Privacy Policy

Last updated: November 25, 2024

Overview

Cirklu is a zero‑exposure API key manager. Our browser extension encrypts your keys locally in your browser and stores them only in your browser storage. We do not transmit your keys to our servers.

Website Access & Content Scripts

Cirklu requests <all_urls> permission in the Chrome extension manifest. This section explains why we need this access and exactly what our extension does on websites you visit.

Why We Need Access to All Websites

Cirklu is designed to work seamlessly across any website where you need to use an API key - including developer dashboards, API documentation sites, testing tools, and custom internal platforms. To provide secure key injection and paste detection on any site, we require broad website access.

This permission does NOT mean we read or collect your browsing data. We only activate features when you explicitly interact with input fields that may need API keys.

What Our Content Script Does

Our content script runs on websites you visit and provides these opt-in features:

  • Ctrl+K Quick Access: When you press Ctrl+K (or Cmd+K on Mac) while focused on an input field, Cirklu opens a command palette to securely paste a saved key from your vault.
  • Smart Paste Detection: When you paste text that matches known API key patterns (e.g., OpenAI keys starting with sk-, Stripe keys starting with sk_live_), Cirklu offers to save the key to your encrypted vault. You can dismiss or accept this offer.
  • Secure Key Injection: When you choose to paste a key from your vault, Cirklu decrypts it in memory and injects it into the target input field using secure methods that avoid clipboard exposure.
  • Shared Link Decryption: When you open a Cirklu share link (e.g., https://cirklu.com/share/...), the content script enables client-side decryption of the shared key using the passphrase you provide.

What We DO NOT Do with Website Access

We respect your privacy and do NOT use website access for:

  • No browsing history tracking: We do not log, store, or transmit URLs of websites you visit.
  • No page content reading: We do not read, analyze, or extract content from web pages (except to detect input fields where you may paste keys).
  • No form data collection: We do not capture or store data you enter into forms, except for API keys you explicitly choose to save.
  • No ads or tracking pixels: We do not inject advertisements, tracking scripts, or analytics into web pages.
  • No background monitoring: Our content script only activates when you trigger a keyboard shortcut or paste an API key pattern. It does not continuously monitor your activity.
  • No third-party data sharing: Information about which websites you use Cirklu on is never transmitted to our servers or third parties.

How to Verify Our Claims

Cirklu is committed to transparency:

  • Open Source (Coming Soon): Our extension codebase will be publicly available for audit. You can inspect exactly what our content scripts do.
  • No Telemetry by Default: We do not send usage analytics or telemetry data about which websites you visit or which keys you use.
  • Local-First Architecture: All key detection, encryption, and injection happens locally in your browser. No website interaction data is sent to Cirklu servers.
  • Browser DevTools Inspection: You can open Chrome DevTools → Network tab to verify that Cirklu does not make background requests to external servers when you use keys on websites.

Content Script Permissions Summary

Manifest Permission:

"host_permissions": ["<all_urls>"]

Purpose:

Enable secure key injection and paste detection on any website where you may need to use API keys (developer platforms, testing tools, custom internal sites).

Data Accessed:

  • Input field detection (to identify where you want to paste keys)
  • Pasted text matching API key patterns (to offer save functionality)
  • No browsing history, page content, or form data is collected or transmitted

Disabling Content Script Features

If you prefer not to use content script features on certain sites:

  • Ignore prompts: Simply dismiss or ignore paste detection prompts. They will not interfere with your workflow.
  • Use popup only: You can manage all your keys through the extension popup without ever using Ctrl+K or paste detection on web pages.
  • Chrome Site Settings: Use Chrome's built-in site permissions to disable the extension on specific domains (Right-click extension icon → "This can read and change site data" → "On specific sites").

Bottom Line: We request <all_urls> permission to enable key management on any website you choose, but we do not abuse this access. Your privacy and security are our top priority.

Google API Services Usage

Cirklu's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Data Accessed from Google Services

When you enable optional cloud backup via Google Drive, Cirklu accesses:

  • Google Drive - File Access: Read and write access to files created by Cirklu only (using https://www.googleapis.com/auth/drive.file scope). We only access a dedicated "Cirklu" folder that our app creates.
  • User Profile Information: Basic profile information (email address) to identify your Google account for sync purposes.

Note: Cloud backup is completely optional. You can use Cirklu without ever connecting to Google Drive.

