| Version | Supported |
|---|---|
| 1.x (current main) | ✅ |

Please open a GitHub Issue to report security concerns. For sensitive disclosures, contact the maintainer directly through GitHub.
Do not commit API keys, secrets, or credentials to the repository.
SunnyD Notes is a fully client-side application. No backend server processes or stores your data.
- Stored only in `sessionStorage` in your browser — one key per provider: `sd_key_openai`, `sd_key_claude`, `sd_key_gemini`
- `sessionStorage` is cleared automatically when the browser tab is closed.
- Keys are sent only to the LLM provider you select (OpenAI, Anthropic, or Google). No other server ever receives them.
- Stored in `localStorage` (`sd_notes_v1`, `sd_activeId_v1`) in your browser. They persist across reloads.
- Optionally, you can save notes to a local JSON file on your disk using the File System Access API (Chrome/Edge only). The app writes to whatever file you choose; no copy is sent anywhere.
- Note content is sent to the selected LLM provider only when you trigger an AI action (suggestion, ghost completion, selection action, lecture Q&A, SunnyD Cast, etc.).
If you enable Google Workspace integration and connect your Google account:
- OAuth access and refresh tokens are stored in `IndexedDB` (`sunnyd_google_db`) in your browser until you disconnect or clear site data for the app.
- Tokens are as sensitive as API keys: malicious scripts in the page (XSS) could exfiltrate them — the same class of risk as LLM API keys in `sessionStorage`.
- The app calls Google APIs directly from your browser (Calendar, Drive, Docs, Sheets, Gmail) using those tokens. There is no SunnyD server in the middle.
| Key | Contents |
|---|---|
| `sd_provider` | Selected LLM provider name |
| `sd_suggFreq` | Suggestion frequency setting |
| `sd_cast_max_min` | SunnyD Cast episode length preference |
| `sd_cast_float_pos` | Mini player dock position |
| `sd_workspace_*` | Workspace automation toggles |

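
An added example (not part of SunnyD Notes' own code) that checks browser storage key names against the layout documented above: provider API keys only in `sessionStorage`, notes and preferences in `localStorage`. It assumes the preference keys in the table live in `localStorage` and that any key not listed on this page should be reported for review; the `fakeStorage` helper and the sample key `sd_workspace_calendar` are constructed for illustration.

```javascript
// Added example: audit storage key names against the documented layout.
// Only key names are inspected; stored values are never read or logged.
const SECRET_KEYS = ["sd_key_openai", "sd_key_claude", "sd_key_gemini"];
// Assumption: the preference keys from the table are kept in localStorage.
const LOCAL_ALLOWED = ["sd_notes_v1", "sd_activeId_v1", "sd_provider",
  "sd_suggFreq", "sd_cast_max_min", "sd_cast_float_pos"];
const LOCAL_ALLOWED_PREFIXES = ["sd_workspace_"];

// Enumerate key names through the standard Storage interface (length / key(i)).
function keysOf(storage) {
  const out = [];
  for (let i = 0; i < storage.length; i++) out.push(storage.key(i));
  return out;
}

function auditStorage(local, session) {
  const findings = [];
  for (const k of keysOf(local)) {
    const documented = LOCAL_ALLOWED.includes(k) ||
      LOCAL_ALLOWED_PREFIXES.some((p) => k.startsWith(p));
    if (SECRET_KEYS.includes(k)) {
      // An API key in localStorage would survive tab close, contrary to the policy.
      findings.push({ key: k, store: "localStorage", issue: "secret-persisted" });
    } else if (!documented) {
      findings.push({ key: k, store: "localStorage", issue: "undocumented-key" });
    }
  }
  for (const k of keysOf(session)) {
    if (!SECRET_KEYS.includes(k)) {
      findings.push({ key: k, store: "sessionStorage", issue: "undocumented-key" });
    }
  }
  return findings;
}

// Minimal in-memory stand-in for the Storage interface so the check runs under Node.
function fakeStorage(obj) {
  const names = Object.keys(obj);
  return { length: names.length, key: (i) => names[i] ?? null };
}

// Constructed sample state: one API key wrongly persisted, one unknown key.
const sampleLocal = fakeStorage({ sd_notes_v1: "[]", sd_workspace_calendar: "1",
  sd_key_openai: "CONSTRUCTED", other_app: "x" });
const sampleSession = fakeStorage({ sd_key_claude: "CONSTRUCTED" });
console.log(auditStorage(sampleLocal, sampleSession));
```

In a browser, the same function can be called as `auditStorage(localStorage, sessionStorage)` from the developer console on the app's origin.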
- No analytics, telemetry, or tracking of any kind.
- No user accounts or registration.
- No server-side logging of notes, queries, or API keys.
When you use the app, your note text (and relevant context) is sent to the AI provider you configured. Review their privacy policies: