Browse the docs
Trust and privacy

Verify it yourself

Updated July 17, 2026

Every service in this market says it does not read your code. Saying it proves nothing, so this page is not an argument - it is the list of artifacts you can open, read, and use to catch us lying. If any of these links ever dead-ends, treat the claim it backs as withdrawn.

The three receipts

  1. Read the client source

    The client that runs on your machine is public, in full: the extension, the surfaces, the patch engine, the event reporting. What you install is built from what you can read.

  2. Read the egress manifest

    The egress manifest is the plain-English contract for everything that leaves your machine, request by request, field by field. It is short, because the list is short - the same list as What leaves your machine.

  3. Read the test that enforces it

    The CI egress test pins the exact field set of every request schema. Add a field, rename a field, or contact an undeclared host, and the build fails until the manifest is updated to admit it. This is the strongest artifact of the three: the promise is enforced by CI, not by our word.

How to actually check

Open the test and read the pinned key lists - they are literal arrays of field names, one per request type. Compare them against the manifest's tables. Then note the stripping rule: the schemas discard unknown fields on parse, so even a compromised client build could not smuggle a payload through a schema that does not name it.

What verification cannot do

Honesty cuts both ways: reading the source proves what the client does, not what any server does. That is exactly why the client is built to send so little - the safest data is the data that never leaves. The billing rule that follows from this design is in What counts as an impression, and the editor safety engineering is in Your editor never breaks.

Was this page helpful?