TEKIMAX/Transcript Vault

Security & privacy

Local-only posture, age encryption, on-device AI, and the limits we are honest about.

Local only

The desktop app runs entirely on your Mac:

  • No telemetry
  • No analytics
  • No accounts
  • No background network calls

The only outbound traffic is whatever you start yourself: clicking a "rotate this key" link out to a provider's dashboard, or pulling a local AI model from Ollama for the optional explainer feature.

The marketing site has a small download counter behind dl.tekimax.ai/get that records aggregate totals only (per-day, country bucket, referrer host, UTM tags). It sees only what a Cloudflare edge already sees on any request; it never stores IPs, user agents, or per-request rows. You can see the current counter at fulfillment.tekimax.ai/download/stats.

Encryption

Transcripts in the vault are encrypted with age using X25519 + ChaCha20-Poly1305.

  • Identity key — generated on first run, stored in your macOS login Keychain, protected by your login password. The shipping Developer ID build does not use the Data Protection Keychain (that requires a provisioning profile and a different distribution path); the file-based login Keychain is what actually ships.
  • Vault location — ~/Library/Application Support/dev.tekimax.transcriptvault/
  • At rest — every file in the vault is age-encrypted. The decrypted contents only ever exist in memory during a view or restore action, and only inside the Transcript Vault process.

The AI helper never sees a cleartext key

If you turn on the optional on-device AI helper, the app talks to a local LLM via Ollama on localhost. You pull the model yourself; no prompt ever leaves your Mac.

Before any transcript excerpt is handed to the model, it is run back through the same secret detector and every match is masked (first-4 + last-4, fixed star count). The literal token is never re-emitted in plaintext, not even to the local LLM. There are unit tests covering this in core/src/secrets.rs.

If you don't install Ollama, the feature is simply hidden; everything else works the same.

What we are honest about

  • Detection is heuristic. It can over-flag (a Base64-looking string that isn't a key) and it can miss (a key in a non-standard wrapper). Treat the report as a strong hint, not a court ruling.
  • Deleting a transcript does not rotate a key. Removing the file removes the copy on your machine; the key remains valid at the provider until you rotate it there. The app tracks rotation state for exactly this reason.
  • Encryption protects data at rest, not against a compromised user account. If someone is already logged in as you on your Mac with your Keychain unlocked, they can read the vault. Use FileVault and a screen lock.
  • The licence check is offline. A determined adversary with a debugger can patch a binary. We deter casual sharing, not state-level attackers.
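To make two of the points above concrete (the first-4 + last-4 masking with a fixed star count that the AI helper applies before any excerpt reaches the local model, and the over-flag / miss behaviour of heuristic detection), here is an added, self-contained Rust example. It is not Transcript Vault's own core/src/secrets.rs: the detector rule (a run of at least 20 Base64-style characters containing both letters and digits), the thresholds, and the sample excerpt with its constructed `sk-live-...` token are all assumptions made for illustration.

```rust
// Added example, not the project's own code. Shows the masking rule from the
// page (keep first 4 + last 4, fixed star count) on top of a deliberately
// simple, deliberately broad detection heuristic (assumed here, not the
// project's real rule), so the over-flag and miss cases are visible.

/// Minimum length for a run of characters to count as "secret-looking".
/// Assumed threshold for this example.
const MIN_SECRET_LEN: usize = 20;
/// Fixed number of stars: constant so the mask does not leak the token length.
const STAR_COUNT: usize = 8;

/// Mask a matched token: first 4 and last 4 characters survive, the middle is
/// replaced by a fixed number of stars. Tokens too short to have a middle are
/// fully masked rather than echoed.
pub fn mask_token(token: &str) -> String {
    let chars: Vec<char> = token.chars().collect();
    if chars.len() <= 8 {
        return "*".repeat(STAR_COUNT);
    }
    let head: String = chars[..4].iter().collect();
    let tail: String = chars[chars.len() - 4..].iter().collect();
    format!("{}{}{}", head, "*".repeat(STAR_COUNT), tail)
}

/// Heuristic detector: a run of Base64 / URL-safe characters at least
/// MIN_SECRET_LEN long that mixes letters and digits. Broad on purpose: it
/// will flag an ordinary Base64 blob (over-flag) and will not see a key that
/// has been split into short groups (miss).
pub fn looks_like_secret(core: &str) -> bool {
    if core.len() < MIN_SECRET_LEN {
        return false;
    }
    let allowed = core
        .chars()
        .all(|c| c.is_ascii_alphanumeric() || "+/=_-".contains(c));
    let has_alpha = core.chars().any(|c| c.is_ascii_alphabetic());
    let has_digit = core.chars().any(|c| c.is_ascii_digit());
    allowed && has_alpha && has_digit
}

/// Redact every secret-looking whitespace-separated token in an excerpt.
/// Surrounding punctuation (a trailing comma, quotes, brackets) is kept so the
/// sentence still reads naturally; only the matched core is masked.
pub fn redact_excerpt(excerpt: &str) -> String {
    excerpt
        .split_whitespace()
        .map(|word| {
            let core = word.trim_matches(|c: char| ".,;:!?\"'()[]{}<>".contains(c));
            if core.is_empty() || !looks_like_secret(core) {
                return word.to_string();
            }
            // `core` is a substring of `word`, so this lookup always succeeds.
            let start = word.find(core).unwrap_or(0);
            let prefix = &word[..start];
            let suffix = &word[start + core.len()..];
            format!("{}{}{}", prefix, mask_token(core), suffix)
        })
        .collect::<Vec<_>>()
        .join(" ")
}

fn main() {
    // Constructed sample excerpt with a made-up token; not a real key.
    let excerpt = "Use key sk-live-4f9a2b7c1d0e3a5b6c8d9e for billing, not 20 or hello.";
    println!("{}", redact_excerpt(excerpt));
    // Over-flag: a constructed Base64-looking string that is not a key.
    println!("flags plain base64: {}", looks_like_secret("SGVsbG8gV29ybGQgdGhpcyBpcyBmaW5l"));
    // Miss: the same kind of key written in short groups slips past the rule.
    println!("{}", redact_excerpt("key 4f9a 2b7c 1d0e 3a5b 6c8d 9e01"));
}
```

The property worth testing is the one the page states: after redaction the literal token never appears in the text handed to the model, whatever the detector's false-positive rate. The two printed caveat cases show why the page calls the report a strong hint rather than a verdict.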

Reporting a vulnerability

Please email security@tekimax.ai with details. We'll acknowledge within two business days. Don't open a public issue for a security bug.

Privacy questions

privacy@tekimax.ai.
