ForkFirst

Privacy and local-first storage

Your ideas stay yours.

ForkFirst helps you research public GitHub repos and generate AI-builder handoffs without creating an account. The app is designed to keep user-entered ideas, saved repos, and handoff drafts local to the browser unless a specific request needs to be sent to GitHub or your selected AI provider.

BYOK by design

ForkFirst does not require accounts. Keys are provided by the user and used only for actions the user triggers.

Local-first drafts

Saved chats, repos, handoffs, prompt packs, and usage entries live in the browser by default.

No prompt selling

ForkFirst is not built around selling, renting, or training on your app ideas or handoff text.

Masked analytics

Product analytics should track actions, not raw idea text, API keys, README text, or handoff contents.

What stays in your browser

Saved chats, saved repos, saved handoffs, prompt pack choices, accent/theme settings, and usage counters are stored in browser storage by default. ForkFirst does not attach that information to a hosted user account.

If you use a shared machine, clear browser data after use. Browser storage can be read by someone with access to the unlocked device, malicious extensions, malware, or a future browser-side security bug.

What gets sent when you use the hosted app

When you trigger repo search, key verification, chat, idea refinement, or trending requests, ForkFirst sends the minimum needed request to its API route. That route may forward your GitHub token to GitHub or your AI key to the selected AI provider for that action.

ForkFirst should not intentionally log raw API keys, raw prompts, README text, or full handoff contents. The practical privacy model is transparent BYOK routing, not a claim that hosted usage is fully local.

Analytics

ForkFirst may use Vercel Web Analytics and strictly masked Microsoft Clarity to understand traffic, device layout problems, and where users get stuck. Analytics should describe product actions like starting a check, opening repo details, or downloading a handoff.

Analytics should not include raw idea text, API keys, full chat transcripts, README excerpts, or handoff files. Sensitive app surfaces are marked for masking.

Local runs

If you clone ForkFirst and run it locally, the same browser-to-API-route flow happens on your own machine. Your keys are then forwarded from your machine to GitHub or your selected AI provider.

Security model

Privacy and security overlap, but they are not the same page. For BYOK risks, key storage, rate limits, and vulnerability reporting, read the security model.

Read the ForkFirst security model

Contact

For privacy, support, feedback, or security-related questions, use the official project page or repository security channel.