aimask@web:~$ cd /

Privacy

Last updated 2026-06-23

aimask is a browser extension that lets a website run LLM completions against your own OpenRouter account, under a per-origin USD budget you grant. This page describes exactly what it stores and where data goes. The short version: aimask has no backend, collects nothing about you, and sends nothing to its makers.

What stays on your device

Your OpenRouter API key, or the OAuth token from connecting OpenRouter, is encrypted with AES-GCM-256 and stored in the extension's local storage (chrome.storage.local). The encryption key is generated inside your browser, marked non-extractable, and held in IndexedDB. Pages never see the key; only the extension's background worker can read it.

Your per-origin budgets, the amount each site has spent, request counts, and activity timestamps are stored the same way, locally in your browser. None of it is transmitted anywhere.

What leaves your device

The only network destination is openrouter.ai. When a site you granted a budget asks for a completion, the extension sends that request to OpenRouter, authenticated with your key, and streams the result back. Connecting your account uses OpenRouter's OAuth sign-in. Your use of OpenRouter is also governed by OpenRouter's own privacy policy and terms.

Prompts and outputs

A website composes the prompts and reads the outputs, because the website is the thing using the model on your behalf. aimask relays those messages to OpenRouter to run them. It does not store them and does not send them anywhere other than OpenRouter. Treat model outputs as untrusted content, the same as anything else a page can produce.

What aimask collects

Nothing. There is no analytics, no telemetry, no tracking, and no server operated by aimask. The extension makes no requests to its makers.

Permissions, and why

storage saves your encrypted key and budgets. identityruns OpenRouter's OAuth sign-in. notifications and activeTab drive consent prompts and budget alerts. The host permission for openrouter.ai lets the background worker run completions. aimask requests no other hosts.

Deleting your data

Remove your key from the extension's Options page, revoke any per-origin grant from the same place, or uninstall the extension to erase all locally stored data, including the encryption key.

Contact

Questions or security disclosures: open an issue at https://github.com/gantrydev/aimask.