owns it.

Pod

Solid Pods

Your personal cloud storage, but actually yours.

A Solid Pod is a small chunk of online storage that belongs to you, not to any one website. When you use a Solid-aware service, your saved preferences, history, and settings go into your Pod. The site reads and writes there, with your permission, but it never holds a master copy. You can host your Pod yourself, on a provider you trust, or somewhere else entirely. Argand reads what you want it to and writes nothing else.

The short version: your settings live in your storage. Argand is a tenant.

So what does that actually buy you?

  • You can leave at any time and take everything with you. There is no "export tool" to wait for. Your stuff was never in our database to begin with.
  • One identity, many services. The same Argand account works across every Argand service. It will also work across other services that support these open standards.
  • Argand can't profile you. We don't hold the data needed to build a profile, because the data lives with you. The privacy promise has a structural reason to hold.

How Argand pays the bills

Ads belong beneath the results.

The best spot should belong to the best result. Argand gives ads two places only. One sits below the search box on the homepage, before there is a query to disturb. The other sits at the very bottom of the results page, after the organic results have already had their say. Each ad matches the words you typed, not a profile of you.

Preview This is what a results page will look like at launch. Try the toggle.
Sponsored result One slot, at the bottom. Turning it off changes nothing else on the page.
how to make perfect crispy roast potatoes 3 results + 1 sponsored
  1. The food-lab guide to the crispiest roast potatoes

    seriouseats.com

    Par-boil in salted water with a pinch of baking soda, shake the pot to rough the surface, then roast hot in beef dripping or duck fat. The shake step is doing most of the work.

  2. BBC Good Food: ultimate roast potatoes

    bbcgoodfood.com

    A canonical British roast potato recipe. Maris Piper or King Edward, goose fat, 200°C. The recipe people actually link to at Christmas.

  3. r/AskCulinary: why my roast potatoes never crisp

    reddit.com

    Discussion thread on the usual suspects: not enough fat, wet potatoes, crowded tray, oven not hot enough. Useful comments under the top reply.

  4. Sponsored Matched on roast potatoes. Profile not used.
    Patch's Potatoes — heirloom russets, shipped overnight

    patchs-potatoes.example

    Hand-graded russets from a one-mascot farm. The kind that crisp up properly. Free shipping on bags of five pounds and up. (Yes, this is a joke. Patch is a potato.)

  • Ads use the query. The advertiser bids on the query, not on you. Two people searching the same thing see the same ad.
  • The toggle changes only the sponsored slot. The toggle above does exactly what it says. The list of organic results, and their order, is identical with ads on or off.
  • The sponsored link still points outward. The sponsored link routes through /yw/ the same way every other result does. The destination site gets the click, and tracking pixels do not follow you there.

Patch's Potatoes is not a real business. Patch is the mascot. The query and results are illustrative. Argand is not live yet. The ad placement rule and the toggle both ship at launch.

The AI-era threat nobody talks about

Safer software, by design.

AI assistants now help millions of programmers pick which little pieces of open-source code to drop into their projects. Attackers have noticed. When an AI confidently invents the name of a useful-sounding piece of code that doesn't actually exist, an attacker can race to publish something with that exact name and trick the AI (and the person trusting it) into installing it. Argand defends against that at five layers, so the results you see and the recommendations made on your behalf stay safer.

Here is the new attack. An AI coding assistant confidently suggests a code package whose name does not actually exist. An attacker rushes to publish malware under that exact name, so the next person who trusts the suggestion installs it. Argand blocks this in layers.

Tap, swipe, or use the arrow keys.

Prefer to read? The five layers in words

The threat is new, so here is the shape of it. AI coding assistants now help millions of programmers decide which small pieces of open-source code to pull into a project. Sometimes an assistant gets confident and invents the name of a useful-sounding package that does not actually exist. An attacker who is watching can publish malware under that exact name within minutes. The next person who trusts the suggestion installs it without ever suspecting anything was wrong. Argand answers this in five layers, all of which run before you type a query.

Layer T0 checks that the package is real. When anything asks Argand for a code package, whether it is a person, an AI assistant, or another service, Argand confirms the package actually exists on its official source before it hands back the name. Imagined packages get filtered out before they ever reach you, so a name that was never published has no way to slip through.

Layer T1 shows you the risk facts upfront. Every code package Argand shows arrives with a set of plain signals attached. You can see how new the package is, how its maintainers have behaved over time, whether its downloads are climbing or crashing, whether the name sits suspiciously close to a far more popular package, whether ownership changed hands recently, and whether it matches anything already known to be malicious. You see exactly what Argand sees, with nothing hidden.

Layer T2 gives anything suspicious extra scrutiny, and never buries it silently. A package that looks suspect is passed through quick rules first. If it gets past those, a small machine-learning model trained on known-bad examples takes a look. A careful AI second opinion is held in reserve for the harder cases. Whatever the verdict turns out to be, Argand labels the result instead of quietly deleting it, so you can always see what was flagged and the reason behind it.

Layer T3 keeps brand-new packages from being auto-recommended to AI assistants. When an assistant asks Argand for a recommendation, Argand will not suggest a package that has not yet crossed a real usage floor. The floor is at least a thousand downloads a week. You can still search for a brand-new package yourself and find it. It simply will not be handed to an assistant until real people have been using it for a while.

Layer T4 catches bad actors later too. Packages Argand already trusts get re-checked constantly against fresh security advisories, takedown notices, and signals like a sudden change of owner. If something that used to be safe goes bad after Argand picked it up, it is demoted or removed right away. The cleanup does not wait for some quarterly sweep.

All five layers do their work before you ever type a query, so they cost nothing at search time. The upshot is plain. People and the assistants helping them both end up safer, while an attacker who tries to slip something past Argand finds that it is not a free shot.

Reporting a vulnerability? See the security policy, the machine-readable security.txt, and the warrant canary.