Privacy & Security
How claudereview handles your data and protects your sessions.
Overview
claudereview is designed with privacy in mind. All sessions are encrypted before they leave your machine. However, the level of protection depends on how you choose to share:
Password-Protected: True End-to-End Encryption
When you share with --private "password", the encryption key is derived from your password using PBKDF2 (600,000 iterations, SHA-256). The key never leaves your machine and is never stored on the server. claudereview cannot decrypt these sessions even if I wanted to.
Public Links: Encrypted at Rest
When you share without a password, the session is encrypted with a random key. The key is embedded in the URL fragment (#key=xxx). For anonymous shares, the key is only in the URL. For authenticated users, claudereview stores the key so you can view your sessions from the dashboard.
How Encryption Works
Password-Protected Sessions (True E2E)
┌─────────────┐     ┌──────────────────┐     ┌────────────────┐
│  Your CLI   │────▶│ Password + Salt  │────▶│     PBKDF2     │
│             │     │                  │     │ Key Derivation │
└─────────────┘     └──────────────────┘     └───────┬────────┘
                                                     │
                                                     ▼
                                             ┌──────────────┐
                                             │   AES-256    │
                                             │  Encryption  │
                                             └───────┬──────┘
                                                     │
            ┌────────────────────────────────────────┘
            ▼
┌───────────────────────┐
│    Encrypted Blob     │────▶ Server stores:
│     (unreadable)      │      • Encrypted blob
└───────────────────────┘      • Salt (for key derivation)
                               • Metadata (owner-only)*
* Metadata is stored but only visible to you (the owner) in your dashboard.
The public API does NOT expose metadata for password-protected sessions.
Public Link Sessions
┌─────────────┐     ┌──────────────────┐     ┌─────────────┐
│  Your CLI   │────▶│  Random 256-bit  │────▶│   AES-256   │
│             │     │       Key        │     │ Encryption  │
└─────────────┘     └──────────────────┘     └──────┬──────┘
                                                    │
            ┌───────────────────────────────────────┘
            ▼
┌───────────────────────┐
│    Encrypted Blob     │────▶ Server stores:
│     (unreadable)      │      • Encrypted blob
└───────────────────────┘      • Metadata
                               • Key (for authenticated users only)
URL: claudereview.com/s/abc123#key=xxxxx
                               └─────┘
                    Fragment never sent to server
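The two flows described above (password-derived key, and random key carried in the URL fragment), sketched in Node.js as an added example that is not claudereview's own code. Assumptions: AES-256-GCM as the mode, a 16-byte salt, a 12-byte IV, base64url encoding of the key in the fragment, the https scheme, and all function names.

```javascript
// Added example, not claudereview's code. GCM mode, salt/IV sizes and the
// base64url key encoding are assumptions; the page states only "AES-256".
const nodeCrypto = require('node:crypto');

const PBKDF2_ITERATIONS = 600000; // iteration count stated on the page
const deriveKey = (password, salt) =>
  nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');

function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh IV per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

function unseal(key, { iv, body, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // final() throws if key or data is wrong
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// --private "password": the stored record holds blob + salt, never the key.
function sharePrivate(password, session) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, blob: seal(deriveKey(password, salt), session) };
}
const openPrivate = (password, record) =>
  unseal(deriveKey(password, record.salt), record.blob);

// Public link: a random 256-bit key that travels only in the URL fragment.
function sharePublic(id, session) {
  const key = nodeCrypto.randomBytes(32);
  const url = `https://claudereview.com/s/${id}#key=${key.toString('base64url')}`;
  return { url, record: { blob: seal(key, session) } };
}

// What an HTTP client sends on the request line: path + query, no fragment.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

function openPublic(shareUrl, record) {
  const fragment = new URL(shareUrl).hash.slice(1); // "key=..."
  const key = Buffer.from(new URLSearchParams(fragment).get('key'), 'base64url');
  return unseal(key, record.blob);
}
```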
What Gets Stored
| Data | Public (Anonymous) | Public (Signed In) | Password-Protected |
|---|---|---|---|
| Encrypted session blob | ✓ | ✓ | ✓ |
| Session title | ✓ | ✓ | 🔒 Owner only |
| Message/tool counts | ✓ | ✓ | 🔒 Owner only |
| Encryption key | ✗ (URL only) | ✓ (for dashboard) | ✗ (derived from password) |
| User association | ✗ | ✓ | ✓ (if signed in) |
| Salt (for key derivation) | ✗ | ✗ | ✓ |
Can claudereview Read Your Sessions?
- Password-protected sessions: No. The key is derived from your password and never stored. claudereview cannot decrypt these even with database access.
- Public sessions (signed in): Technically yes. claudereview stores the encryption key to enable dashboard viewing. However, I do not access session content and the code is open source for you to verify.
- Public sessions (anonymous): No. The key exists only in the URL fragment, which is never sent to the server.
Recommendations
- Use --private "password" for sensitive sessions that you want to guarantee cannot be read by anyone (including me)
- Share public links for routine code reviews where convenience matters more than maximum privacy
- If you lose a password for a private session, the session is unrecoverable by design
Open Source
claudereview is open source. You can audit the code yourself:
Data Retention
- Sessions are stored indefinitely unless you delete them from your dashboard
- Anonymous sessions cannot be deleted (you don't own them)
- I may add session expiration features in the future
Questions?
Open an issue on GitHub.