How We Use Google User Data

Cirklu uses Google Drive data exclusively for:

  • Encrypted Backup Storage: Storing your encrypted API keys in a dedicated Cirklu folder in your Google Drive for cross-device synchronization.
  • Sync Functionality: Reading encrypted backup files from Google Drive to restore your keys on other devices.
  • Data Integrity: Maintaining a manifest file to track which encrypted keys exist in your backup.

Zero-Knowledge Architecture: All API keys are encrypted on your device using AES-256-GCM before being uploaded to Google Drive. Your master encryption key never leaves your device. Google cannot decrypt or read your stored API keys.

Data Sharing with Third Parties

We do not share your Google user data with any third parties. Specifically:

  • Your encrypted backup files remain in your personal Google Drive and are never transmitted to Cirklu servers or any other third party.
  • We do not sell, rent, or share your Google account information with anyone.
  • We do not use your Google data for advertising or analytics purposes.
  • Your Google Drive OAuth token is encrypted and stored locally in your browser only.

Data Storage & Protection

Google Drive data security practices:

  • Local Encryption First: All data is encrypted using AES-256-GCM on your device before any upload to Google Drive.
  • Encrypted Token Storage: Your Google Drive OAuth access token is encrypted with your master key and stored in browser local storage only.
  • No Server Storage: Cirklu servers never receive, process, or store your Google Drive files or access tokens.
  • Minimal Permissions: We only request the minimum required scope (drive.file) which limits access to files created by Cirklu only.
  • Your Control: Files are stored in your personal Google Drive account. You maintain full ownership and control.

Data Retention & Deletion

You have complete control over your Google Drive data:

  • Retention Period: Encrypted backup files remain in your Google Drive until you explicitly delete them. We do not automatically delete your backups.
  • Disconnect Cloud Backup: Click "Disconnect" in Cirklu settings to revoke access and stop syncing. This removes the stored OAuth token from your browser.
  • Delete Backup Files: Navigate to the "Cirklu" folder in your Google Drive and delete the folder to permanently remove all backup files.
  • Revoke OAuth Access: Visit your Google Account Permissions page and remove Cirklu to revoke all access.
  • Complete Data Deletion: Uninstalling the Cirklu extension removes all local data. Separately delete the Google Drive folder to remove cloud backups.

For assistance with data deletion, contact us at connect@cirklu.com.

Data We Process

  • API keys (encrypted): Encrypted client‑side using AES‑256‑GCM before storage in chrome.storage.local. Keys never leave your device unencrypted and are never sent to Cirklu servers.
  • Key metadata: Non‑sensitive metadata (e.g., provider label, masked key suffix like ••••1234, timestamps, environment) stored locally to power UX.
  • Share links: When you create a share, only an encrypted URL fragment and a key hash are stored locally to manage expiration and duplicates. Decryption occurs client‑side.
  • Telemetry (minimal): Non‑sensitive usage events (e.g., button clicks) may be attempted; failures are tolerated and no keys/plaintext are included. Telemetry is currently no‑op by design.

Where Your Data Lives

  • Local‑only by default: Keys and metadata are stored in the extension’s local storage. Master keys are generated client‑side and, when a master password is set, wrapped with your password‑derived key and stored locally.
  • No server storage of keys: Cirklu does not store your API keys on our servers. Our website uses Firebase for auth/infrastructure but does not receive your keys.

Security Model

  • Client‑side encryption: Keys are encrypted with AES‑256‑GCM using a master key held in memory while unlocked. With a master password, the master key is wrapped using PBKDF2‑derived KEK and stored locally.
  • Zero‑exposure design: Paste/autofill uses a secure injection path; we avoid clipboard use and zeroize buffers after use.
  • Auto‑lock: Session auto‑locks after inactivity; unlocking requires your master password. We cannot recover your password.

What We Don’t Collect

  • No plaintext API keys
  • No server‑side copies of your encrypted keys
  • No content of forms where you paste keys

Third‑Party Services & Cloud Backup Providers

Optional Cloud Backup Services

Cirklu offers optional encrypted cloud backup via Google Drive or Dropbox. You choose which provider to use, if any.

Google Drive (Optional)

  • Scope: drive.file - Access only to files created by Cirklu
  • Purpose: Store encrypted backup files in a dedicated Cirklu folder
  • Data stored: Encrypted API keys (AES-256-GCM) and metadata manifest
  • Google cannot decrypt your keys - zero-knowledge architecture

Dropbox (Optional)

  • Permissions: files.metadata.read/write and files.content.read/write
  • Purpose: Store encrypted backup files in a dedicated Cirklu folder
  • Data stored: Encrypted API keys (AES-256-GCM) and metadata manifest
  • Dropbox cannot decrypt your keys - zero-knowledge architecture

Important: Both cloud providers store only encrypted data. Your master encryption key never leaves your device. Neither Google, Dropbox, nor Cirklu can read your stored API keys.

