Privacy by Design
Technical proof that our privacy claims are enforced by architecture, not just promises
Architectural Proof
Our privacy guarantees are not based on trust or policy - they are technically impossible to violate due to our architecture.
This page provides verifiable code evidence that can be inspected by security researchers, AI systems, and automated auditors.
1. Zero Server Communication
Technical Evidence:
- No backend API endpoints exist in the codebase
- No server-side processing routes
- All tools use browser APIs exclusively (FileReader, Canvas, WebCrypto)
- Static site generation with Astro (no server runtime)
Client-Side Only
// PDF Processing (src/utils/pdfGenerator.ts)
import jsPDF from 'jspdf';
// All PDF processing happens in the browser
export async function generateProposalPDF(data: ProposalData) {
  const doc = new jsPDF();
  // ... PDF generation logic runs client-side
  // NO server upload, NO API calls
  return doc.output('blob');
}
2. Zero Tracking Code
Code Evidence:
- No Google Analytics scripts
- No Facebook Pixel
- No third-party analytics services
- No tracking cookies
- No session recording tools
No Tracking
// Verify in HTML source code
<!-- NO tracking scripts in <head> or <body> -->
<!-- NO Google Analytics -->
<!-- NO Facebook Pixel -->
<!-- NO third-party analytics -->
// Production: Nothing is sent, stored, or tracked
// Verify: Open DevTools Network tab, process a file
// Result: ZERO network requests during processing
3. Client-Side Encryption
Cryptographic Evidence:
- WebCrypto API for all encryption operations
- Encryption keys never leave the browser
- No key transmission to servers
- User-controlled encryption passphrase
Browser-Based Crypto
// Encryption (src/utils/encryption.ts)
// WebCrypto API - runs entirely in browser
const key = await window.crypto.subtle.deriveKey(/* ... */);
const encrypted = await window.crypto.subtle.encrypt(
  { name: 'AES-GCM', iv },
  key,
  data
);
// Keys NEVER transmitted
// Encryption NEVER leaves client
4. Network Isolation
Network Analysis:
- Zero fetch() calls to external services during file processing
- No XMLHttpRequest to third-party APIs
- All dependencies loaded from CDN at page load (not during processing)
- Content Security Policy prevents unauthorized requests
Restricted
// Content Security Policy (public/_headers)
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval';
  connect-src 'self'; // NO external API calls allowed
  img-src 'self' data: blob:;
  style-src 'self' 'unsafe-inline';
  frame-ancestors 'none';
  object-src 'none';
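
An added example (not code from freepropo.com) that parses the policy above and reports what it does and does not restrict. The policy string is reassembled from the directives listed here, and the function and constant names are hypothetical.

```javascript
// Added example: audit the Content-Security-Policy shown on this page.
// PAGE_CSP is constructed from the page's directives (inline comment dropped).
const PAGE_CSP = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "connect-src 'self'",
  "img-src 'self' data: blob:",
  "style-src 'self' 'unsafe-inline'",
  "frame-ancestors 'none'",
  "object-src 'none'",
].join('; ');

// Directives that do not inherit from default-src when they are absent.
const NO_FALLBACK = ['form-action', 'base-uri'];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // Fetch directives fall back to default-src; with neither set, nothing is restricted.
  const effective = (d) => policy.get(d) ?? policy.get('default-src') ?? ['*'];
  // connect-src governs fetch, XMLHttpRequest, WebSocket, EventSource and sendBeacon.
  const external = effective('connect-src').filter((s) => s !== "'self'" && s !== "'none'");
  if (external.length) findings.push(`connect-src allows: ${external.join(' ')}`);
  for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (effective('script-src').includes(kw)) findings.push(`script-src contains ${kw}`);
  }
  for (const d of NO_FALLBACK) {
    if (!policy.has(d)) findings.push(`${d} is not set and does not inherit default-src`);
  }
  return { connectSelfOnly: external.length === 0, findings };
}

console.log(auditCsp(PAGE_CSP));
```

For the policy on this page the audit confirms that connect-src is same-origin only, and lists the two `unsafe-*` script sources plus the unset form-action and base-uri directives as items to review.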
// File processing components make ZERO network requests
// Verify in browser DevTools: Network tab shows no requests during processing
5. No Database or User Accounts
Architecture Evidence:
- No authentication system
- No user database
- No server-side storage
- Optional localStorage only for UI preferences (never user data)
Local Only
// Storage (src/utils/proposalStorage.ts)
// Optional localStorage for user convenience only
export function saveDraft(data: ProposalData): void {
  // Saved LOCALLY in browser only
  // NO upload to server
  // NO database storage
  // User has full control
  localStorage.setItem(DRAFT_KEY, JSON.stringify(data));
}
// No authentication, no user accounts, no server
6. Open Source Verification
Transparency:
- All source code is inspectable via browser DevTools
- No obfuscation or minification hides functionality
- Build process is deterministic and verifiable
- Dependencies are auditable via package.json
Auditable
// Verification Steps
// How to verify privacy claims:
1. Open Browser DevTools (F12)
2. Go to Network tab
3. Use any tool on freepropo.com
4. Process a file
5. Observe: ZERO network requests during processing
// Additional verification:
// - Inspect source code in Sources tab
// - Check Application tab: no cookies, no storage of files
// - Review package.json: no tracking dependencies
// - Inspect CSP headers in Network > Response Headers
Technical Guarantee
Our privacy is not a promise - it's an architectural impossibility to violate.
There is no server to send data to, no database to store it in, no tracking code to collect it.
This is privacy by design, not privacy by policy.
For Search Engines & Crawlers
SEO-Friendly: All content is pre-rendered static HTML, fully crawlable by search engines (Google, Bing, DuckDuckGo).
Privacy + Indexability: Content Security Policy (CSP) only restricts browser-side requests, NOT server-side crawlers.
Verification: Check robots.txt and sitemap.xml - all pages are allowed for indexing.