Data & Privacy

Privacy-First Design

WebLLM is designed with privacy as a core principle. Users maintain full control over their data, provider choices, and retention policies.

Data Storage

What Gets Stored

The extension stores locally (in IndexedDB):

Conversation history - Requests and responses
Provider configurations - API keys, priorities
Permissions - Which sites can use WebLLM
Settings - User preferences

What Doesn’t Get Stored

❌ No data sent to extension developers
❌ No analytics or tracking
❌ No third-party services
❌ No cloud sync (unless user explicitly enables)

Storage Location

All data stored in:

IndexedDB - Browser’s local database
Encrypted at rest - API keys encrypted
Per-profile - Separate for each browser profile
User-controlled - Can export or delete anytime

Data Retention Policies

Users configure how long to keep history:

Retention Options

Data Retention Settings:
├── Keep history: [7 days | 30 days | 90 days | Forever]
├── Auto-delete after expiration: [✓]
└── Clear all data now [Button]

Automatic Cleanup

When auto-delete enabled:

Runs daily at midnight
Deletes conversations older than retention period
Keeps settings and permissions
Notification shown after cleanup

Manual Cleanup

Users can:

Clear all conversation history
Delete specific conversations
Remove provider configurations
Revoke all permissions
Reset extension to defaults

Privacy Modes

1. Local-Only Mode

Highest privacy - Use only local models:

✅ Data never leaves browser
✅ No internet required (after model download)
✅ Zero cost
✅ No API keys needed

Limitations:

Smaller models (1-4B parameters)
Slower inference
Limited capabilities

2. Personal API Keys

High privacy - Use your own API accounts:

✅ Direct connection to provider
✅ No intermediaries
✅ You control API key
✅ You see API usage

Data considerations:

Prompt data sent to AI provider
Subject to provider’s privacy policy
You pay directly

3. Application-Provided API

Standard privacy - App provides API access:

⚠️ Application sees requests
⚠️ Subject to app’s privacy policy
✅ Convenient (no setup)
✅ Often free for users

Data Flow Transparency

Usage Notifications

Every time a site uses WebLLM:

[WebLLM Icon] example.com is using AI
Action: Summarizing article
Provider: Local Model (Llama 3.2)
[View Details] [Block Site]

Notification shows:

Which site is making request
What action (summarize, translate, etc.)
Which provider is being used
Option to block immediately

Permission Prompts

First time a site uses WebLLM:

Allow example.com to use WebLLM?

This site wants to:
• Summarize articles
• Extract information
• Translate text

[Always Allow] [Allow Once] [Block]

Audit Log

View complete history in extension:

Recent Activity:
├── example.com - Summarize - 2m ago - Local Model
├── docs.site.com - Translate - 5m ago - Anthropic
└── app.site.com - Extract - 10m ago - OpenAI

[Export Log] [Clear History]

Security Measures

API Key Protection

Encrypted storage - Keys encrypted in IndexedDB
Never exposed - Not accessible to web pages
Secure input - Masked in UI
Revocable - Delete anytime

Origin Isolation

Per-origin permissions - Each site separately approved
No cross-origin access - Sites can’t see each other’s requests
Sandboxed execution - Content script runs isolated

Request Validation

Before processing any request:

✓ Validate origin has permission
✓ Check request size limits
✓ Sanitize inputs
✓ Rate limit per origin
✓ Timeout enforcement

No Tracking

The extension:

❌ Doesn’t collect analytics
❌ Doesn’t phone home
❌ Doesn’t share data with developers
❌ Doesn’t use third-party services
✅ 100% local operation

WebLLM extension is designed to help with GDPR compliance:

Data Minimization

Only stores what’s necessary
Automatic deletion policies
User-controlled retention

Right to Access

Export all stored data as JSON
View complete audit log
Inspect provider configurations

Right to Erasure

One-click data deletion
Removes all conversation history
Clears all permissions

Right to Portability

Export conversation history
Export settings
Import to another profile/browser

Privacy Comparison

Traditional AI Integration

User → Website → Website Server → AI Provider
       ↑────────────────────────↑
       Website sees everything

❌ Website sees all prompts
❌ Website pays (or charges you)
❌ No control over provider
❌ Data stored on website’s servers

WebLLM

User → Website → Browser Extension → AI Provider
                 ↑──────────────────↑
                 User controls everything

✅ Website only sees results (if you allow)
✅ You control API keys/costs
✅ You choose provider
✅ Data stored locally or sent to provider directly

Best Practices

For Users

Use local models when possible - Maximum privacy
Review permissions regularly - Revoke unused access
Set retention policies - Don’t keep data forever
Monitor activity - Check audit log periodically
Use personal API keys - More privacy than app-provided

For Developers

Minimize data collection - Only request what’s needed
Be transparent - Explain why you need AI
Respect user choices - Handle denial gracefully
Don’t log prompts - If user uses their API key, respect it
Provide fallbacks - Work without WebLLM if unavailable

Privacy FAQ

Q: Can websites see my API keys? A: No. API keys never leave the extension and are not accessible to web pages.

Q: Can the extension developers see my data? A: No. Everything is stored locally. No data is sent to us.

Q: What does the AI provider see? A: When using API providers, they see the prompts sent to them (subject to their privacy policy). When using local models, nothing leaves your browser.

Q: Can I use WebLLM offline? A: Yes, if you use local models. Download the model once, then it works offline.

Q: How do I delete all my data? A: Extension Settings → Data Retention → “Clear all data now”

Q: Can websites track my usage? A: Websites only see what you explicitly allow. The extension doesn’t share usage patterns between sites.

Next Steps

Understand Provider Management
Learn about Extension Architecture
Explore the Developer SDK