0xbufferEarly version

Privacy Policy

Last updated: June 4, 2026

This Privacy Policy explains how 0xbuffer ("the app", "we", "us", or "our") handles information when you use the desktop application. 0xbuffer is a local network proxy, traffic inspection, browser automation, and security testing tool.

This document is provided for product transparency and should be reviewed by qualified counsel before public release.

Summary

0xbuffer is designed as a local-first desktop application. The app does not require an account, does not operate a multi-tenant cloud service, and does not send captured traffic to our servers by default.

Because the app is built for traffic interception, packet capture, browser automation, and security testing, the information you choose to capture or inspect may be highly sensitive. You are responsible for using the app only on systems, networks, applications, and accounts that you own or are authorized to test.

Information the App May Process

Depending on the features you use, the app may process and store the following information on your device:

  • HTTP and HTTPS traffic metadata, including URLs, methods, headers, status codes, timestamps, client addresses, server addresses, and timing information.
  • HTTP request and response bodies, which may include credentials, tokens, cookies, personal information, files, form submissions, API payloads, or other sensitive content.
  • WebSocket connection details and message payloads.
  • Packet capture data, including source and destination IP addresses, ports, protocols, raw packet lines, raw packet data, decoded bodies, and connection summaries.
  • Browser automation data, including target URLs, crawled pages, page titles, discovered links, forms, logs, generated insights, screenshots, rendered HTML artifacts, and crawl session metadata.
  • Security testing inputs and results, such as repeater requests, brute-force or intruder configurations, scanner targets, banners, payloads, and response analysis.
  • Documents, notes, exported reports, HAR files, CSV files, SQLite exports, or other files that you create or save through the app.
  • Local settings, such as proxy ports, selected AI provider and model, update preferences, and feature configuration.
  • Certificate material generated by the app, including local CA certificate files used for HTTPS interception.

Local Storage

The app stores operational data locally on your device. This may include a local SQLite database, browser automation artifacts, an intercept browser profile, generated CA certificate files, exported files, and app settings.

The exact storage location depends on your operating system and Tauri's application data directory. The Settings area of the app may show local storage paths such as:

  • `0xbuffer.db`
  • `ai-browser-artifacts`
  • `intercept-browser-profile`
  • `0xbuffer-ca.pem`

Local files remain on your device unless you delete them, export them elsewhere, share them, synchronize them with another service, or use a feature that sends selected data to a third party.

Traffic Interception and Certificates

When HTTPS interception is enabled, the app may generate or use a local certificate authority (CA) certificate so it can decrypt, inspect, and re-encrypt HTTPS traffic routed through the proxy.

Installing or trusting this certificate allows the app to inspect encrypted traffic that passes through the configured proxy. Traffic outside the configured proxy is not intentionally intercepted by the app.

Captured traffic may include secrets or personal information. You should remove the app's CA certificate from your operating system or browser trust store when you no longer need HTTPS interception.

Optional AI Features

The app includes optional AI-assisted features that may use third-party AI providers such as OpenAI or DeepSeek when you configure an API key and choose to use those features.

When you use AI features, the app may send selected prompts, chat messages, crawl context, page summaries, logs, insights, URLs, and other analysis context to the configured AI provider so it can generate a response. The specific data sent depends on the feature and your inputs.

API keys are intended to be stored using the operating system credential store where supported. AI provider, model, and key status settings may be stored locally. Your use of third-party AI services is also governed by those providers' own terms and privacy policies.

Do not use AI features with sensitive traffic, credentials, proprietary information, personal data, or regulated data unless you are authorized to send that data to the configured provider.

Automatic Updates

The app may check for software updates using the configured update endpoint:

`https://dist.0xbuffer.com/latest.json`

Update checks may disclose standard network information to the update host, such as your IP address, request time, app version, operating system, and user agent or similar client metadata. Update downloads may also be requested from the update host when an update is available.

Information We Do Not Intentionally Collect

Unless a feature is explicitly configured to contact a third-party service, the app does not intentionally collect captured traffic, packet data, browser automation results, documents, certificates, API keys, or local database content on our servers.

The app does not require a user account for local use. The app does not intentionally include product analytics or behavioral tracking in the local desktop application.

Third-Party Services

The app may interact with third-party services when you choose to use features that require external network access, including:

  • Websites, APIs, and network services that you configure as testing targets.
  • AI providers that you configure for AI-assisted analysis.
  • The app update endpoint used to check for and download updates.
  • Operating system services such as certificate stores, keychains, file dialogs, and network interfaces.

Third-party services process information according to their own policies. You should review those policies before sending data to them.

Data Export and Sharing

The app may allow you to export traffic sessions, reports, SQLite data, documents, screenshots, or other artifacts. Exported files may contain sensitive information, including authentication tokens, cookies, request bodies, response bodies, personal data, and internal network details.

You are responsible for protecting exported files and sharing them only with authorized recipients.

Data Deletion

You can delete local artifacts by using available app controls such as clearing browser automation artifacts or resetting local data. You may also manually delete exported files and application data from your device.

Resetting local data may remove browser automation artifacts, the intercept browser profile, and local CA certificate files managed by the app. It may not remove files that you exported to other locations, files synchronized by your operating system or third-party services, or certificates that you manually installed into browser or operating system trust stores.

Security

The app is a security testing tool and may intentionally access, decrypt, store, and replay sensitive traffic at your direction. You should:

  • Use the app only on authorized targets.
  • Avoid capturing unrelated personal or third-party traffic.
  • Protect your device account, local database, exported files, API keys, and generated certificates.
  • Remove trusted CA certificates when testing is complete.
  • Review captured data before sharing reports or exports.

No software can guarantee perfect security. Local files may be accessible to users, processes, backups, or malware that have sufficient access to your device.

Retention

Local data remains on your device until you delete it, reset local data, uninstall the app and remove its application data, or overwrite it through normal app usage. Exported files remain wherever you saved or shared them until deleted from those locations.

Third-party providers may retain data according to their own policies when you use features that send data to them.

Children's Privacy

The app is intended for security testing, development, and professional use. It is not directed to children.

International Use

Because the app is distributed as local desktop software, data is generally processed on your own device. If you use third-party services, update endpoints, cloud backups, file synchronization, or AI providers, your data may be processed in other regions according to those services' policies.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above. Material changes should be reviewed before continued use or distribution of the app.

Contact

For privacy questions, contact:

`arhamymr@gmail.com`

If you are publishing this policy, replace this placeholder with the appropriate legal entity name, mailing address if required, and contact email.