Privacy Policy for PebbleFlow

Last Updated: February 23, 2026

30-Second Summary

Your privacy is under your control. PebbleFlow is an AI platform that lets you run the same features across multiple environments -- Browser Extension, macOS, iOS, Android, and PC desktop applications. The apps are designed to give you complete choice over how your data is handled by performing all storage and orchestration using the secure local processing and storage resources on your device. The user interface is consistent across platforms and offers similar privacy and security choices, though specific capabilities vary by environment (for example, the Browser Extension cannot interact directly with your operating system).

  • Fully Local Option: Run AI models on your device with local providers, use local speech recognition and text-to-speech (Kokoro, Whisper), store everything locally -- no data ever leaves your machine.
  • Cloud AI: Use powerful cloud AI models, cloud-based voice services (ElevenLabs, Resemble.ai), and encrypted backups to Google Drive -- with full transparency about what goes where.
  • Voice Reader and Transcriber: PebbleFlow offers both local and cloud options for reading text aloud and transcribing speech -- including built-in browser voices, ElevenLabs, Resemble.ai, local Whisper models for transcription, and the local Kokoro neural reader.
  • Mix and Match: Choose cloud AI but local voice, or local AI with cloud backup. It's your choice.

What we (the company) collect: Your email address, display name, and avatar image -- solely to identify you for licensing and subscription purposes. That's it.

What we DON'T collect: Your conversations, browsing history, API keys, files, settings, or any content you create or view. We don't run analytics or telemetry.

What the apps do for you: The apps run on your device and act as your personal tool. They store your data locally, connect to AI providers and other services on your behalf using your credentials, and process your requests. When the apps send data to a cloud service, they are doing so in response to your requests.

The details are below. This notice explains what we collect, how the apps handle your data, every third-party service involved, and every choice you have.


Understanding "We" vs. "The Apps"

This privacy notice distinguishes between PebbleFlow the company ("we," "us," "our") and PebbleFlow the software ("the apps," "the software"). This distinction matters:

PebbleFlow the company is the organization that develops and distributes the software. We are a data controller only for the narrow set of data we collect directly: your email address, display name, and avatar image, used solely to identify you for licensing and subscription management.

PebbleFlow the apps are software that runs on your device. They are not data processors, because they are not persons or organizations -- they are tools that operate under your control. When the apps store your conversations, read a web page, or connect to an AI provider, they are doing so for you, on your device, at your direction. The apps act as your agent, not ours.

PebbleFlow is available as a Browser Extension (Chrome, Edge, Brave, Safari, and other Chromium browsers), desktop applications (macOS, Windows, Linux), and mobile apps (iOS, Android). The same core features and privacy choices are available across all platforms, though platform-specific differences exist (for example, the Browser Extension runs within the browser sandbox and cannot interact directly with your operating system, while desktop and mobile apps can access native system features like calendars and reminders with your permission).

Why this matters:

  • When we request permissions (e.g., browser permissions, calendar access), those permissions enable the apps to do things for you -- not for us to access your data.
  • The apps' local data (conversations, settings, files) belongs to you and stays on your device. We have no access to it.
  • When the apps connect to third-party services (AI providers, Google APIs, etc.), they do so as your client, using your credentials, on your behalf. We are not an intermediary in those data flows.

This notice covers both: what we (the company) collect, and how the apps (the software) handle data on your device so you can make informed decisions about your privacy.


Overview

PebbleFlow is a suite of AI tools available as a browser extension, desktop application (macOS, Windows, Linux), and mobile app (iOS, Android). We are committed to protecting your privacy. This policy explains what data we (the company) collect, what data the apps (the software) process on your device, and your rights regarding both.

Key Principle: Your data stays on YOUR device by default. PebbleFlow is designed with privacy as a core principle. We do not operate servers that collect your data from the apps, and we do not have access to your conversations, browsing history, or personal information. The apps are on-device software that give you complete control over which cloud services you use, which websites you visit, and which AI models power your experience.