Other Services

  • Firebase (Website): Used for website auth/infra only. It does not receive your stored API keys.
  • Chrome Storage: Browser‑provided local storage for extension data.

Email Collection (Optional)

Cirklu may offer you the option to subscribe to product updates and news about new service integrations. Email subscription is completely voluntary and separate from your API key storage.

What Email Data We Collect

If you choose to subscribe to our emails, we collect:

  • Email Address: The email address you voluntarily provide for communication purposes.
  • Communication Preferences: Your selected preferences for what types of emails you want to receive (product updates, research invitations, early access notifications).
  • Subscription Metadata: Date of subscription and source (e.g., first-run welcome, settings page, 30-day milestone).

Note: Email subscription is presented at opportune moments (after saving your first key, at the 30-day milestone, or in settings) but is always optional. You can skip, dismiss, or decline at any time.

How We Use Your Email

We use collected email addresses exclusively for:

  • Product Updates: Notify you about new service integrations, features, and important product announcements.
  • Research Opportunities: Invite you to participate in user research or beta testing (if you opt in to this preference).
  • Early Access: Provide early access to new features and integrations (if you opt in to this preference).

Email Data is Completely Separate from Your Vault

Your email address is never linked to your API keys, vault data, or usage patterns. Specifically:

  • Email subscriptions are stored in a separate database collection (email_subscribers) with no connection to encrypted key storage.
  • We cannot and do not correlate your email with which API keys you store, which services you use, or how you use Cirklu.
  • Your email data is stored on Firebase servers, while your encrypted API keys remain local to your device or in your personal cloud storage (Google Drive/Dropbox) if you enable cloud backup.
  • Email subscription is processed independently from vault operations and does not affect the zero-knowledge architecture of key storage.

Email Data Sharing

We do not sell, rent, or share your email address with third parties. Specifically:

  • Your email is used only by Cirklu for the communication purposes you opted into.
  • We may use an email service provider (such as SendGrid or Mailchimp) to deliver emails, but these providers are bound by contract to only use your data for sending our emails.
  • We do not use your email for advertising, analytics, or any purpose other than direct communication about Cirklu.
  • We will never share your email with other companies for their marketing purposes.

Managing Your Email Subscription

You have complete control over your email subscription:

  • Update Preferences: Open Cirklu extension → Settings → Email & Updates to modify which types of emails you receive.
  • Unsubscribe Anytime: Click the "Unsubscribe" button in Settings, or use the unsubscribe link at the bottom of any email we send.
  • View Your Data: Check your current subscription status and preferences in the extension settings at any time.
  • Export Your Data: Request a copy of your email subscription data (email address, preferences, subscription date) from the Settings page.
  • Delete Your Data: Click "Delete All Data" in Settings to permanently remove your email address and all subscription data from our systems.

Data Retention

  • Active Subscriptions: We retain your email and preferences for as long as you remain subscribed.
  • After Unsubscribing: Your email record is marked as unsubscribed and we will not send further emails. The record may be retained for a short period to honor your unsubscribe request and prevent accidental re-subscription.
  • Permanent Deletion: You can request permanent deletion of your email data at any time through the extension settings or by contacting us at connect@cirklu.com.

Your Rights (GDPR Compliance)

If you are in the European Economic Area, you have the following rights regarding your email data:

  • Right to Access: Request a copy of your stored email data.
  • Right to Rectification: Update your email address or preferences.
  • Right to Erasure: Request deletion of your email data.
  • Right to Withdraw Consent: Unsubscribe at any time without penalty.
  • Right to Data Portability: Export your email subscription data in machine-readable format.

To exercise these rights, use the controls in extension settings or contact us at connect@cirklu.com.

Your Controls

  • Set a master password and lock/unlock your vault.
  • Delete individual keys or clear all data from the extension.
  • Manage your email subscription preferences or unsubscribe at any time in Settings.
  • Uninstall the extension to remove all local data.

Contact

Questions or concerns? Email connect@cirklu.com

This policy reflects the behavior verified in our open codebase at the time of publication and will be updated if our architecture changes.