Trust

Trust.

What runs where, what is collected, and what API/MCP can do.

Consent-gated Browser-local Read-only MCP
Processing boundaries

Browser-local tools keep files and pasted text in the browser.

Server jobs are labeled, capped, temporary, and deletable where supported.

Telemetry boundaries

Optional Google analytics and advertising are consent-gated.

Product telemetry uses operational metadata only.

Account and API boundaries

Account pages use session cookies and CSRF checks.

API and MCP use scoped keys, credits, limits, and the same logging guardrails.

MCP boundaries

The current MCP surface is limited to read-only lookup and report tools.

No uploads, billing actions, delete actions, automation, shell execution, or broad mutation.

Working practices
  • No raw content in analytics.
  • Narrow tools over broad actions.
  • Temporary artifacts for server jobs.
  • Public boundaries for files, API, and MCP.