Data Collection and Storage

What We (the Company) Collect

We collect a minimal set of information for licensing and account management:

Data | Purpose | Where It's Stored
Email address | Account identification and license validation | PebbleFlow Cloud (Cloudflare)
Display name | Account identification | PebbleFlow Cloud (Cloudflare)
Avatar image | Account display | PebbleFlow Cloud (Cloudflare)
Subscription/billing records | Payment processing | Stripe / PebbleFlow Cloud

That is the complete list. We do not collect, receive, or have access to your conversations, browsing history, files, settings, API keys, OAuth tokens, or any content you create or view in the apps.

What the Apps Store on Your Device

The following data is managed by the apps on your device. This is your data, under your control -- we do not have access to it and it is never transmitted to our servers:

Data Type | Purpose | Storage Location
Conversation history | Display your chat history across all threads | Browser storage / App data folder
User profile | Store your name, addresses, email, phone, and custom variables | Browser storage / App data folder
Personal instructions | Remember your preferences and context | Browser storage / App data folder
Mode configurations | Custom modes, system prompts, and tool settings | Browser storage / App data folder
API keys (BYOK) | Authenticate with AI services (OpenRouter/local providers) | Browser storage / App data folder
Google OAuth tokens | Authenticate with Google services | Browser storage / App data folder
UI preferences | Theme, font size, color tints | Browser storage / App data folder
Skills library | Custom prompt templates you create | Browser storage / App data folder
Attachments & files | Documents, images, and files you upload | Browser storage / App data folder

Platform-specific storage locations:

  • Browser Extension (Chrome, Edge, Brave, etc.): Chrome's chrome.storage.local API
  • Desktop Apps (macOS, Windows, Linux): ~/Library/Application Support/PebbleFlow/ (macOS), %APPDATA%/PebbleFlow/ (Windows), ~/.config/PebbleFlow/ (Linux)
  • Mobile Apps (iOS, Android): App-sandboxed local storage

Encrypted Cloud Backup (Optional)

The apps offer optional encrypted backup to Google Drive. This feature is entirely opt-in and disabled by default.

How it works:

  1. Encryption: Before any data leaves your device, the apps encrypt it using AES-256-GCM encryption with a key derived from your password using PBKDF2.
  2. Upload: The apps upload the encrypted data to your personal Google Drive in a PebbleFlow folder.
  3. Zero-knowledge: We never see your encryption password or the unencrypted data. Not even Google can read your backed-up data -- they only store encrypted blobs.

What can be backed up:

  • Conversation history and threads
  • User profile and settings
  • Custom modes and skills
  • Attachments and files

Privacy controls:

  • You choose whether to enable backup
  • You control your encryption password
  • You can delete backups from Google Drive at any time
  • Backups are tied to your Google account, not to PebbleFlow

Data flow: Your device → AES-256 encryption → Google Drive. The apps handle this entirely on your device. Our servers are never involved in the backup process.


Third-Party Services

The apps connect to various third-party services on your behalf, using your credentials and at your direction. We (the company) are not an intermediary in these data flows -- the apps communicate directly with each service from your device.

OpenRouter API

When you use cloud AI features, the apps send your messages to OpenRouter (openrouter.ai), which routes requests to various AI model providers (Anthropic, OpenAI, Google, Meta, and others).

  • What the apps send: Your conversation messages, system prompts, and any page content you explicitly share with the AI
  • What is NOT sent to us: Your API key is sent directly from the apps to OpenRouter -- we never see it
  • User profile data: Your personal instructions and profile variables (name, location, etc.) are included in the system context the apps send to the AI model to personalize responses
  • Services routed through OpenRouter: Perplexity research queries, image generation requests, and other AI model requests are routed through OpenRouter
  • Their privacy policy: https://openrouter.ai/privacy

Perplexity (Research - Optional)

The apps can use Perplexity for deep research and web search. Perplexity requests are routed through OpenRouter.

  • What the apps send: Your research queries and any context you provide
  • What is NOT sent: Your full conversation history or personal profile
  • Purpose: Provides AI-powered web research with source citations
  • Routing: Requests are sent via OpenRouter (see above)
  • Their privacy policy: https://www.perplexity.ai/privacy

Image Generation Services (Optional)

When you use image generation features, the apps send your prompts to the image model provider. Image generation requests are routed through OpenRouter.

