Privacy
BlobberVault is local-first by default. Screenshots, OCR, metadata, tags, embeddings, and generated records stay on your Mac unless you explicitly configure an external service or model provider. Optional OpenAI query planning (when enabled) is metadata-only — never your image bytes as a default vision upload.
What is indexed?
Linked local folders and Capture imports: image/video paths, EXIF-style metadata when present, OCR text, derived tags, embeddings (when the pack is available), and structured Markdown/JSON records. Originals are not copied by default.
Where is it stored?
Vault database and derived artifacts live under
~/Library/Application Support/PhotoKB/.
The on-disk directory name remains PhotoKB for compatibility; the product display name is
BlobberVault.
What leaves the device?
Default Strict Local: no image, thumbnail, crop, or embedding leaves the device during indexing.
Optional OpenAI query planning (when you enable it) sends metadata-only planning prompts — never your image bytes as a default vision upload. Optional Hugging Face model downloads are user-initiated weight fetches.
Which AI providers or models?
- On-device OCR / tagging / Ask packs shipped or downloaded for local use.
- Optional SmolVLM weights via in-app download (not baked into the DMG).
- Optional OpenAI metadata-only planning with a Keychain-stored key.
- Semantic CLIP / faces extras are not claimed as DMG freeze features.
How do I delete vault data?
Use in-app delete / reset flows where available, or remove the Application Support
PhotoKB directory. Uninstalling the .app does not
always wipe Application Support — delete that folder when you want a clean slate.
Where are exports?
Markdown and JSON exports go to locations you choose in Export flows (typically a folder you pick). They are ordinary local files under your control.
Telemetry / analytics?
Desktop app: no metrics SDK in the default build. Nothing leaves your Mac unless you opt into features that explicitly call a cloud API (e.g. OpenAI tagging).
This website: each page load (and Download click) sends
a small beacon to our AWS Lambda counter — no cookies. Unique visitors use a
hashed client IP plus a random session id kept only in
sessionStorage for that browser tab session (salt
server-side; raw IPs are not stored). Aggregate counts are published to public S3
site-stats.json for the hero and
/stats. Optionally, when configured, we may also use
Plausible. Never GitHub Release counters — the repo
stays private.
Download email (optional): before a DMG download you may leave an email for release notes. It is stored in our DynamoDB lead list for product updates only — never sold. Unique emails count toward the public Blobberizers community total. You can always continue without providing an email.
Download compatibility check: the download gate may
display your client IP from a short Lambda
?e=whoami response so you can see what we detected.
That echo is for the UI only — it is not written to a new raw-IP store (visitor uniqueness
still uses a hashed IP as above).
Contact form: messages (email, optional name, message) are stored in our DynamoDB so we can reply. Your email is also added to the same private lead list as optional download emails. Do not send secrets or vault data. Never sold.
Local MCP residual risk
Optional photokb-mcp / Collections fleet ships as a
slim binary in the DMG and is a localhost surface only. Tokens and slice caps are managed
in Settings → Local MCP. Keep BlobberVault running while agents query; treat MCP like any
local API you enable.
Related: Docs · Privacy · Docs · MCP