What Data Leaves Your Machine
Engine is designed to send the minimum necessary context to generate accurate code. Here's the exact data flow:
What IS Sent
- Your prompt — The task description you provide (e.g., "Add JWT authentication")
- Retrieved context snippets — Small, relevant code chunks (~20 snippets, typically 50-200 lines total)
- File structure metadata — File paths and function names to help the AI understand your project
- License key — For authentication and usage tracking
What is NOT Sent
- Your full codebase — We never upload your entire repository
- Environment variables — .env files are excluded by default
- Secrets or credentials — We filter common secret patterns (API keys, passwords) out of snippets before they are sent. Pattern matching is best-effort by nature, so keep secrets in files that are excluded outright (such as .env) rather than relying on the filter alone
- Git history — Only current file contents, never commit history
- Dependencies — node_modules, venv, etc. are excluded
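As an added illustration of the kind of pattern-based filter described above (this is not Engine's own code, and Engine's actual pattern list is not published on this page), the block below redacts a few well-known secret formats from a constructed snippet before it would leave the machine, then runs an entropy heuristic over whatever quoted literals survived. The point it makes is the caveat: the hex signing key matches no pattern and would be sent as-is, which is why excluding sensitive files is the stronger control. The pattern set, threshold and sample code are assumptions for the example.

```python
"""Pattern-based secret redaction, as an added illustration of the kind of
filter the page describes (not Engine's own code; its pattern list is not
published here). Shows what such a filter catches and what it misses."""
import math
import re
from collections import Counter

# Assumed pattern set. Real filters carry many more rules; these four are
# enough to show the mechanism.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key_block", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.S)),
    # name = "value": keep the name, redact only the quoted value
    ("assigned_secret", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)(\s*[:=]\s*)(['\"])([^'\"\n]{8,})\3")),
]

# Any quoted literal of 16+ characters is a candidate for the entropy check.
QUOTED_LITERAL = re.compile(r"(['\"])([^'\"\n]{16,})\1")


def redact(text: str):
    """Replace matches of the known patterns. Returns (redacted_text, names of patterns hit)."""
    findings = []
    for name, pattern in SECRET_PATTERNS:
        def replace(match, name=name):
            findings.append(name)
            if name == "assigned_secret":
                return f"{match.group(1)}{match.group(2)}{match.group(3)}[REDACTED]{match.group(3)}"
            return f"[REDACTED:{name}]"
        text = pattern.sub(replace, text)
    return text, findings


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, English and code low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def high_entropy_literals(text: str, threshold: float = 3.5):
    """Quoted literals the pattern filter left alone but that look like key material."""
    return [lit for _, lit in QUOTED_LITERAL.findall(text)
            if "REDACTED" not in lit and shannon_entropy(lit) >= threshold]


def prepare_snippet(text: str) -> dict:
    """What a client-side filter would do before a snippet leaves the machine."""
    redacted, findings = redact(text)
    return {"text": redacted, "redacted": findings,
            "suspicious": high_entropy_literals(redacted)}


# Constructed sample snippet (the AKIA value is the AWS documentation example key).
SAMPLE_SNIPPET = '''import boto3
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2hunter2"
client = boto3.client("s3", aws_access_key_id=AWS_KEY)
# no pattern names this, so only the entropy heuristic notices it
SIGNING_KEY = "0f1e2d3c4b5a69780f1e2d3c4b5a6978"
'''

if __name__ == "__main__":
    result = prepare_snippet(SAMPLE_SNIPPET)
    print(result["text"])
    print("redacted:", result["redacted"])
    print("left in, but suspicious:", result["suspicious"])
```

Running it redacts the AWS key and the password value but leaves SIGNING_KEY in the text; the entropy check only flags it for a human to look at. A filter can raise the bar, it cannot guarantee that nothing sensitive is in a snippet.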
✓ Your Code is Never Stored
Code snippets sent to our API are processed in memory and immediately discarded. We do not retain, log, or store your source code. The only data we persist is usage metrics (generation count, token usage) for billing purposes.
Local Data Storage
Engine stores data locally in your project's .engine/ directory. This data never leaves your machine:
Rollback Snapshots
Before applying any changes, Engine creates a complete backup of all affected files. Snapshots are stored locally and can be restored instantly with engine rollback last.
Self-Verification Tools
Engine's AI uses three verification tools before generating code. These tools run server-side to validate the AI's output:
- Verifies that referenced files exist in your project before generating imports or dependencies.
- Retrieves actual function signatures from your codebase to ensure correct method calls.
- Validates syntax before output. Python uses AST parsing; TypeScript uses the TypeScript compiler.
These tools prevent common AI mistakes like importing non-existent modules, calling functions with wrong signatures, or generating syntactically invalid code.
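To make the three checks concrete, here is an added local re-implementation of them in Python (this is not Engine's server-side tooling, whose internals the page does not show). The project layout, module names, function signatures and "generated" code are all constructed for the example; the checks themselves are the ones the page lists: does the imported module exist, does each call match the real signature pulled from the AST, and does the candidate parse at all.

```python
"""Local re-implementation, as an added example, of the three checks the page
describes: file existence, real function signatures, and syntax validation.
Not Engine's code; the project, module names and generated code are constructed."""
import ast

# Stand-in for the user's project: path -> source. Engine reads real files.
PROJECT_FILES = {
    "auth/jwt_utils.py": (
        "def create_token(user_id: int, secret: str, ttl_seconds: int = 3600) -> str:\n"
        "    ...\n"
        "def verify_token(token: str, secret: str) -> dict:\n"
        "    ...\n"
    ),
}


def module_path(module: str) -> str:
    return module.replace(".", "/") + ".py"


def file_exists(module: str) -> bool:
    """Check 1: the module the AI wants to import is actually in the project."""
    return module_path(module) in PROJECT_FILES


def get_signatures(source: str) -> dict:
    """Check 2: parameter lists taken from the AST, not from the model's memory.
    Only positional-or-keyword parameters are modelled; *args, **kwargs and
    keyword-only parameters are ignored to keep the example short."""
    sigs = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            params = [a.arg for a in node.args.args]
            sigs[node.name] = {"params": params,
                               "required": len(params) - len(node.args.defaults)}
    return sigs


def validate_syntax(code: str):
    """Check 3: the candidate must parse before anything else is considered."""
    try:
        ast.parse(code)
        return True, "ok"
    except SyntaxError as exc:
        return False, f"line {exc.lineno}: {exc.msg}"


def verify_generated(code: str) -> list:
    """Run the three checks over generated code; an empty list means it passed."""
    ok, msg = validate_syntax(code)
    if not ok:
        return [f"syntax: {msg}"]
    tree = ast.parse(code)
    known = {}  # local name -> signature of the imported project function
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module:
            if not file_exists(node.module):
                problems.append(f"import: {node.module} does not exist in the project")
                continue
            sigs = get_signatures(PROJECT_FILES[module_path(node.module)])
            for alias in node.names:
                if alias.name in sigs:
                    known[alias.asname or alias.name] = sigs[alias.name]
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        sig = known.get(node.func.id)
        if sig is None:
            continue
        keywords = [k.arg for k in node.keywords if k.arg is not None]
        supplied = set(sig["params"][:len(node.args)]) | set(keywords)
        unknown = [k for k in keywords if k not in sig["params"]]
        missing = [p for p in sig["params"][:sig["required"]] if p not in supplied]
        if len(node.args) > len(sig["params"]):
            problems.append(f"call {node.func.id}: too many positional arguments")
        if unknown:
            problems.append(f"call {node.func.id}: unknown keyword(s) {unknown}")
        if missing:
            problems.append(f"call {node.func.id}: missing required {missing}")
    return problems


# Constructed "AI output" with one mistake of each kind the page lists.
GENERATED = (
    "from auth.jwt_utils import create_token\n"
    "from auth.sessions import store_session\n"                      # module does not exist
    "token = create_token(current_user.id)\n"                        # secret is required
    "other = create_token(current_user.id, SECRET, expires=60)\n"    # wrong keyword
)

if __name__ == "__main__":
    for problem in verify_generated(GENERATED):
        print(problem)
```

The generated sample trips all three checks: a missing module, a call without the required secret argument, and an unknown keyword. Note that the signature check only ever sees what is in the AST; it cannot tell you whether SECRET is the right value, only whether the call shape is valid.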
API & Network Security
- TLS 1.3 encryption — All data is transmitted over HTTPS using TLS 1.3
- No third-party analytics — We don't use Google Analytics or tracking pixels
- License-based auth — Simple license key authentication, no OAuth or account passwords stored
- Hosted on Fly.io — Enterprise-grade infrastructure with SOC 2 compliance
- Payments via Stripe — We never see or store your credit card details
Usage Data We Collect
For billing and service improvement, we collect minimal usage metrics:
- Generation count — Number of code generations per billing period
- Token usage — Input/output tokens for cost calculation
- Timestamp — When generations occur (not what was generated)
- Error rates — Anonymous error counts for reliability monitoring
✓ No AI Training
Your code is never used to train AI models. We use Anthropic's Claude API with a commercial agreement that prohibits using customer data for training.
Recommended Practices
For maximum security, we recommend:
- Add .engine/ to .gitignore — Keep local index out of version control
- Review generated code — Always review AI-generated code before committing
- Use rollback — Test changes before deploying; rollback if issues arise
- Exclude sensitive files — Engine respects .gitignore; add sensitive paths there
Questions?
For security questions, concerns, or to report a vulnerability:
Email: [email protected]
We respond to all security inquiries within 24 hours.