Security and threat model

What we can protect against, what we can't, and how to verify every claim on this page in under thirty seconds using your browser.

Most privacy pages are sales copy. This is a threat model. It tells you exactly what we protect against, exactly what we can't, and how to verify every claim below in under thirty seconds using your browser.

What we protect

  • Your files and text never leave your device. Processing runs in your browser.
  • No server receives what you process. There is no server that could.
  • No client-side analytics, tracking pixels, or cookies.
  • A Content Security Policy blocks every outbound request we didn't approve.

What we can't protect

  • Your browser itself (Chrome telemetry, Privacy Sandbox, Topics API).
  • Browser extensions with permission to read our pages.
  • Your operating system (screen recorders, clipboard managers, malware).
  • That you visited our domain (your ISP sees the hostname, not the content).

What we guarantee

Unwrite is a static site. There is no backend, no database, no upload endpoint. The code that runs on your device is all that exists. Your files and text are read into browser memory, processed using JavaScript and WebAssembly, and the result is made available to you. Nothing is sent to us, because there is no “us” to send it to at the network layer.

A strict Content-Security-Policy header is served on every response. The browser enforces the policy independently of our code: if a script or library tries to phone home to a domain we didn't explicitly permit, the request is blocked before it leaves your device.

See the privacy policy for the formal version, and why Unwrite isn't open source for the reasoning behind verifying via DevTools rather than a public repository.

What we can't protect against

Honesty matters more than a clean marketing page. Three categories of threat sit outside anything a website can defend against. If any of them apply to you, the ladder further down tells you what to do about it.

Your browser itself

Chrome participates in tracking through the Topics API, Privacy Sandbox, browser telemetry, Safe Browsing URL checks, and Chrome sync if you have enabled it. Edge sends more. A webpage cannot opt you out of what your browser chooses to do. If this matters, Firefox and Brave are stricter by default.

Browser extensions

Any extension with permission to run on our pages can read what you type, what you paste, what our tools output, and your clipboard. This is a limit of the web platform, not a gap in our site. Extensions run with more privilege than our code and no page can stop them. Audit your extensions in your browser settings, or use incognito or private browsing where most extensions are disabled by default.

Your device

Screen recorders, clipboard history tools, accessibility software, keyloggers, malware. Anything running on your machine sits between your eyes and our page. Outside our reach.

What we don't run

Modern websites commonly include a lot of third-party code. Unwrite doesn't. This list is stronger than the usual “we respect your privacy” line because it is a list of absences, not intentions.

  • No client-side analytics of any kind (no Google Analytics, Plausible, Umami, Fathom).
  • No tracking or advertising pixels (no Meta, TikTok, LinkedIn, Pinterest, Snap).
  • No session-replay tools (no Hotjar, FullStory, Microsoft Clarity).
  • No error-reporting SDKs (no Sentry, Bugsnag, Rollbar).
  • No chat widgets (no Intercom, Crisp, Drift, HubSpot).
  • No social embeds or sharing widgets.
  • No third-party fonts. Fonts are self-hosted from our origin.
  • No A/B testing or feature flagging against external services.
  • No cookies of any kind, not even first-party.
  • No browser fingerprinting, canvas fingerprinting, or device identification.

What we do collect

Cloudflare sits in front of the site and produces aggregate traffic figures from its own edge request logs. Page views, popular pages, countries. No JavaScript is injected into your browser to generate these numbers. No cookies. No individual user profiles. We see traffic, we do not see you.

The full list is in the privacy policy. We also wrote a post on removing everything Cloudflare was injecting by default to get to this point.

The three exceptions

A handful of tools need specific network resources to work. These are the only cases where your device talks to a third party, and none of them involve sending us your content.

| Tool | Third party | What they see |
| --- | --- | --- |
| Image tools | jsDelivr CDN | Your IP address when your browser downloads the open-source compression libraries on first use. |
| LLM tools (local mode) | Hugging Face | Your IP address when your browser downloads the open-source language model you chose. |
| LLM tools (remote mode) | A server you configure | Your prompts and responses. You enter the URL; we never see or proxy the traffic. |

None of these reach Unwrite. They reach a public CDN or a server you chose. For remote LLM mode, this is the whole point: you want your data to reach that server.

How to maximise your privacy

A ladder, from casual to strict. Most readers stop at the first rung.

Default

You're fine. HTTPS plus in-browser processing covers the realistic threats for almost everyone.

Cautious

Use incognito or private browsing. Most extensions are disabled by default in these modes, which removes the biggest category of residual risk.

Strict

Install Unwrite as a Progressive Web App, then work with your network disabled. Your browser will show “offline” and the tools will keep running. If nothing can leave, nothing can leak.

Paranoid

Combine the strict setup with a privacy-focused browser (Brave, LibreWolf, hardened Firefox), a dedicated profile for sensitive work, and a clean extension audit. At this point you are defending against threats that have nothing to do with us.

Verify it yourself

Every claim above is visible in your browser. You don't need to trust us and you don't need source code. You need DevTools.

  • Open DevTools (F12, or right-click and choose Inspect). Switch to the Network tab and clear the log.
  • Use any tool on this site. Process a PDF, clean some HTML, compare text, humanise a draft.
  • Watch the Network tab. For most tools, the request count after the page has loaded stays at zero. For the image and LLM tools, you will see requests to jsDelivr or Hugging Face downloading libraries or models, never uploads of your content.
  • Check the response headers on any request. The content-security-policy header lists every domain the page is allowed to reach. The browser enforces it whether we like it or not.
  • Install the site as a PWA, then toggle “Offline” in the DevTools Network tab. The tools keep working. Nothing goes out because nothing can.
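
One way to script the header check from the list above, as an added example that is not Unwrite's own code: paste the content-security-policy value copied from DevTools into a parser that lists every remote host the policy permits and flags anything outside the third parties this page names. The sample policy, the expected hostnames and the function names are constructed for illustration.

```javascript
// Added example. SAMPLE and EXPECTED are constructed, not the site's real policy.
// Directives that fall back directly to default-src when absent.
const FETCH_DIRECTIVES = ['connect-src', 'script-src', 'style-src', 'img-src', 'font-src', 'media-src'];

// Split a header value into directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return every remote host the policy permits, plus findings worth a second look.
function auditCsp(header, expectedHosts) {
  const policy = parseCsp(header);
  const hosts = new Set();
  const findings = [];
  if (!policy.has('default-src')) findings.push('no default-src: unlisted directives are unrestricted');
  for (const directive of FETCH_DIRECTIVES) {
    const sources = policy.get(directive) ?? policy.get('default-src');
    if (!sources) continue;
    for (const src of sources) {
      if (src.startsWith("'")) continue;            // keywords: 'self', 'none', ...
      if (/^(data|blob):$/i.test(src)) continue;    // local schemes, no network request
      if (src === '*' || /^(https?|wss?):$/i.test(src)) {
        findings.push(`${directive} allows any host via ${src}`);
        continue;
      }
      const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split(/[/:]/)[0].toLowerCase();
      hosts.add(host);
      if (host.startsWith('*.')) findings.push(`${directive} allows wildcard ${host}`);
      else if (!expectedHosts.includes(host)) findings.push(`${directive} allows unexpected host ${host}`);
    }
  }
  // form-action has no default-src fallback, so it must be set explicitly.
  if (!policy.has('form-action')) findings.push('no form-action: form posts are unrestricted');
  return { hosts: [...hosts].sort(), findings };
}

const SAMPLE = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' https://cdn.jsdelivr.net; " +
  "connect-src 'self' https://cdn.jsdelivr.net https://huggingface.co https://metrics.example; " +
  "img-src 'self' data: blob:";
const EXPECTED = ['cdn.jsdelivr.net', 'huggingface.co']; // hostnames assumed for jsDelivr and Hugging Face
console.log(auditCsp(SAMPLE, EXPECTED));
```

Only a header named content-security-policy is enforced by the browser; a content-security-policy-report-only header reports violations without blocking them, so check which of the two you copied.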

Still have questions?

The privacy policy is the formal version of everything above. The posts on removing every tracker Cloudflare injected by default and why Unwrite isn't open source explain the reasoning in more depth.