  • FLUX.2: Provided via Replicate or other hosting providers through OpenRouter
  • Google Gemini: Image generation through Google's API via OpenRouter
  • Seedream & Others: Various providers accessed through OpenRouter

What is sent: Your image generation prompts and any reference images you provide

What is NOT sent: Conversation history, personal data, or unrelated content

Apple Integration (macOS/iOS - Optional)

On Apple platforms, the apps can integrate with native Apple services:

  • Apple Calendar: Read and create calendar events via EventKit
  • Apple Reminders: Read and create reminders via EventKit
  • Apple Notes: Read and create notes via AppleScript/scripting bridge

Privacy implications:

  • The apps access data stored in Apple's apps on your device, at your request
  • Data is processed locally or sent to your chosen AI provider when you request analysis
  • We (the company) do not receive or store your Apple Calendar, Reminders, or Notes data
  • Requires explicit permission grants on macOS/iOS -- these permissions enable the apps to work with your data for you

MCP Servers (Desktop - Optional)

The apps' desktop versions support Model Context Protocol (MCP) servers for extensibility:

  • What are MCP servers: Local programs that provide additional tools and capabilities to the AI
  • Data flow: MCP communication happens locally between the apps and the MCP server process on your machine
  • Privacy: Data sent to MCP servers stays on your device (unless the MCP server itself connects to external services)
  • Your control: You choose which MCP servers to install and run. We have no involvement in or visibility into MCP server usage.

Important disclaimer: MCP servers are developed and maintained by third parties. PebbleFlow cannot provide guarantees or representations regarding the security, reliability, or behavior of MCP servers. Third-party MCP servers may contain malicious code or design flaws that could compromise your data or system. We strongly recommend using only official MCP servers sponsored by the service provider (e.g., an official GitHub MCP server from GitHub) or MCP servers from other reputable, well-known parties. Exercise caution when installing MCP servers from unknown sources.

Google APIs (Optional)

If you choose to connect your Google account for Docs/Drive integration:

  • Authentication: The apps use Chrome's built-in OAuth flow (chrome.identity API) in the browser extension, or standard OAuth flows on other platforms. Tokens are stored locally on your device and sent directly to Google.
  • Data access: The apps only access Google services when you explicitly request it (e.g., "open my Google Doc" or "create a document")
  • Our role: We register the apps with Google as a developer so they can request permissions on your behalf. We never receive, store, or have access to your Google credentials or OAuth tokens. When you authorize Google permissions, you are authorizing the apps to work with Google for you -- not granting us access to your Google data.
  • Their privacy policy: https://policies.google.com/privacy

License Validation Service (PebbleFlow Cloud)

This is the one service where we (the company) are directly involved. If you purchase a subscription or use premium features, we use our own cloud infrastructure (hosted on Cloudflare) for license validation:

  • What is sent to us: Your email address, license tier, and license key
  • What is NOT sent to us: Conversation data, browsing history, settings, personal information, or any content you create in the apps
  • Purpose: Identify your account, validate license keys, and check subscription status
  • Data minimization: We store only your email identity, license tier, and license key -- the minimum required for licensing
  • Security: Our licensing services are secured by modern defenses and conform to industry best practices
  • Risk mitigation: Even in the unlikely event that an attacker gained access to this service, they would only see customer licensing status (email, tier, key). They would not be able to access any data on your local device -- your conversations, files, settings, and all app content remain on your device and are never transmitted to us.
  • Data retention: License and billing records are retained as required by law
  • Infrastructure privacy policy: https://www.cloudflare.com/privacypolicy/

Voice Features

The apps offer both text-to-speech (TTS) and speech-to-text (STT) with your choice of local or cloud processing. PebbleFlow provides a range of voice services including built-in browser voices, ElevenLabs, Resemble.ai, local Whisper models for transcription, and the local Kokoro neural reader.

