Local-first by design.

What this document covers

Sephir is a Chrome / Firefox extension and a thin web dashboard at sephir.app. This page describes what the extension and the dashboard actually do with data — observed behaviour, not aspirations.

If something in the product disagrees with what's written here, the product is the bug. Email us at hello@sephir.app and we'll fix the side that's wrong.

The short version

• Conversation history lives on your device. Folders, prompts, audit logs, and message bodies are stored in chrome.storage.local. We do not sync them to our servers by default.
• BYOK requests skip our servers. When you bring an API key for OpenAI, Anthropic, Google, Mistral, OpenRouter, or Ollama, the extension talks directly to that provider from your browser. We never see the prompt or the response.
• ChatGPT Plus OAuth runs on your session. When you sign in with ChatGPT Plus, the Codex endpoint is called with your own browser cookie. Your OpenAI account is the system of record — not ours.
• Telemetry is opt-in. No usage data is collected unless you explicitly turn it on in settings. When opt-in is on, we transmit anonymous, aggregated counters — never message bodies.

Account data we store

If you create a sephir.app account (used for the lifetime licence and the eventual encrypted-sync feature), we store:

• Email address — for sign-in, receipts, and the trial-ending reminder.
• Name — display only; you can leave it blank.
• Hashed password — bcrypt via better-auth.
• Polar customer ID — to look up your licence and process refunds.

That is it. We do not store payment card numbers (Polar does) and we do not store conversation history, keys, or prompts in any of the dashboards.

Things we deliberately do not collect

• Browsing history. The extension reads page content only when you explicitly invoke a tool against the open tab.
• Tab inventory. We do not enumerate or transmit the URLs of tabs you have open.
• Provider API keys. Stored in chrome.storage.local on your device. Never sent to sephir.app servers.
• Personally-identifying device fingerprints. We do not run a fingerprinting library.

When data does leave your device

There are four narrow cases:

1. You sign in. Email + password go to sephir.app to look up your account and the licence state.
2. You make a Polar purchase or refund. Standard Polar checkout flow handles card data — we never see it.
3. You opt in to telemetry. Anonymous event counters are sent to a self-hosted endpoint. We never collect message content.
4. You email us. What you write in an email lives in our inbox like any normal email.

Third parties we use

• Polar — billing, checkout, refunds.
• Cloudflare Workers + KV — the dashboard backend and CDN.
• better-auth — authentication library (runs on our backend).

None of these vendors get your conversation history, keys, or tool outputs. They only handle account / billing surface area.

Your rights

You can delete your sephir.app account from the dashboard's account page. Deletion is immediate and irreversible. Polar retains payment records as required by tax law, but your name and email are scrubbed from our side.

You can also disable Sephir entirely by uninstalling the extension. Your local conversation history goes with it — we don't keep a server-side copy.

Changes to this document

If we materially change any of the above, the "Last updated" date at the top will change and existing accounts will get an email. We will not silently weaken the local-first posture.

Contact

Privacy questions, deletion requests, or anything that smells off: hello@sephir.app.