PebbleFlow is locally-executing software. We don't process, store, or access your data. All processing happens on your device, in your browser, under your control.
PebbleFlow is a local software application that runs entirely in your browser. Unlike SaaS platforms, the company has no servers that receive, process, or store your data. Any connections to third-party AI services are made directly from your device using your credentials. We are a software vendor, not a cloud service.
PebbleFlow is a locally-executing software application. Unlike SaaS platforms, PebbleFlow the company does not process, store, or have access to the data handled by the extension. All data processing occurs within the user's local browser environment.
Under GDPR, PebbleFlow is a Software Vendor, not a Data Processor, as we do not handle personal data on behalf of the customer.
The extension is designed to function as a secure envelope. No confidential information, prompts, or personal data are ever sent to PebbleFlow servers.
The only data exported to our systems is limited to non-sensitive billing and account management metadata: email, display name, and avatar.
PebbleFlow does not create, receive, maintain, or transmit Protected Health Information (PHI) as defined by HIPAA. The extension functions as a local tool, similar to a local text editor or browser.
Because PebbleFlow (the company) never has routine access to the data being processed by the user, it does not qualify as a Business Associate or Subcontractor.
Any connection to third-party LLMs is established directly from the user's device. PebbleFlow does not act as a proxy or intermediary for these data streams. Your API keys, your credentials, your direct connection.
PebbleFlow does not host, store, or manage customer data. As such, a SOC 2 Type II audit—which focuses on cloud service controls—is not applicable to our business model. Our security focus is on:
We are fully GDPR compliant through Data Minimization and Privacy by Design. By ensuring that we never receive personal data, we eliminate the risks associated with data residency and international transfers.
PebbleFlow is a Zero-Entry-Point client application. By executing entirely within the browser's secure sandbox and initiating only outbound, user-authorized connections to existing SaaS providers, PebbleFlow delivers AI capabilities without expanding the organization's external attack surface.
PebbleFlow's architecture eliminates entire categories of risk by design.
PebbleFlow does not act as a server—it is a client-side agent. The extension does not open any ports on the user's device or the corporate firewall. Connections to Google Workspace or Cloud LLMs are initiated outbound from the browser, using the same HTTPS/TLS protocols already approved by the organization. Because there is no "PebbleFlow Cloud" acting as a proxy, an attacker cannot breach PebbleFlow's infrastructure to gain access to the customer's internal network.
PebbleFlow operates within the Chrome/Edge extension sandbox. This provides process isolation—the software cannot access the user's file system or other applications outside the browser—and permission scoping, where the extension only interacts with the specific web pages and APIs explicitly granted by the user.
PebbleFlow (the company) is never a party to the data exchange. In the standard model, data flows directly from the browser to the LLM provider. In the local model, data never leaves the user device. In both scenarios, PebbleFlow's servers only handle metadata related to subscription status—never the content of prompts or documents.
Browser connects directly to cloud AI providers and Google Workspace. PebbleFlow auth receives only billing metadata.
All AI processing via local Ollama server. Only outbound connection is license validation. Zero data export.
Understanding where your data lives and who can access it.
Your device connects directly to AI providers (OpenRouter, Ollama, Google, etc.) using your credentials. PebbleFlow is never in the middle of this connection.
PebbleFlow was designed from the ground up as a privacy-first agent platform. Here are the concrete protections built into every layer of the product.
PebbleFlow was architected by Fellows of Information Privacy (FIP), CISSP-certified security experts, CIPP-certified privacy professionals, and AIGP-certified AI governance professionals, in consultation with data protection counsel — making it the first truly privacy-by-design agentic platform built from the ground up.
| # | Privacy Principle | What We Built | How It Works |
|---|---|---|---|
| 1 | Data Minimization | Radical Data Minimization | We collect only your email address and display name for account billing. No usage data, no browsing history, no conversation content, no analytics, no telemetry — nothing else. Ever. |
| 2 | Notice & Consent | Just-in-Time Action Consent | Before the AI performs any impactful action or connects to an external third party, PebbleFlow displays a clear notification showing intent, action details, and risk level — requiring your explicit approval. |
| 3 | Data Portability | Full Data Portability | Your data belongs to you and can be exported at any time through the built-in backup and restore system. You are never locked in — take your conversations, settings, and configurations with you. |
| 4 | Confidentiality & Integrity | Zero-Knowledge Encrypted Cloud Sync | AES-256-GCM encryption with PBKDF2 key derivation (100,000 iterations). Data is stored in your Google Drive in encrypted form that not even Google can read. Lose your passphrase, and not even we can recover it. |
| 5 | Purpose Limitation | Zero Analytics & Telemetry | No analytics services, no tracking pixels, no event collection, no error reporting that phones home. We have zero visibility into how you use the product. |
| 6 | Consent & Transparency | Incremental Permission Requests | OAuth scopes are requested only when you first use a specific feature — not upfront. Clear explanation of what is being requested and why, every time. |
| 7 | Right to Erasure (Art. 17) | Right to Erasure | Comprehensive data deletion tools from surgical precision to full purge. Erase individual conversations, clear caches, or wipe all data entirely — you control what goes. |
| 8 | Storage Limitation | Keep What Matters, Discard the Rest | Unlike platforms that force all-or-nothing deletion, PebbleFlow lets you flag what to keep and automatically discard the rest. Configurable retention policies clean up accumulated data over time. |
| 9 | Privacy by Design & Default | Local-First Architecture | Run AI models locally with Ollama, on-device speech recognition (Whisper) and TTS (Kokoro), store everything locally. Operates completely offline — zero data needs to leave your machine. |
| 10 | Storage Limitation | Zero Data Retention Model Selection | Filter and select AI models with ZDR policies — the provider processes your request and immediately discards it. No logging, no training, no retention. |
| 11 | Data Subject Rights | Granular Location Controls | Choose between no location sharing, city-level precision, or full address detail. Disable with one click — all cached location data is immediately and permanently cleared. |
| 12 | Transparency | Transparent AI Actions | Every tool the AI invokes requires your explicit approval. You see the intent, action details, and risk level before anything executes. Nothing hidden, nothing automatic. |
Read our full Privacy Policy for detailed information about how data flows through the extension, or get started with PebbleFlow today.