Product
Privacy & Permissions
Explicit invocation, encrypted secrets, permission checks, diagnostics redaction, and cleanup controls.
What permissions it needs
| Permission | Why it is needed | Platform notes |
|---|---|---|
| Microphone | record the spoken request for ElevenLabs STT | macOS can prompt directly; Windows is checked at capture time |
| Screen capture | provide visible context to the multimodal provider | macOS opens System Settings; Windows is treated as available |
The setup wizard and settings window expose request and test actions for both permission types.
What gets sent per invocation
On each valid invocation, FlowLens may send:
- one primary-screen screenshot
- one transcribed voice request
- the active mode
- one prior turn of conversation state if a clarifying follow-up is used
FlowLens does not send screenshots, audio, transcripts, or provider requests outside an explicit invocation.
Secret handling
Provider and ElevenLabs API keys are stored through the main process secret store:
- setup/settings send new secret values to main through IPC
- main encrypts them with Electron
safeStorage - encrypted blobs are stored under
app.getPath('userData')/secrets.json - renderer settings snapshots show only configured/masked status
Legacy plaintext apiKeys in migrated config are moved into the secret store and removed from config JSON.
Diagnostics redaction
Diagnostics exports include useful local state without exposing raw sensitive payloads:
- app version
- platform
- generated timestamp
- sanitized config shape
- permission status
- update status
- recent redacted logs
- last error summary
They do not include raw API keys, screenshots, audio buffers, transcripts, or response bodies.
User controls
| Control | Purpose |
|---|---|
| voice playback | disable spoken TTS while keeping visual answers |
| confirm before screenshot | preference for an extra capture confirmation path |
| diagnostics logging | user-facing logging preference |
| clear logs | included in cleanup/factory reset |
| factory reset | clears FlowLens-owned config, secrets, logs, and overlay position |
Current limits
- provider calls are remote, not fully local
- primary-screen capture is used for reliability rather than active-window precision
- automatic redaction of screenshot content is not implemented
- users should avoid invoking FlowLens on screens they would not want sent to the configured provider