§ 01
What we don't collect
Your input text. Your detected secrets. Your secret map. The AI's response. The restored output. None of these are transmitted, logged, or persisted on any wharx server. They live in your browser tab and your clipboard.
Your input text. Your detected secrets. Your secret map. The AI's response. The restored output. None of these are transmitted, logged, or persisted on any wharx server. They live in your browser tab and your clipboard.
All 100+ detection patterns, the placeholder generator, the Luhn / MOD-97 / Verhoeff validators, the exposure scorer, and the restore engine. The redaction round-trip is a pure-JS pipeline that loads with the page and runs in-tab. We ship the code; you run it.
We use localStorage to remember your detection-pack selections, your most recent session, and the onboarding flag. You can wipe it from Clear or DevTools at any time. Exported JSON sessions live only on your machine.
If you sign in for Pro, we store the minimum to bill you: email, plan, Stripe customer ID, and a usage counter. Cloud-synced sessions and custom rules are encrypted at rest and only accessible by your account. We never see plaintext placeholders.
AWS (hosting, data residency in us-east-1 unless noted), Stripe (Pro billing), Cognito (auth). No analytics, no trackers, no third-party scripts on the marketing site or in the extension.
Reach security@wharx.com for vulnerability reports. Reach privacy@wharx.com for data-subject requests. We respond within 5 business days.
THE SHORT VERSION
Wharx is a tool, not a service. There is no server in the round-trip.