Last Updated: 2026-05-23
Promptimize takes security and privacy seriously. This document outlines our security model, data handling practices, and privacy guarantees.
flowchart LR
A[Microphone] -->|Captured| B[Extension Host Memory]
B -->|Encoded| C[WAV Buffer]
C -->|Sent via HTTPS| D[OpenAI Whisper]
D -->|Response| E[Text Result]
C -.->|Immediately Discarded| F[Garbage Collected]
style F fill:#f99,stroke:#f00
Key Points:
- ✅ Audio exists only in memory (RAM)
- ✅ Never written to disk
- ✅ Sent over encrypted HTTPS
- ✅ Immediately discarded after transcription
- ✅ No recording history
- ✅ No replay capability
See ADR-0009: No Persistent Audio Storage for rationale.
Where keys are stored:
- ✅ VSCode SecretStorage API
- ✅ Platform-specific secure storage:
- macOS: Keychain
- Windows: Credential Manager
- Linux: Secret Service API (gnome-keyring, kwallet)
Where keys are NOT stored:
- ❌ NOT in
settings.json - ❌ NOT in plain text files
- ❌ NOT in extension storage
- ❌ NOT in workspace files
- ❌ NOT in git repositories
How keys are used:
- ✅ Read only when needed
- ✅ Sent only to OpenAI (HTTPS)
- ✅ Never logged (transcriptions and prompts are also excluded from logs)
- ✅ Never displayed (masked in UI)
- ✅ Never sent to telemetry
Masking:
// API key: sk-abc123...xyz789
// Displayed as: sk-abc1...z789
getMasked(): string {
return `${key.substring(0, 7)}...${key.substring(key.length - 4)}`;
}See ADR-0008: VSCode SecretStorage for implementation.
All external communication uses HTTPS:
- ✅ OpenAI Whisper API:
https://api.openai.com - ✅ OpenAI GPT-4 API:
https://api.openai.com - ✅ Certificate validation enforced
- ✅ TLS 1.2 or higher required
- ❌ No Google Analytics
- ❌ No Mixpanel
- ❌ No Sentry
- ❌ No telemetry of any kind
Data flow:
You → Extension → OpenAI
NOT:
You → Extension → Our Servers → OpenAI ❌
Whisper API:
- Audio file (WAV, temporary)
- Language hint (optional)
- Prompt hint (optional)
GPT-4 API:
- Transcribed text
- System prompt (instructions)
- Context (editor language, project type)
According to OpenAI's Privacy Policy and API Data Usage Policy:
- API data NOT used for training: Data sent via API is not used to train models (as of March 2023)
- 30-day retention: API data retained for 30 days for abuse monitoring, then deleted
- No human review: API requests not reviewed by humans (unless flagged for abuse)
Important: Users should review OpenAI's policies themselves as they may change.
Request flow:
- Extension requests microphone via
getUserMedia() - Browser/OS shows permission dialog
- User grants or denies
- Result stored by OS (not by extension)
Permission scope:
- ✅ Only when recording
- ✅ Released immediately after recording
- ✅ No background recording
- ✅ User must explicitly start each recording
macOS:
- System Settings → Privacy & Security → Microphone
- VSCode/Cursor must be enabled
Windows:
- Settings → Privacy → Microphone
- VSCode/Cursor must be enabled
Linux:
- Varies by distribution
- Usually handled by browser permission system
| Threat | Mitigation |
|---|---|
| API key theft | SecretStorage encryption, never logged |
| API key exposure | HTTPS only, masked in UI |
| Audio interception | HTTPS encryption in transit |
| Audio exfiltration | No persistent storage, immediate cleanup |
| Transcription interception | HTTPS encryption |
| Malicious prompt injection | Input validation, no code execution |
| Rate limit abuse | Per-user rate limiting, max duration |
| Threat | Responsibility |
|---|---|
| Compromised OpenAI | OpenAI's infrastructure security |
| OS keychain compromise | Operating system security |
| Browser/VSCode compromise | Electron/VSCode security |
| Network MITM | TLS/certificate infrastructure |
| Physical access | User's device security |
Nothing.
The extension collects ZERO data:
- ❌ No usage statistics
- ❌ No error reports
- ❌ No telemetry
- ❌ No analytics
- ❌ No user identification
- ❌ No tracking
When you use the extension, OpenAI receives:
- Your audio recordings (via Whisper API)
- Your transcriptions (via GPT-4 API)
- Your API key (for authentication)
- Your IP address (inherent to HTTP)
Governed by: OpenAI Privacy Policy
For EU users:
- ✅ No data controller (we don't collect data)
- ✅ Data sent to OpenAI (user consent required)
- ✅ Right to erasure (delete API key from settings)
- ✅ Data portability (transcriptions in plain text)
- ✅ Transparency (this document)
Important: Using this extension means sending data to OpenAI (US company). Users should review OpenAI's GDPR compliance.
API Key Security:
- ✅ Generate a new API key specifically for this extension
- ✅ Set spending limits in OpenAI dashboard
- ✅ Rotate keys periodically
- ✅ Never share your API key
- ✅ Monitor usage in OpenAI dashboard
Device Security:
- ✅ Keep OS and VSCode updated
- ✅ Use disk encryption (FileVault, BitLocker)
- ✅ Lock screen when away
- ✅ Use strong password/biometric auth
Recording Privacy:
- ✅ Be mindful of what you say
- ✅ Don't record sensitive passwords/keys
- ✅ Remember: audio goes to OpenAI
- ✅ Use in private environment
Code Security:
- ✅ Regular dependency updates
- ✅ No hardcoded secrets
- ✅ Input validation everywhere
- ✅ Error messages don't leak secrets
- ✅ Code reviews for security issues
API Usage:
- ✅ Always use HTTPS
- ✅ Validate SSL certificates
- ✅ Timeout all requests
- ✅ Rate limit protection
- ✅ Never log API keys
Immediate actions:
- Revoke compromised key in OpenAI dashboard
- Generate new API key
- Update key in Promptimize settings
- Review OpenAI usage logs for unauthorized activity
- Consider reporting to OpenAI if abuse detected
Responsible Disclosure:
- Email: security@promptimize.dev (create)
- Include: Description, reproduction steps, impact
- We commit to: Response within 48 hours
- We commit to: Fix within 7 days for critical issues
- Public disclosure: After fix is released
- All dependencies scanned for vulnerabilities
- No secrets in code or git history
- API keys stored in SecretStorage only
- All external calls use HTTPS
- Input validation on all user input
- Error messages don't leak secrets
- No audio written to disk
- Memory cleanup verified
- Permission handling tested
- OWASP Top 10 reviewed
- Code: MIT License (permissive)
- Dependencies: Compatible open-source licenses
- No proprietary code
- No encryption beyond standard HTTPS
- No export restrictions
- Open source, freely distributable
- ✅ Full source code on GitHub
- ✅ All dependencies visible
- ✅ Build process transparent
- ✅ No obfuscation
- ✅ Community auditable
This security document is versioned and changes are:
- Announced in release notes
- Visible in git history
- Subject to user review
Privacy Guarantees:
- ✅ No telemetry or analytics
- ✅ Audio never persisted
- ✅ API keys stored securely
- ✅ All communication encrypted
- ✅ No data collection by extension
- ✅ Open source and auditable
User Responsibilities:
⚠️ Understand data goes to OpenAI⚠️ Protect API key⚠️ Keep software updated⚠️ Use in trusted environment
Next: See ADR-0009: No Persistent Audio Storage.