No Build Perch server in the data path
No telemetry, no analytics, no crash upload. Your files and chats go only to the AI provider you choose. The app phones home for two things, license checks and signed updates, and neither ever carries your content. One more happens only if you ask for it: if its bundled speech model ever goes missing, the app offers a one-time, checksum-verified re-download. Still no content.
Privacy mode, on by default
Zero-data-retention routing is on from first launch. Every OpenRouter request, including media generation and background summarization, goes only to providers that attest they do not store or train on your prompts and files. It is their attested policy, enforced by OpenRouter routing (not a guarantee we make on their behalf), and your OpenRouter account stays the authoritative control. The AI’s own tools cannot reach the toggle.
OS-native credential vault
Secrets live in the Windows Credential Manager, in two tiers. Only the OpenRouter key is readable by the interface, where the streaming chat runs. Everything else (Gmail, Discord, Notion, GitHub, Brave, Ollama Cloud, and your license key) is write-once: the interface can store or replace it but can never read it back. Only the native backend uses those, against a fixed allowlist.
Tested SSRF defenses
Every outbound fetch is checked: scheme allowlist, private/loopback IP rejection, DNS-rebinding defense, per-hop redirect re-validation, and size caps.
AI filesystem sandbox
Every AI file operation is canonicalized and prefix-checked against the workspace root, rejecting path traversal, null bytes, and symlink escapes. Enforced in Rust, regardless of the frontend.
Lock folders against the AI
Right-click any folder to lock it: the AI cannot read, write, or unlock it, no matter what it is told. The lock covers reads, writes, moves, deletes, listings, and even semantic-search results, enforced in Rust alongside the protected internal folders the AI can never touch.
Default-deny on anything that leaves
Outbound sends never auto-approve, even with auto-approve turned all the way up. Autonomous agents can only send to a pre-authorized, fail-closed destination allowlist.
Protected View for AI-authored files
Documents the AI creates (Word, Excel, PowerPoint, PDF, and text files) carry the Windows Mark-of-the-Web, so Office opens them in Protected View. Source code routes to a read-only preview, never an interpreter.
Signed updates
Update packages are cryptographically signed and verified on your machine before they install, and the update feed is a fixed first-party endpoint. Updates never read or carry your content.
Outside content is contained
Content that arrives from outside, like emails, Discord messages, and watched files, is treated as untrusted: it is fenced with unforgeable markers, URL-fetch tools are withheld for that run, and replies can only go back to the sender.
Per-run scoped folders
A workflow or agent run can be confined to a single input folder and a single output folder. Enforcement is fail-closed and can only narrow the always-on workspace sandbox, never widen it.
Sealed preview for AI-built pages
Webpages the AI builds preview under a locked-down content-security policy behind an unguessable token, with no directory listing and no traversal.
Being precise about what we don't claim
Workspace files are ordinary local files, protected by your operating system and disk. We
don't claim additional encryption-at-rest beyond the OS keychain that holds your credentials.
Our security review was conducted internally; we make no third-party penetration-test or
compliance-certification claims.
On licensing: activation and license checks send your license key and a machine fingerprint
(a one-way hash of your machine ID; the raw ID never leaves your device), plus the OS name, a
device name, and the app version at activation. Starting a trial sends only the fingerprint
and app version. Your files, chats, and prompts are never transmitted, and a signed offline
pass keeps the app working for up to 30 days without a connection.