Privacy Policy

Last updated 26 May 2026

CookedAF is a local-first desktop application. The single biggest reason it exists is that your API keys never leave your device. This policy describes — precisely, not in legal boilerplate — what data exists, where it lives, and who can see it.

What we do not collect

CookedAF does not collect, store, or transmit personal data to any CookedAF server. We operate no backend that receives user data. Specifically:

  • No user accounts. No sign-up. No password to remember.
  • No email address is collected by the application.
  • No analytics, telemetry, crash reports, fingerprinting, or behavioural tracking is built into the app.
  • No advertising identifiers, cookies, or third-party trackers ship inside the app.

How your API keys are handled

To read your spend, CookedAF needs the API keys you create with each AI provider. Those keys:

  • Are stored locally on your device, inside your operating system's secure keychain (Windows Credential Manager on Windows; the equivalent secure store on other platforms).
  • Are never transmitted to us. We have no server to receive them.
  • Are sent only directly from your device to the respective AI provider's official APIapi.openai.com, api.anthropic.com, openrouter.ai, api.deepseek.com, and management-api.x.ai — over HTTPS, to read usage and billing data.
  • Can be removed at any time using the "Disconnect" button next to each provider in the app, which deletes the key from the keychain.
Verifiable: the application is a thin client. Network monitoring tools on your own machine will show requests going only to the AI provider domains listed above and to updates.cookedaf.com for software updates (see below).

The website (cookedaf.com)

The marketing website is a static site hosted on our web server. Like virtually all web servers, it produces standard access logs containing your IP address, timestamp, requested URL, referrer, and user agent. These logs are retained for security and operational purposes only (rate-limiting, debugging, abuse handling) and are not combined with any other personal data.

Auto-updates

The desktop application periodically requests a small static update manifest from https://updates.cookedaf.com over HTTPS to check whether a newer version is available. This is an ordinary HTTPS file fetch. It does not transmit any of your data, identifiers, settings, or keys. Standard web-server access logs apply to those requests as described above.

You can disable update checks by blocking updates.cookedaf.com at your firewall or hosts file level if you prefer.

Newsletter (future)

If a newsletter signup is added to the website later, the email you provide will be handled by a third-party email-marketing provider and used solely to send product updates. You will be able to unsubscribe from any email with one click. We will update this policy and name the provider before that feature ships.

Third-party AI providers

CookedAF reads data from third-party AI providers using credentials you supply. Your relationship with each of those providers — including the data they collect from your usage of their services — is governed by their own privacy policies and terms, which are outside our control. We recommend reviewing each provider's privacy practices directly.

Children

CookedAF is not directed at children under 13 and is not designed for use by them.

Changes to this policy

If we make material changes to how the application or website handles data, we will update this page and revise the "Last updated" date at the top. Continued use of CookedAF after such a change constitutes acceptance of the revised policy.

Contact

Questions about this policy or how CookedAF handles data: support@aisaasfactory.io.