Keys and Calls

Understanding how Evvl handles your API keys and routes requests to AI providers.

The Short Version

Your API keys are always stored locally in your browser or desktop app—never on our servers. However, due to browser security restrictions (CORS), some API calls in the web app must be proxied through our server. The desktop app makes all calls directly to providers.

Desktop App: All calls go directly to providers
Web App: Some calls proxied for CORS compatibility
Shared Responses: Stored on our servers when you share

What is CORS?

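CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls when a web page may make requests to a domain other than the one it was loaded from. By default the browser blocks such requests unless the other server opts in. The restriction is designed to protect users from malicious websites.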

When you use the Evvl web app at app.evvl.ai, your browser blocks direct requests to api.openai.com or api.anthropic.com unless those servers explicitly allow it. Some providers do, some don't.
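The sketch below is an added example, not Evvl's code: a simplified model of the preflight check a browser applies before a page at app.evvl.ai may send an API key to another origin. It assumes the key travels in an Authorization header on a POST request; the preflight responses are constructed samples, not captured from any provider, and preflightAllows, route and SAMPLES are hypothetical names.

```javascript
// Added example: simplified model of the browser's CORS preflight decision.
// Assumption: the API key travels in an Authorization header on a POST request.
const tokens = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// res is the preflight (OPTIONS) response: { status, headers } with lowercase header names.
// unsafeHeaders are the request header names that are not CORS-safelisted.
function preflightAllows(origin, method, unsafeHeaders, res) {
  if (res.status < 200 || res.status > 299) return { ok: false, reason: "preflight status not 2xx" };
  const h = res.headers;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin)
    return { ok: false, reason: "origin not allowed" };

  // GET, HEAD and POST are CORS-safelisted methods and need no explicit listing.
  const m = method.toLowerCase();
  const methods = tokens(h["access-control-allow-methods"]);
  if (!["get", "head", "post"].includes(m) && !methods.includes("*") && !methods.includes(m))
    return { ok: false, reason: "method not allowed" };

  const allowed = tokens(h["access-control-allow-headers"]);
  for (const name of unsafeHeaders.map((n) => n.toLowerCase())) {
    // Per the Fetch standard, "*" never covers Authorization: it must be listed by name.
    const coveredByWildcard = allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !coveredByWildcard)
      return { ok: false, reason: `header ${name} not allowed` };
  }
  return { ok: true, reason: "allowed" };
}

const ORIGIN = "https://app.evvl.ai";
const SENT = ["authorization", "content-type"];
// Constructed preflight responses covering three server behaviours.
const SAMPLES = {
  explicit: { status: 204, headers: { "access-control-allow-origin": "*",
    "access-control-allow-headers": "Authorization, Content-Type" } },
  wildcardOnly: { status: 204, headers: { "access-control-allow-origin": "*",
    "access-control-allow-headers": "*" } },
  noCors: { status: 200, headers: {} },
};

// A client would call the provider directly only when the preflight passes.
const route = (res) => (preflightAllows(ORIGIN, "POST", SENT, res).ok ? "direct" : "proxied");
for (const [name, res] of Object.entries(SAMPLES)) console.log(name, "->", route(res));
```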

Provider Breakdown

Provider (models): Web App / Desktop App
OpenAI (GPT-4, GPT-4o, o1, etc.): Proxied / Direct
Anthropic (Claude 3.5, Claude 3, etc.): Proxied / Direct
Google (Gemini Pro, Gemini Ultra, etc.): Direct / Direct
OpenRouter (1,000+ models from various providers): Direct / Direct

How Our Proxy Works

Keys Are Never Stored

Your API key is included in the request header, forwarded to the provider, and immediately discarded. We never write keys to disk, database, or logs.

Prompts Are Not Logged

We don't log, store, or inspect the content of your prompts or the responses from AI providers. The proxy is a pass-through only.

TLS End-to-End

All connections use HTTPS/TLS encryption. Your data is encrypted in transit on each hop: from your browser to our proxy, and from our proxy to the AI provider.

Minimal Footprint

Our proxy is a simple pass-through with no business logic. Requests go in, get forwarded, and responses come back. Nothing more.

Plausible Analytics

We use Plausible Analytics for website analytics on our marketing site and web app. We chose Plausible because it's privacy-focused by design.

What Plausible Does

  • Counts page views and unique visitors
  • Tracks referral sources (how you found us)
  • Records country-level location (not city or IP)
  • Logs device type and browser (aggregate only)

What Plausible Doesn't Do

  • No cookies or persistent identifiers
  • No cross-site or cross-device tracking
  • No personal data collection
  • No data sold to third parties

Plausible is GDPR, CCPA, and PECR compliant out of the box. No cookie banners needed because no cookies are used.

Marketing Site

evvl.ai

We track page views and aggregate download numbers using Plausible Analytics. No personal data is collected, no cookies are used, and we have no way to identify individual visitors.

Analytics: Yes; Prompts Logged: No

Share URLs

share.evvl.ai

By necessity, we store the prompt and response to display them on the shared page. This data is not logged or analyzed, but is technically viewable by us while the share URL is active.

Share URLs and all associated data are automatically expunged when they expire.

Analytics: Yes; Prompts Logged: Yes

Web App

app.evvl.ai

We track success/error events for system health monitoring. No prompts, responses, or personal data are ever logged. Your conversations stay entirely in your browser's local storage.

Analytics: Yes; Prompts Logged: No

Desktop App

Mac, Windows, Linux

Zero tracking, fully offline capable. The desktop app makes all API calls directly to providers and stores all data locally on your machine. We have no visibility into your usage.

Analytics: No; Prompts Logged: No; Auto Update Check: Yes; AI Model List Sync: Yes

Our Recommendation

If you're working with sensitive data or want maximum privacy, use the desktop app. All API calls go directly from your machine to the providers with no intermediary.

The web app is great for quick evaluations and when you're on a machine where you can't install software. The proxy exists solely to work around browser limitations.