Security & Privacy
How we protect your API keys
Our Security Promise
Client-Side Only
Keys stay in your browser
No Backend Storage
We never see your keys
Secure Proxy via Vercel
Browser → Vercel → AI Provider
How Your Keys Are Stored
Your API keys are stored exclusively in your browser's localStorage. This is a secure, browser-native storage mechanism that keeps data isolated to your device. We have no database, no backend storage, and no way to access your keys.
localStorage.getItem('VIBE_GEMINI_API_KEY')
// → Only accessible from YOUR browser
How API Calls Work
When you generate content, your browser sends your request to a Vercel serverless function that forwards it to the AI provider. Your API key is sent over HTTPS, held in memory only for that single request, and never stored, logged, or persisted anywhere on the server.
Your key lives in memory for one request — never stored, never logged
Don't Trust Us — Verify Yourself
You don't have to take our word for it. Here's how to verify that your keys are safe:
1. Open Developer Tools
Press F12 or Right-click → Inspect
2. Go to Network Tab
Filter by "Fetch/XHR" requests
3. Generate Content & Watch
You'll see requests going to /api/generate — a Vercel serverless function that forwards to your AI provider. The source code is open on GitHub.
Additional Protections
Content Security Policy
Blocks XSS attacks, only allows AI provider connections
No Cookie Tracking
We don't track you across sites
Frame Protection
Cannot be embedded in other sites
Key Masking
Keys are hidden after entry (••••...last4)
Delete Your Data Anytime
Open the Settings modal (gear icon in sidebar) and go to the Data tab to delete all your API keys and data with one click. Since everything is stored locally, deletion is immediate and permanent.
Have security questions? Check our GitHub repository or open an issue.