Text-to-Speech (Reading AI Responses Aloud)

You can choose between:

  1. Browser-Based TTS (Local - Maximum Privacy)

    • Uses your browser's built-in Web Speech API
    • Audio is synthesized entirely on your device
    • No data is sent anywhere -- complete privacy
    • Voice quality depends on your operating system's voices
  2. Kokoro TTS (Local Neural - Maximum Privacy)

    • Uses the Kokoro neural TTS model running locally on your device via WebAssembly
    • Model (~330MB) is downloaded once and cached locally
    • No data is sent anywhere -- complete privacy with high-quality voice
    • Supports multiple voice options (10 built-in voices)
  3. ElevenLabs TTS (Cloud - BYOK)

    • Uses ElevenLabs API for natural-sounding voices
    • Requires your own ElevenLabs API key (stored locally by the apps)
    • What the apps send: The text of the specific message being read aloud, plus your API key
    • What is NOT sent: Conversation history, context, or any other data
    • Supports streaming for low-latency playback
    • Their privacy policy: https://elevenlabs.io/privacy-policy
  4. Resemble.ai TTS (Cloud - BYOK)

    • Uses Resemble.ai API with voice cloning capabilities
    • Requires your own Resemble.ai API key (stored locally by the apps)
    • What the apps send: The text of the specific message being read aloud, plus your API key
    • What is NOT sent: Conversation history, context, or any other data
    • Their privacy policy: https://www.resemble.ai/privacy-policy

Speech-to-Text (Voice Dictation)

You can choose between:

  1. Browser-Based STT (Local - Maximum Privacy)

    • Uses your browser's built-in Web Speech API
    • Audio is processed entirely on your device
    • No audio data is sent anywhere -- complete privacy
    • Recognition quality depends on your browser and OS
  2. Whisper (Local - Maximum Privacy)

    • Runs Whisper models locally on your device via WebAssembly
    • Multiple model sizes available (39MB to 488MB), downloaded once and cached
    • No audio data is sent anywhere -- complete privacy with AI-quality transcription
    • Supports 99 languages (multilingual models)
  3. ElevenLabs STT (Cloud - BYOK)

    • Uses ElevenLabs real-time transcription API
    • Requires your own ElevenLabs API key (stored locally by the apps)
    • What the apps send: Audio stream from your microphone, plus your API key
    • What is NOT sent: Conversation history, context, or any other data
    • Their privacy policy: https://elevenlabs.io/privacy-policy

Voice Model Storage

  • Local voice models (Kokoro, Whisper) are cached on your device after first download
  • Storage location: ~/Library/Application Support/PebbleFlow/models/ (macOS), equivalent on other platforms
  • You can delete cached models at any time to reclaim storage

Privacy controls: All voice features can be disabled entirely in Settings → Voice. You choose whether to prioritize privacy (local) or quality (cloud). Cloud voice providers require your own API key -- we never see your voice data or API keys.


API Keys and Subscription Plans

Bring Your Own Key (BYOK)

If you provide your own OpenRouter API key:

  • The apps store your key locally on your device in encrypted storage
  • The apps send your key only to OpenRouter when making AI requests
  • We (the company) never receive, store, or have access to your API key
  • You have full control over your AI usage and billing through your OpenRouter account

Privacy-Enhanced AI Funding

PebbleFlow offers an option to use a PebbleFlow-provisioned API key to which you add funds at cost. This option is designed to help protect your privacy by shielding you from direct exposure to AI providers like OpenRouter:

  • How it works: Instead of creating your own account with an AI provider, you add funds to your PebbleFlow-provisioned key. The apps use this key to access AI models on your behalf.
  • Privacy benefit: Your identity and usage are not directly associated with an OpenRouter or other provider account. PebbleFlow acts as a privacy layer between you and the AI provider.
  • At cost: Funds are passed through at cost -- we do not mark up AI usage fees on provisioned keys.
  • Your conversations remain local: Regardless of which key you use, your conversation data stays on your device. We do not have access to your conversations.

Ollama (Self-Hosted)

If you use Ollama for local AI models:

  • No API key is required
  • All AI processing happens on your local machine
  • No conversation data is transmitted to any external service
  • The Ollama server URL is stored locally
  • Privacy benefit: No data leaves your device when using local models

Subscription Plans

Subscription plans are for software access -- they unlock features and capabilities within the PebbleFlow platform. Subscriptions are not for AI credits.

