Privacy and Data: Your Data Is Yours

PebbleFlow is built for privacy. Your conversations, API keys, and files stay on your device. Period.

What We Know About You

Just a few things, used only for licensing and subscription:

  • Your email address
  • Your display name
  • Your profile picture
  • Your subscription status (plan, Stripe customer ID, active/cancelled state) — so we can route you to the right billing portal

That's all.

What We Don't Know

  • Your conversations or chat history
  • Your API keys
  • Your files or documents
  • Your browsing history
  • Your settings or preferences
  • Your location (unless you explicitly allow it)
  • Anything you search for or create

We don't run analytics, telemetry, or tracking. We can't see what you're doing, and we don't try to.

How Your Data Flows

┌─────────────────────────────────────────────────────────────────────┐
│ You type → PebbleFlow (runs locally on your device)                │
│           ↓                                                         │
│     Runs AI, manages tools, handles documents                      │
│           ↓                                                         │
│     → Sends to AI Provider API (Claude, GPT, etc.)                │
│     → Provider processes → Returns response                        │
│     → Response stays on your device                                │
└─────────────────────────────────────────────────────────────────────┘

SEPARATE: PebbleFlow Auth Server
├─ Sees: Your email, name, avatar (for licensing)
├─ Doesn't see: Conversations, keys, files
└─ Only touches: Profile info for subscription checks

Bottom line: Conversations and API keys go directly to AI providers. PebbleFlow servers only see your profile info (email, name, avatar) for licensing and subscription checks. Nothing else.

API Access vs Consumer Platforms

ChatGPT.com, Claude.ai, Gemini — these are consumer platforms:

  • You agree to their terms, which may retain conversations for training or safety
  • Your chat history lives in their cloud by default
  • You're using their infrastructure

PebbleFlow with API keys — you're using developer/API terms instead:

  • You pay providers directly (OpenAI, Anthropic, Google)
  • You're under their API agreement, not consumer terms
  • Conversations stay on your device unless you explicitly sync them
  • Many providers offer strict data handling: process your request, then delete it

OpenRouter's Zero Data Retention — available for Claude and other models:

  • Provider sees the request, processes it, immediately discards everything
  • No retention, no logging, no training data
  • Like whispering to an AI that has amnesia the second you're done

The choice is yours. Different data governance for different comfort levels.

Your Personalization Follows You

Everything that makes PebbleFlow yours stays on your device:

  • System prompts — your custom instructions for each mode
  • Variables — location, time, user profile data you define
  • Modes — the AI personalities you've customized
  • Skills — your saved, reusable workflows
  • Memory — what the AI remembers about you between chats

Switch AI models anytime. Your setup doesn't change. No vendor lock-in.

Export anytime: Your customization isn't trapped in one provider's ecosystem. It travels with you.

How Private Sync Encryption Works

Private sync (to Google Drive) uses strong encryption:

AES-256-GCM encryption: authenticated symmetric encryption with a 256-bit key

  • Your passphrase → PBKDF2 key derivation (100,000 iterations) → encryption key
  • Your conversations and settings are encrypted locally before upload
  • The encrypted blob goes to Google Drive
  • Your passphrase never leaves your device

Even if someone accessed your Google Drive, they couldn't read your data without the passphrase. Without it, decryption is computationally infeasible, provided the passphrase itself is hard to guess. Learn more about Private Sync.
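The passphrase-to-blob pipeline described above, as an added example in Node.js; it is not PebbleFlow's own code. The PBKDF2 hash (SHA-256), the salt and nonce sizes, and the blob layout are assumptions, since this page only states AES-256-GCM and 100,000 iterations.

```javascript
// Added example: passphrase -> PBKDF2 -> AES-256-GCM with Node's built-in crypto.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 100000; // iteration count stated on this page
const DIGEST = 'sha256';   // assumption: the page does not name the PBKDF2 hash
const SALT_LEN = 16;       // assumption: fresh 128-bit salt per blob
const IV_LEN = 12;         // assumption: 96-bit GCM nonce, never reused with a key
const TAG_LEN = 16;        // GCM authentication tag length

function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, DIGEST);
}

// Hypothetical blob layout: salt || iv || tag || ciphertext
function encryptBlob(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const key = deriveKey(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext, or null when the passphrase is wrong or the
// blob was modified in storage (the GCM tag check fails in both cases).
function decryptBlob(passphrase, blob) {
  const header = SALT_LEN + IV_LEN + TAG_LEN;
  if (blob.length < header) return null;
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, header);
  const key = deriveKey(passphrase, salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  try {
    const pt = Buffer.concat([decipher.update(blob.subarray(header)), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data: only `blob` would be uploaded to cloud storage.
const blob = encryptBlob('correct horse battery staple', '{"chat":"hello"}');
console.log(decryptBlob('correct horse battery staple', blob));
console.log(decryptBlob('wrong passphrase', blob));
```

Because the salt and nonce are random, encrypting the same data twice yields different blobs, and any change to the stored bytes makes decryption fail rather than return altered data.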

How Sign-In Works (OAuth Security)

PebbleFlow uses PKCE (Proof Key for Code Exchange), an OAuth extension designed for apps that cannot keep a client secret:

  1. You click Sign In
  2. Browser opens a login page (we don't see your password)
  3. You grant permission to PebbleFlow
  4. Provider sends back a token
  5. Token stays on your device

OAuth client secrets (like Google's or GitHub's) are not in the app code. They live on Cloudflare Workers:

  • Secrets never exposed to the browser or your device
  • Provider tokens go through a secure server proxy
  • You get a safe, encrypted connection

For iOS and local APIs: PKCE handles everything. No relay needed.

Where Your Data Lives

API Keys

  • Stored on your device only
  • Never sent to PebbleFlow servers
  • Sent directly to the AI provider when you make a request
  • We never see them, can't access them, don't store them

Conversations

  • Stored on your device by default
  • Optionally synced to your Google Drive via Private Sync
  • If synced, encrypted before leaving your device (we can't read it even if we wanted to)

Settings

  • Stored on your device
  • Synced with private sync if you enable it

Voice Data

  • Local options (Whisper, Kokoro, browser speech): Never leave your device
  • Cloud options (ElevenLabs, Resemble.ai): Sent to those services using your API keys (not through PebbleFlow)

Total Control

Mix and match however you want:

  • Use cloud AI with local voice ✓
  • Use local AI with cloud backup ✓
  • Go completely offline ✓
  • Use only cloud services ✓

It's your setup. You decide what's comfortable.

Full Transparency

Read our Privacy Policy for the complete technical details. See Terms of Use for usage terms and API key policies.

Questions? We're here to help — check Troubleshooting or reach out.


This guide is maintained by the PebbleFlow team using Slate, our built-in editor.