
Privacy Architecture Deep Dive: Local Files and Encrypted AI Calls

Tags: privacy, security, desktop, architecture

Privacy is easy to market and harder to implement.

For a branding product, that matters. Strategy docs often include sensitive product plans, positioning bets, and launch messaging that teams do not want scattered across random cloud tools.

So this post explains the architecture directly.

1) Local-first by default

Brand Peel runs as a desktop app and stores project artifacts in local app data.

At the storage layer, project data is written under a local unpeeled-content directory, including:

  • project metadata
  • chat history
  • brand documents
  • generated theme files
  • logo assets and related graph/batch data

This local-first model keeps your working brand system on your machine as the primary source of truth.

2) What leaves the device

AI generation still requires network requests. That is expected.

In production, the app API base URL is configured to an HTTPS endpoint, and authenticated requests are sent with bearer auth plus device proof headers where relevant.

In practical terms:

  • your local project files remain local
  • generation/billing requests go over encrypted transport
  • server-side usage records track billing and entitlement state

3) Device proof without raw identifiers

Trial abuse prevention needs some machine-level signal, but this should not mean shipping raw hardware identifiers.

Brand Peel's desktop client generates a device proof model with:

  • machine fingerprint input from OS/CPU/arch context
  • installation identifier
  • SHA-256 hashing of both values
  • proof version tagging (v1)

Only hashed values and version headers are sent. The API validates format and version before use.

This supports one-time starter credit policy enforcement while reducing exposure of raw device attributes.
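To make the two sides of this concrete, here is an added example (not Brand Peel's code) of a v1 device proof: the client hashes the fingerprint input and the installation identifier with SHA-256 and attaches only the digests plus a version tag to an authenticated request, and the API checks version and digest format before using anything. The header names, the fingerprint fields (OS, machine, processor) and the installation id value are assumptions made for the example.

```python
"""Device proof (client) and format/version validation (API) for a v1 proof.

Constructed example: header names and the fingerprint fields are assumptions,
not the product's own names.
"""
import hashlib
import platform
import re

PROOF_VERSION = "v1"
SHA256_HEX = re.compile(r"[0-9a-f]{64}")   # lowercase hex digest, exactly 64 chars


def machine_fingerprint_input(system=None, machine=None, processor=None):
    """Assemble the raw fingerprint input from OS / CPU / architecture context.

    The raw string never leaves the device; only its hash does.
    Defaults read the current host; explicit values keep tests deterministic.
    """
    system = platform.system() if system is None else system
    machine = platform.machine() if machine is None else machine
    processor = platform.processor() if processor is None else processor
    return "|".join((system, machine, processor))


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_device_proof(fingerprint_input: str, installation_id: str) -> dict:
    """Client side: hash both values and tag the proof with its version."""
    return {
        "version": PROOF_VERSION,
        "machine_hash": sha256_hex(fingerprint_input),
        "install_hash": sha256_hex(installation_id),
    }


def proof_headers(proof: dict, bearer_token: str) -> dict:
    """Headers for an authenticated API call: bearer auth plus the hashed proof.

    Header names are assumed for this example.
    """
    return {
        "Authorization": f"Bearer {bearer_token}",
        "X-Device-Proof-Version": proof["version"],
        "X-Device-Machine-Hash": proof["machine_hash"],
        "X-Device-Install-Hash": proof["install_hash"],
    }


def validate_device_proof(headers: dict):
    """API side: accept only the supported version and well-formed digests.

    Returns (ok, reason). The server never needs the raw inputs; once the
    digests pass this check it treats them as opaque keys.
    """
    if headers.get("X-Device-Proof-Version") != PROOF_VERSION:
        return False, "unsupported proof version"
    for name in ("X-Device-Machine-Hash", "X-Device-Install-Hash"):
        if not SHA256_HEX.fullmatch(headers.get(name, "")):
            return False, f"malformed {name}"
    return True, "ok"


if __name__ == "__main__":
    # The installation id is a constructed value; a real client would persist
    # a random identifier generated on first launch.
    proof = build_device_proof(machine_fingerprint_input(), "install-0000-example")
    headers = proof_headers(proof, "bearer-token-example")
    print(headers)
    print(validate_device_proof(headers))
```

The validation step is deliberately the first thing the API does with the proof: an unsupported version or a value that is not a 64-character hex digest is rejected before the proof is looked up or stored, so malformed input never reaches the trial-claim records.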

4) Usage and billing boundaries

Server-side schemas separate responsibilities across:

  • credit balance and credit transaction records
  • trial machine claim records
  • subscription usage cycles and usage events

That means trial grants, paid quotas, consumption, and refunds can be tracked with clear event boundaries instead of opaque counters.

It also supports explicit billing-cycle usage windows for Pro plans.
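The point of separating those records is that every balance change is an explicit, auditable event. The following added example (not Brand Peel's schema or code) sketches that shape in memory: a balance derived purely from credit transactions, a trial claim table keyed by the hashed machine proof so a starter grant can be claimed once per machine, usage events that a consume transaction references, refunds that must match a recorded event exactly once, and a billing-cycle window query. The record names, the in-memory store and the trial credit amount of 10 are assumptions.

```python
"""Credit ledger, trial claims and usage cycles with explicit event boundaries.

Constructed example: an in-memory stand-in for server-side records. Names and
the trial credit amount are assumptions, not the product's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CreditTransaction:
    kind: str       # "trial_grant", "purchase", "consume" or "refund"
    amount: int     # positive credits the account, negative debits it
    ref: str        # usage event id or grant reference, kept for auditing


@dataclass(frozen=True)
class UsageEvent:
    event_id: str
    account_id: str
    cost: int
    at: datetime


class BillingStore:
    def __init__(self, trial_credits: int = 10):   # 10 is a constructed value
        self.trial_credits = trial_credits
        self.transactions: Dict[str, List[CreditTransaction]] = {}
        self.trial_claims: Dict[str, str] = {}      # machine hash -> claiming account
        self.usage_events: Dict[str, UsageEvent] = {}

    def balance(self, account_id: str) -> int:
        # Derived from the transaction log; there is no mutable counter to drift.
        return sum(t.amount for t in self.transactions.get(account_id, []))

    def grant_trial(self, account_id: str, machine_hash: str) -> bool:
        # One starter grant per hashed machine proof, whichever account asks first.
        if machine_hash in self.trial_claims:
            return False
        self.trial_claims[machine_hash] = account_id
        self.transactions.setdefault(account_id, []).append(
            CreditTransaction("trial_grant", self.trial_credits, f"trial:{machine_hash}"))
        return True

    def consume(self, account_id: str, cost: int, event_id: str, at: datetime) -> bool:
        # Reject non-positive costs, replayed event ids and insufficient balance.
        if cost <= 0 or event_id in self.usage_events:
            return False
        if self.balance(account_id) < cost:
            return False
        self.usage_events[event_id] = UsageEvent(event_id, account_id, cost, at)
        self.transactions.setdefault(account_id, []).append(
            CreditTransaction("consume", -cost, event_id))
        return True

    def refund(self, account_id: str, event_id: str) -> bool:
        # A refund must point at a recorded event of this account, at most once.
        event = self.usage_events.get(event_id)
        if event is None or event.account_id != account_id:
            return False
        txns = self.transactions.setdefault(account_id, [])
        if any(t.kind == "refund" and t.ref == event_id for t in txns):
            return False
        txns.append(CreditTransaction("refund", event.cost, event_id))
        return True

    def usage_in_cycle(self, account_id: str, start: datetime, end: datetime) -> int:
        # Gross consumption recorded inside an explicit [start, end) billing window.
        return sum(e.cost for e in self.usage_events.values()
                   if e.account_id == account_id and start <= e.at < end)


if __name__ == "__main__":
    store = BillingStore()
    store.grant_trial("acct-a", "machine-hash-example")
    store.consume("acct-a", 4, "evt-1", utc(2024, 1, 5))
    print("balance:", store.balance("acct-a"))
    print("January usage:", store.usage_in_cycle("acct-a", utc(2024, 1, 1), utc(2024, 2, 1)))
    print("log:", store.transactions["acct-a"])
```

Because the balance is a fold over the log, any dispute about a trial grant, a charge or a refund can be answered by reading the transaction and usage-event records rather than by trusting a stored number.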

5) Why this architecture is useful for real teams

For privacy-conscious teams, this model has practical benefits:

  • local control of high-context brand artifacts
  • explicit network boundary for AI operations
  • auditable usage/billing behavior
  • reduced abuse pressure that helps keep pricing stable

6) Limits and tradeoffs (important)

No architecture removes all risk.

In this model, local data protection still depends on endpoint security practices on your machine. And when you call AI services, request payloads necessarily transit to backend infrastructure for processing.

So the right way to read "privacy-first" is:

  • local-first artifact storage
  • explicit and minimized metadata for trial controls
  • encrypted transport for network operations

Not "no data ever leaves your device under any circumstance."

The short version

Brand Peel's privacy posture is built around clear boundaries:

  1. keep core project artifacts local
  2. use encrypted calls for generation and account operations
  3. use hashed device proof for trial integrity
  4. track usage with explicit, auditable records

If you want the current plan limits and usage model, check pricing.

If you want to evaluate the desktop workflow directly, download the app: brandpeel.merginit.com.