If you purchase a subscription plan from us:

  • You gain access to premium software features (integrations, tools, modes, and platform capabilities)
  • You may optionally choose to add funds to a PebbleFlow-provisioned API key as a separate, at-cost service for AI model access (see Privacy-Enhanced AI Funding above)
  • Your conversations remain local to your device -- we have no access to them
  • We only track subscription status for licensing purposes, not conversation content

Zero Data Retention (ZDR) Models

Many AI providers offer Zero Data Retention options, meaning they do not store or train on your conversations:

  • What ZDR means: The AI provider processes your request and immediately discards it -- no logging, no training, no retention
  • How to use: PebbleFlow allows you to filter and select models with ZDR policies
  • Provider policies: ZDR is determined by the AI provider (Anthropic, OpenAI, Google, etc.), not by PebbleFlow
  • Verification: Check the specific provider's data retention policy for details

For maximum privacy: Combine ZDR cloud models with local storage, or use fully local models via Ollama where no data ever leaves your device.


User Profile and Personalization

The apps allow you to create a user profile with information like:

  • Your name
  • Home and work addresses
  • Email and phone number
  • Preferred language
  • Custom variables (e.g., company name, project details)
  • Personal instructions and preferences

How this data is handled:

  • Stored locally on your device only by the apps
  • Included by the apps in the system context sent to AI models to personalize responses
  • Never transmitted to us (PebbleFlow the company). We do not see, store, or have access to your profile data.
  • You can view, edit, or delete this information at any time in Settings → User Profile

Important: This in-app profile is separate from your PebbleFlow account (email, name, avatar). The in-app profile is richer and entirely local; the account information is the minimal set we use for licensing.

Example: If you set your name to "Vassia" and location to "Akron, OH" the AI will know your name and can use the apps' tools to provide location-relevant information (weather, local businesses, etc.).


Modes and Custom Configurations

The apps support multiple "modes" (e.g., General, Shopping Agent, Workplace) with different:

  • System prompts
  • AI models
  • Tool permissions
  • Temperature and iteration settings
  • Mode-specific variables

Privacy implications:

  • All mode configurations are stored locally on your device by the apps
  • Custom modes you create remain on your device
  • The apps send mode settings (including system prompts) to the AI provider as part of the conversation context
  • We (the company) do not track which modes you use or how you configure them

Tools and Capabilities

The apps include several tool categories that can be enabled/disabled per mode. These tools allow the apps to perform actions for you, at your direction. We (the company) have no visibility into which tools you use or what they access.

Web Browsing Tools

  • What the apps can do: Navigate to URLs, search the web, extract page content, click elements, fill forms, and interact with web pages (including injecting content scripts for page automation such as clicking, scrolling, form filling, and content extraction)
  • Agent browsing: When the AI agent browses the web on your behalf, it appears to web services as you -- there is no reliable way for websites to distinguish between your direct browsing and agent-directed browsing. You should treat the agent as an extension of your own browser and manage and observe its actions accordingly.
  • Privacy: The apps only access page content when you explicitly ask the AI to analyze or interact with it
  • Data flow: Page content is sent by the apps to the AI provider (OpenRouter or local models) for analysis
  • Visual indicators: When the agent interacts with pages, the apps show visual overlays (cursor animations, highlights) so you can see what the agent is doing

File Operations Tools (Desktop Only)

  • What the apps can do: Read, write, edit, and manage files on your device
  • Availability: These tools are only available in the desktop applications (macOS, Windows, Linux) -- not in the Browser Extension or mobile apps
  • Privacy: The apps only access files when you explicitly request it
  • Data flow: File content may be sent by the apps to the AI provider when you ask for analysis or editing

API Integration Tools

  • What the apps can do: Make HTTP requests to external APIs
  • Privacy: The apps only make requests you explicitly authorize
  • Data flow: API responses may be processed by the AI on your behalf

Google Docs Tools

  • What the apps can do: Create, read, and edit Google Docs/Sheets
  • Agent access: When the AI agent works with your Google documents, it acts on your behalf and appears to Google as you. You should manage and observe its actions with this understanding.
  • Privacy: Requires you to explicitly connect your Google account. The apps access Google services using your credentials -- we do not see your Google data.
  • Data flow: Document content may be sent by the apps to the AI provider for analysis/editing

