Privacy Policy

Your AI provider API keys

Round Robin is bring-your-own-key (BYOK). There are two ways your keys for providers (OpenAI, Anthropic, Google Gemini, DeepSeek) can be handled — you choose in Settings.

Default: local-only

• Keys are stored only in your own browser's local storage, unencrypted. By default we do not persist them on our servers at all.
• Your browser sends a key to our server only with the request that needs it (in an x-provider-keys header), used solely to call that provider on your behalf, held in memory for that request, then discarded.
• Because they live unencrypted in your browser, anyone with access to this device, browser profile, or a malicious extension could read them. Beware on shared or public computers — clear them in Settings when done, and prefer scoped/rotatable keys.

Optional: encrypted server storage

• Off by default. If you turn it on, we encrypt your keys (AES-256-GCM) and store only the ciphertext so they're available across your sessions and devices.
• We never store your keys decrypted. On a new session we decrypt them transiently and send them back to your browser, which holds them for that session only (cleared on logout or when the session ends).
• You may set an optional PIN. If you do, your keys are encrypted with that PIN mixed in, so we cannot decrypt them without you entering it each session — not even with our own server secret. If you forget the PIN, the stored keys can't be recovered; just re-enter your API keys.
• Without a PIN, the encrypted copy can be decrypted with our server secret for convenience (so a database leak alone does not expose them, but our server can). With a PIN it cannot.
• Turning the option off (“Remove from server” in Settings) deletes the encrypted copy from our database.