Processing boundaries
Browser-local tools keep files and pasted text in the browser.
Server jobs are labeled, capped, temporary, and deletable where supported.
Trust
What runs where, what is collected, and what API/MCP can do.
Browser-local tools keep files and pasted text in the browser.
Server jobs are labeled, capped, temporary, and deletable where supported.
Optional Google analytics and advertising are consent-gated.
Product telemetry uses operational metadata only.
Account pages use session cookies and CSRF checks.
API and MCP use scoped keys, credits, limits, and the same logging guardrails.
The current MCP surface is limited to read-only lookup and report tools.
No uploads, billing actions, delete actions, automation, shell execution, or broad mutation.