Security at AiBrush Helpers

Our security model is browser-first: local processing by default, minimal retention, hardened infrastructure, abuse protections, and clear disclosure channels. This page explains what that means in practice so you know exactly what we do — and what we don't do — with the data you put into our tools.

Privacy-first by default

Most tools process data fully in your browser using standard Web APIs (Canvas, Crypto, WebAssembly, File System). The content you paste, type, or drop in never leaves your device and is never visible to our servers.

For tools requiring server-side processing — such as the AI-powered Languages Polisher, the Animation Studio, or Share Text — we limit data retention to what the feature genuinely requires, and we document those boundaries in our Privacy page on a per-tool basis.

We do not run on-page ads or behavioral profiling. Analytics and Google Ads measurement respect your opt-out and are never tied to the contents of your input.

Infrastructure and hosting

The site runs on Cloudflare Workers, with traffic served over TLS 1.2+ and HSTS enforced. Sensitive request paths require Cloudflare Turnstile to deter automation and abuse.

Persistent data (when a tool needs it, such as Share Text snippets or contact form submissions) is stored in regional Cloudflare KV / D1 instances inside the EU. Ephemeral assets (animation uploads, OG images) sit in R2 with automatic lifecycle deletion.

Secrets — API keys for AI providers, Turnstile, JWT signing — are stored only as Cloudflare Worker secrets and never committed to source. CI/CD deploys are signed and auditable through GitHub Actions logs.

Defense and monitoring

We use rate-limiting at the edge (Cloudflare native), Turnstile challenges on submit endpoints, and a strict CORS allowlist on the API. Anomaly logs are retained for service integrity for a short rolling window, then discarded.

Server-side error logs capture request IDs, status codes, and timing — not user content. We never log message bodies, form submissions, or AI prompts.

Account-free design means there is no password database to leak. The few endpoints that require authentication use short-lived JWTs issued after a Turnstile verification, with no long-term session storage.

Vulnerability disclosure

Where to report: email security@aibrush.co (a dedicated alias that routes to our team) with the subject line "Security disclosure". Include reproduction steps, the affected URL or endpoint, and your contact details. PGP-encrypted reports are accepted on request — write in first and we'll respond with a public key.

Response SLA: we acknowledge new reports within 24 hours on weekdays (within 72 hours on weekends or public holidays). We aim to ship a fix or mitigation within 30 days for high-severity issues and within 90 days for medium-severity issues.

Safe harbor: we do not pursue legal action against good-faith security research conducted under these rules. Please refrain from automated scanning that disrupts availability for other users, from data exfiltration beyond what is needed to demonstrate the issue, and from disclosing details publicly before we have shipped a fix.

Out of scope: third-party services we don't operate (Cloudflare's own infrastructure, our LLM providers' APIs); social engineering of staff; physical security; volumetric DDoS without a working amplifier; reports requiring access to a victim's device.

Credit: responsibly disclosed findings will be recognized in our public /changelog when the reporter wishes to be named, and we will provide a written acknowledgement on request.