Privacy policy

Last updated: July 5, 2026

Klef is built so that it cannot read your data. This page describes the little it does collect, in plain language.

What Klef stores

  • Account details. When you sign in with Google, Klef receives your name, email address, and profile picture. If you register a passkey, its public key is stored. Better Auth session cookies keep you signed in.
  • Vault metadata. The names of your workspaces, projects, and env files are stored in plaintext so the app can show navigation before you unlock your vault.
  • Encrypted content. The contents of your environment files are encrypted in your browser before upload. Klef stores only ciphertext and cannot decrypt it. See how the encryption works.

What Klef does not do

  • No analytics, tracking scripts, or ads.
  • No third-party scripts or CDN fonts; assets are self-hosted.
  • No selling, sharing, or mining of your data.
  • No plaintext secrets on the server, ever, by construction.

Where data lives

Klef runs on Cloudflare Workers with data stored in Cloudflare D1. Cloudflare acts as the hosting provider and processes traffic according to its own privacy terms. Because content is end-to-end encrypted, neither Klef nor Cloudflare can read your files.

Deleting your data

Deleting a file or project removes its versions from the database. To delete your account and everything in it, open an issue on GitHub or reach out via beny.one, and it will be removed promptly.

Changes

If this policy changes, the date above will be updated. The policy is versioned with the source code, so every change is public and diffable.