Profile Configuration Tools

  • What the apps can do: Allow the AI to modify your user profile and settings
  • Privacy: Disabled by default; only available in Helper mode
  • Data flow: Changes are made locally to your device storage by the apps

Slate and Document Editing (Maximum Privacy)

The apps include a "Slate" feature for editing code and documents with ZERO cloud storage:

  • What it does: Opens an in-app editor for code, markdown, and HTML files
  • Privacy: All editing happens locally on your device. Files are stored entirely within your browser storage or app data folder -- nothing is stored in the cloud.
  • Data flow: Document content may be sent by the apps to the AI provider for suggestions or modifications only when you explicitly request it

Permissions Explained

The apps request various platform permissions so they can function as your tool. These permissions grant capabilities to the apps running on your device -- they do not grant us (the company) access to your data. The specific permissions requested vary by platform (browser extension, desktop, mobile), but all serve the same purpose: enabling the apps to work for you.

Browser Extension Permissions

Permission | What It Enables the Apps to Do for You
sidePanel | Display the assistant in Chrome's side panel
storage | Save your settings, conversations, and user profile locally on your device
activeTab | Read page content when you ask the AI to analyze it
scripting | Extract text from web pages and interact with page elements at your request
tabs | Access tab URLs and titles for context-aware assistance. Tab URLs and titles ARE included in conversation context sent to AI providers when you ask questions about your browser state or request tab-related actions. This enables features like "summarize my open tabs" or "find the tab where I was reading about X".
tabGroups | Organize tabs opened by the AI into conversation-specific groups
unlimitedStorage | Store unlimited conversation history and attachments locally on your device
alarms | Keep the apps' background service running for reliable responses
identity | Optional Google sign-in so the apps can access Google services for you (tokens stay on your device)
declarativeNetRequest | Enable the apps to communicate with your local AI server (modifies Origin header for localhost only)
offscreen | Allow the apps to process PDFs and images in the background without displaying extra windows
<all_urls> | Allow the apps to read and interact with content from any page you want the AI to analyze

Desktop & Mobile Permissions

Desktop and mobile apps request platform-appropriate permissions for similar functionality:

  • File system access: Read and write files on your device at your request
  • Calendar & Reminders: Access Apple EventKit (macOS/iOS) for calendar and reminder integration
  • Notes: Access Apple Notes via AppleScript (macOS) for notes integration
  • Network: Connect to AI providers, Google APIs, and other services on your behalf
  • Microphone: Capture audio for speech-to-text when you use voice dictation

None of these permissions allow us (PebbleFlow the company) to access, collect, or view your browsing data, page content, files, or tabs. The permissions operate entirely within the apps on your device.


Data Sharing

We (the company) do not sell, trade, or transfer your personal information to third parties. The only data we hold is your email, name, and avatar for licensing purposes.

Data the apps transmit on your behalf:

The apps send data to third-party services at your direction. These are direct connections from the apps on your device -- we are not an intermediary:

  1. To OpenRouter (or your chosen AI provider): When you send a message, the apps send your conversation context (including messages, system prompts, user profile, and any shared page content) to generate a response
  2. To local AI providers (if configured): When using local models (e.g., Ollama), the apps send data to your local server only -- nothing leaves your device
  3. To Google: When you use Google Docs/Drive features, the apps send requests directly to Google's APIs using your OAuth token
  4. To ElevenLabs / Resemble.ai: When you use cloud voice features, the apps send text or audio using your own API key
  5. To external APIs: When you explicitly use API integration tools, the apps make HTTP requests on your behalf

Data we (the company) receive:

  1. From subscription users: If you purchase a subscription, we receive your email, name, avatar, and billing information (not conversation content)

Data Retention

App data (on your device):

  • Local data: Stored by the apps on your device until you clear it or uninstall
  • Clearing conversations: You can delete individual threads or all conversation history from the UI
  • Clearing settings: You can reset settings to defaults or delete custom modes/variables
  • Clearing all data: Uninstalling the apps immediately and permanently removes all local data
  • No server backups: We do not create server-side backups of your app data. Once deleted locally, data cannot be recovered.
  • Export before deletion: Use Settings → Backup & Restore to export your data before clearing or uninstalling

Company-held data:

