Privacy Policy
Last updated: 8/14/2025
Overview
Cirklu is a zero‑exposure API key manager. Our browser extension encrypts your keys locally in your browser and stores them only in your browser storage. We do not transmit your keys to our servers.
Data We Process
- API keys (encrypted): Encrypted client‑side using AES‑256‑GCM before storage in chrome.storage.local. Keys never leave your device unencrypted and are never sent to Cirklu servers.
- Key metadata: Non‑sensitive metadata (e.g., provider label, masked key suffix like ••••1234, timestamps, environment) stored locally to power UX.
- Share links: When you create a share, only an encrypted URL fragment and a key hash are stored locally to manage expiration and duplicates. Decryption occurs client‑side.
- Telemetry (minimal): Non‑sensitive usage events (e.g., button clicks) may be attempted; failures are tolerated and no keys/plaintext are included. Telemetry is currently no‑op by design.
Where Your Data Lives
- Local‑only by default: Keys and metadata are stored in the extension’s local storage. Master keys are generated client‑side and, when a master password is set, wrapped with your password‑derived key and stored locally.
- No server storage of keys: Cirklu does not store your API keys on our servers. Our website uses Firebase for auth/infrastructure but does not receive your keys.
Security Model
- Client‑side encryption: Keys are encrypted with AES‑256‑GCM using a master key held in memory while unlocked. With a master password, the master key is wrapped using a PBKDF2‑derived KEK and stored locally.
- Zero‑exposure design: Paste/autofill uses a secure injection path; we avoid clipboard use and zeroize buffers after use.
- Auto‑lock: Session auto‑locks after inactivity; unlocking requires your master password. We cannot recover your password.
What We Don’t Collect
- No plaintext API keys
- No server‑side copies of your encrypted keys
- No content of forms where you paste keys
Third‑Party Services
- Firebase (Website): Used for website auth/infra only. It does not receive your stored API keys.
- Chrome Storage: Browser‑provided local storage for extension data.
Your Controls
- Set a master password and lock/unlock your vault.
- Delete individual keys or clear all data from the extension.
- Uninstall the extension to remove all local data.
Contact
Questions or concerns? Email connect@cirklu.com
This policy reflects the behavior verified in our open codebase at the time of publication and will be updated if our architecture changes.