This page describes how we protect your data and how the system is designed.
4.1 Local-first by design
On the desktop app, your code, files, project database, secrets, and agent memory live on your own computer. They are not stored on LilBuz servers by default. The smaller the amount of your data we hold, the smaller the attack surface - so local-first is a security feature, not just a convenience.
4.2 How secrets and tokens are handled
- Secrets you save (API keys, environment variables) and integration access tokens (GitHub, Stripe, etc.) are stored encrypted on your device.
- Integration tokens are used only to perform the actions you request (e.g. push to your repo, deploy your build) and are not logged in plain text or shared.
- When the agent runs git operations, your token is used locally to authenticate to your repo - it isn't printed or sent anywhere except to the provider you connected.
4.3 Data in transit
Connections to our cloud backend, AI providers, and the services you connect use encrypted transport (HTTPS/TLS). Deployments to your chosen host are made over the host's secure channels (e.g. SSH for a VPS).
4.4 Authentication
Accounts are protected by your credentials or Google sign-in, with session management and token refresh handled by our cloud backend (Supabase). We recommend using a strong, unique password and enabling two-factor authentication (2FA) where it's available.
4.5 AI processing boundary
When the agent runs, your prompt and the relevant project context are sent to AI model providers (e.g. Anthropic) over encrypted channels to generate output, then returned to you. We send the context needed for the task rather than your entire project wholesale. Our AI providers are bound by agreements not to train on your content (see Privacy 1.5).
4.6 Your shared-responsibility role
Security is a partnership. You help keep your projects safe by:
- keeping your device, OS, and the LilBuz app updated;
- protecting your account credentials and enabling 2FA where available;
- reviewing AI-generated code before deploying it (the agent can make mistakes);
- managing access to repos, hosts, and databases you connect;
- not committing real secrets into code that you publish.
4.7 Reporting a vulnerability
If you discover a security issue, please report it responsibly to security@lilbuz.ai. Please don't publicly disclose it until we've had a reasonable chance to fix it. We appreciate good-faith security research and will work with you to resolve valid reports.
4.8 Incident handling
If a security incident affecting your personal data occurs, we will investigate, take steps to contain it, and notify affected users and authorities without undue delay and within the timeframes required by applicable law.
4.9 Contact
Security questions: support@lilbuz.ai, LilBuz AI (Wyoming LLC).