  • Account data: Your email, name, and avatar are retained while your account exists. Contact us to request deletion.
  • Subscription data: If you cancel a subscription, billing records are retained as required by law

Your Rights

You have the right to:

  • Access: View all your data (it's stored locally on your device)
  • Edit: Modify your user profile, settings, and conversations at any time
  • Delete: Remove individual conversations, custom variables, or all data
  • Export: Export your conversations, settings, and configurations using the built-in export feature (Settings → Backup & Restore)
  • Portability: Import/export settings to move between devices or create backups
  • Opt-out: Use the apps without a subscription (BYOK model with your own API key)

Children's Privacy

PebbleFlow is not intended for children under 13. We do not knowingly collect information from children under 13.


Security

The apps employ several security measures to protect your data:

  • Local storage encryption: Platform storage APIs use the operating system's encryption
  • No server-side storage: We don't store your app data on our servers, reducing breach risk
  • Direct API communication: The apps send API keys directly to providers, never through our servers
  • OAuth tokens: Google tokens are managed by the apps and stored securely on your device using the platform's encrypted storage APIs
  • Token isolation: OAuth tokens are stored locally in your user profile. If you export your profile, tokens are included in the export.
  • Cloud voice API keys: ElevenLabs and Resemble.ai API keys are stored locally on your device and never transmitted to us

Your responsibilities:

  • Keep your API keys secure and never share them
  • Use strong passwords for your Google account
  • Regularly review your user profile and settings
  • Only install PebbleFlow from the official Chrome Web Store, App Store, or authorized distribution channels
  • Understand that when you direct the apps to share content with an AI provider, that content is subject to the provider's privacy policy

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Significant changes will be communicated through:

  • Update notes in app stores (Chrome Web Store, App Store, etc.)
  • In-app notifications (if applicable)
  • Email (for subscription users)

Google API Services User Data Policy

PebbleFlow's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use Disclosure

PebbleFlow's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • The apps only request access to Google user data necessary to implement features you've explicitly requested
  • We do NOT use Google user data for serving advertisements
  • We do NOT allow humans to read Google user data, except:
    • When necessary to provide the service (AI analysis you request via the apps)
    • For security purposes (detecting abuse)
    • When required by law
  • We do NOT transfer Google user data to third parties, except:
    • To your chosen AI provider (OpenRouter, Anthropic, etc.) when you explicitly request analysis of Google Docs, Gmail, or other Google content via the apps
    • As necessary to comply with applicable law
    • As part of a merger, acquisition, or sale of assets (with user notification)

Your Google authentication tokens are stored locally on your device by the apps and transmitted directly to Google's servers -- never to our servers. When you grant Google permissions, you are authorizing the apps to access Google services for you, not granting us access to your Google data.


Contact Us

If you have questions about this privacy policy, please contact us at:


Summary

Question | Answer
What do you (the company) collect? | Email, name, and avatar -- for licensing only
Do you collect my conversations? | No -- the apps store them locally on your device; we never see them
Do you see my API key? | No -- unless you use a PebbleFlow-provisioned key (at-cost, privacy-enhanced)
Do you have access to my Google account? | No -- the apps connect to Google directly using your tokens
Do you track my browsing? | No
Do you use analytics? | No
Where is my data stored? | On your device (browser storage, app data folder, or app sandbox)
Is my user profile sent to AI models? | Yes -- the apps send it to personalize responses, but not to our servers
Why do the apps request so many permissions? | So they can browse, read files, and use services for you -- not for us
Can I use PebbleFlow completely offline? | Yes -- with local AI models and local voice (Kokoro, Whisper)
Can I back up my data? | Yes -- encrypted backup to Google Drive with AES-256 (optional)
Can Google read my backups? | No -- the apps encrypt before upload; only you have the key
Can I use voice privately? | Yes -- browser TTS/STT, Kokoro TTS, and Whisper STT all run entirely on your device
What are Zero Data Retention models? | AI models that don't store or train on your conversations
Does PebbleFlow work on all my devices? | Yes -- browser extension, macOS, iOS, Android, Windows, and Linux
Can I export my data? | Yes -- via Settings → Backup & Restore
What happens if I uninstall? | All local data is deleted
What are subscription plans for? | Software access and features -- not AI credits