AICoven app iconAICoven
Join Beta
← Back to Blog

The Middleman Attack: Why Your AI Wrapper is Logging Your Code

Andreea

If you aren't using your own API key, you are trusting a middleman.

That free "AI Wrapper" app you downloaded sits right between you and the provider. It can read your messages, log your code snippets, and see your API keys. And you agreed to let it.

There is a massive privacy firewall between consumer apps (ChatGPT, Claude.ai, Gemini) and their developer API equivalents. Most people don't realise they're agreeing to two completely different Terms of Service depending on how they access the same models.

The Breakdown

OpenAI (ChatGPT vs. API)

  • ChatGPT (Consumer): By default, OpenAI uses your conversations, code snippets, and uploads to train future models. You can opt out in settings, but the default is opted in.
  • API (Developer/BYOK): Data submitted through the API is not used to train models. Retained for 30 days for abuse monitoring only. Zero-day retention is available for sensitive use cases.

Anthropic (Claude vs. API)

  • Claude (Consumer): As of late 2024, consumer chats can be used to improve future models unless you manually opt out. If you leave it on, they retain data for up to 5 years.
  • API (Commercial): Not used for training. Your data belongs to you.

Google (Gemini App vs. API)

  • Gemini App (Consumer): Chats may be reviewed by human reviewers and used to enhance Google products.
  • Gemini API (Paid): Data is not used to train foundational models. Logged temporarily for policy violation checks only.

Why This Matters for Developer Tools

When you use a standard AI wrapper app where they provide the AI, they're often operating under the consumer terms — or worse, they're logging your data on their own servers before forwarding it to the API.

Your codebase, your API keys, your internal documentation — all passing through a middleman.

How AICoven Handles This

AICoven is a Bring Your Own Key (BYOK) client. Your machine talks directly to the API endpoints:

  • Developer-grade privacy by default. Your API key means you automatically inherit the strict non-training, non-retention policies of the developer API tier.
  • No proxy server. No intermediary can scrape your code, capture your API key, or train a model on your workflows.

On the local version, there is no proxy at all. On the cloud version, your key encrypts your messages end-to-end — we can't see them even if we wanted to. They're decrypted in RAM for the seconds needed to send to your AI provider, then gone.

If you care about what happens to your code after you hit Enter, check how your current tool handles it — and whether you're on the consumer tier or the API tier. The difference is significant.

About the Author

I'm Andreea, the creator of AICoven. I build local-first tools for developers who care about architecture, privacy, and prompt economics.

See more of my work at papillonmakes.tech →