Every other "private" search still ships your query to a company that promises to behave. Searxly removes the company. A real SearXNG instance runs on your own machine — so the only thing that learns what you searched is hardware you own.
When you type a query, it goes to a SearXNG instance running on 127.0.0.1 — your own loopback address. That instance fans the query out to many engines on your behalf, pulls the results back, and de-duplicates and ranks them on your device. The only thing that ever sees your raw query is software running on your Mac.
A public "private" search engine still asks you to trust an operator not to keep logs. Running the engine yourself removes that trust entirely — here's exactly what that buys you.
You never touch Google or Bing directly. Your instance queries them and merges the answers, so each engine only ever sees a request from SearXNG — no account, no cookie, no history. There's no "you" for them to profile.
Searches are sent by POST, so they never sit in a URL, a referrer, or a server access log the way a ?q= GET request would. No tracking cookies, no fingerprinting headers.
The instance binds to localhost and is marked non-public, so the "server" holding your queries is hardware you control. Nothing to log, leak, or subpoena from us — we don't have it.
Tracking parameters are stripped from every result link, and image & video thumbnails are proxied through SearXNG — so the sites you merely preview never get a direct hit from your browser.
One click provisions the instance with a strong, auto-generated secret, sane defaults, and the Searxly theme. You don't hand-edit a config file or pick a weak key.
The engine ships inside Searxly as a self-contained, code-signed runtime — no separate downloads, no dependencies. It runs as a local process on your Mac and the app reaches it only over loopback. You can stop or wipe it at any time.
Public engines tie every query to a cookie or account and assemble a behavioral profile over time.
Your instance queries with no cookie, account, or history — each search is a clean slate, so there's no profile to build.
A hosted private-search company can quietly retain queries, or be compelled to.
There is no Searxly server in the path. We can't log, leak, or be subpoenaed for queries we never receive.
GET-based search puts your query in the address bar, browser history, and server logs.
Queries are sent in the request body, so they don't end up in a URL, a referrer header, or a third-party access log.
Loading a thumbnail or favicon can hand a third-party site your IP and a tracking hit.
Thumbnails route through SearXNG and tracking parameters are removed from result links before you ever see them.
Because the engine runs on your machine, your own connection makes the last hop out to each search engine — so those engines still see your IP, just with nothing else attached. To hide your IP too, route that traffic through a VPN or Tor. A built-in WireGuard VPN is built and ready, but shipping an in-app VPN on macOS needs an Apple entitlement that's still under review; until it clears we recommend a trusted third-party VPN (Proton VPN is a solid pick), or you can route SearXNG's outgoing traffic over Tor. We'd rather tell you this than pretend the boundary doesn't exist.
Point a network monitor at it and watch: your query goes to 127.0.0.1, not to us.