blurgate.legal
Home/Desktop Docs/Security & Privacy

Security & Privacy

How the blurgate.legal Desktop App protects your data with military-grade encryption and local-first architecture.

Vault EncryptionData FlowWhat We StoreRecovery Phrase

Vault Encryption

Your sensitive data is protected with military-grade encryption. The vault stores credentials, encryption keys, and processing history - all encrypted locally.

Encryption Standards

  • AES-256-GCM

    Industry-standard encryption for all stored data

  • Argon2id Key Derivation

    64MB memory, 3 iterations (OWASP recommended)

  • BIP39 Recovery Phrase

    24-word mnemonic for vault recovery

  • Memory Zeroization

    Sensitive data cleared from memory when locked

Access Control

  • 1

    6-Digit PIN

    Quick daily access to unlock the app

  • 2

    Recovery Phrase

    24 words for vault recovery if PIN forgotten

  • 3

    Auto-Lock

    Vault locks automatically after inactivity

How Your Data Flows

Understanding exactly what happens when you process a document:

1. Local File ReadLocal Only

Your document is read from disk. The file never leaves your computer.

2. Local Text ExtractionLocal Only

Text is extracted from the document locally. Images, formatting, and metadata stay on your device.

3. API AnalysisText Only

Only the extracted text is sent to our API for PII detection. Transmitted over TLS 1.2+.

4. AnonymizationServer Processing

PII is detected and anonymized on our ISO 27001-certified servers in Germany.

5. Local ReconstructionLocal Only

Anonymized text is received and the document is reconstructed locally with your original formatting.

6. Local SaveLocal Only

The anonymized document is saved to your chosen location. Processing complete.

Summary: Your original documents never leave your computer. Only extracted text is sent for analysis, and only over encrypted connections.

What We Store (and Don't Store)

We NEVER Store

  • Your Original Documents

    Files stay on your device - never uploaded

  • Your Recovery Phrase

    Only you know your 24-word phrase

  • Your Encryption Keys

    Stored only in your local vault

  • Document Contents

    Text processed in memory only - not persisted

We DO Store (Encrypted)

  • Account Credentials

    OAuth tokens for API access (encrypted in vault)

  • Processing Metadata

    Filename, date, entity counts (encrypted in vault)

  • Usage Statistics

    Token consumption for billing (on server)

Recovery Phrase Security

Your recovery phrase is the ONLY way to recover your vault

If you lose both your PIN and recovery phrase, your vault data cannot be recovered. We do not have a copy of your recovery phrase.

Best Practices

  • Write it down on paper (not digital)
  • Store in a secure location (safe, safety deposit box)
  • Consider making a backup copy
  • Test recovery process with a fresh install

Never Do This

  • Store it in a text file or notes app
  • Take a screenshot of it
  • Email it to yourself
  • Share it with anyone

Resetting Your Vault

If you need to start fresh, you can reset your vault in Settings > Security > Reset Vault.

Warning: Resetting your vault will permanently delete all local data including encryption keys, processing history, and saved credentials. This cannot be undone.

Continue Reading

Features & Workflow

Learn how to use all the app features.

Troubleshooting

Common issues and FAQ.