Security

How Trickle protects your data, credentials, and network communications.

1. Local-First Architecture

Your conversations, API keys, and settings are stored in a local database on your machine. There is no cloud sync, no account system, and no server-side storage of your content. No data leaves your device except API calls to your selected AI provider and optional telemetry.

2. Data In Transit

All connections use TLS. API keys are only sent to the specific AI provider you select — never to Kiruna Labs. Keys are never included in crash reports, telemetry, or log files. All database queries are parameterized to prevent injection. HTML content is sanitized before rendering.

3. Telemetry Privacy

Network telemetry is anonymous by construction. WiFi network names are cryptographically hashed before upload and cannot be reversed. Device identifiers are stripped before transmission. Message content, API keys, and browsing history are never included. You can disable telemetry uploads entirely in Settings. See our Privacy Policy for full details.

4. Reporting Vulnerabilities

If you discover a security vulnerability in Trickle, please report it responsibly to hello@trickle.chat. We take all reports seriously and will respond within 48 hours.

Please do not open public issues for security vulnerabilities.