Skip to content
Build Perch

Security & Privacy

Local-first by default. Explicit when data leaves.

Build Perch is designed so your workspace content stays on your machine, and anything that leaves is something you approved. Here's what that means in practice.

No Build Perch server in the data path

No telemetry, no analytics, no crash upload. Your files and chats go only to the AI provider you choose. The app phones home for two things, license checks and signed updates, and neither ever carries your content. One more happens only if you ask for it: if its bundled speech model ever goes missing, the app offers a one-time, checksum-verified re-download. Still no content.

Privacy mode, on by default

Zero-data-retention routing is on from first launch. Every OpenRouter request, including media generation and background summarization, goes only to providers that attest they do not store or train on your prompts and files. It is their attested policy, enforced by OpenRouter routing (not a guarantee we make on their behalf), and your OpenRouter account stays the authoritative control. The AI’s own tools cannot reach the toggle.

OS-native credential vault

Secrets live in the Windows Credential Manager, in two tiers. Only the OpenRouter key is readable by the interface, where the streaming chat runs. Everything else (Gmail, Discord, Notion, GitHub, Brave, Ollama Cloud, and your license key) is write-once: the interface can store or replace it but can never read it back. Only the native backend uses those, against a fixed allowlist.

Tested SSRF defenses

Every outbound fetch is checked: scheme allowlist, private/loopback IP rejection, DNS-rebinding defense, per-hop redirect re-validation, and size caps.

AI filesystem sandbox

Every AI file operation is canonicalized and prefix-checked against the workspace root, rejecting path traversal, null bytes, and symlink escapes. Enforced in Rust, regardless of the frontend.

Lock folders against the AI

Right-click any folder to lock it: the AI cannot read, write, or unlock it, no matter what it is told. The lock covers reads, writes, moves, deletes, listings, and even semantic-search results, enforced in Rust alongside the protected internal folders the AI can never touch.

Default-deny on anything that leaves

Outbound sends never auto-approve, even with auto-approve turned all the way up. Autonomous agents can only send to a pre-authorized, fail-closed destination allowlist.

Protected View for AI-authored files

Documents the AI creates (Word, Excel, PowerPoint, PDF, and text files) carry the Windows Mark-of-the-Web, so Office opens them in Protected View. Source code routes to a read-only preview, never an interpreter.

Signed updates

Update packages are cryptographically signed and verified on your machine before they install, and the update feed is a fixed first-party endpoint. Updates never read or carry your content.

Outside content is contained

Content that arrives from outside, like emails, Discord messages, and watched files, is treated as untrusted: it is fenced with unforgeable markers, URL-fetch tools are withheld for that run, and replies can only go back to the sender.

Per-run scoped folders

A workflow or agent run can be confined to a single input folder and a single output folder. Enforcement is fail-closed and can only narrow the always-on workspace sandbox, never widen it.

Sealed preview for AI-built pages

Webpages the AI builds preview under a locked-down content-security policy behind an unguessable token, with no directory listing and no traversal.

Being precise about what we don't claim

Workspace files are ordinary local files, protected by your operating system and disk. We don't claim additional encryption-at-rest beyond the OS keychain that holds your credentials. Our security review was conducted internally; we make no third-party penetration-test or compliance-certification claims.

On licensing: activation and license checks send your license key and a machine fingerprint (a one-way hash of your machine ID; the raw ID never leaves your device), plus the OS name, a device name, and the app version at activation. Starting a trial sends only the fingerprint and app version. Your files, chats, and prompts are never transmitted, and a signed offline pass keeps the app working for up to 30 days without a connection.