1. The architecture is the security model
The Interviewary extension is fully client-side, with no user accounts. We never receive your API keys, audio, transcripts, résumés, or reports — so there is no central honeypot of interview content for an attacker to target. The only data we store is the contact details you submit to download the extension and, if you opt in, anonymous usage events (see section 4) — both kept in a database protected by insert-only access rules.
2. Where your keys live
- Your Deepgram and LLM provider keys are stored in chrome.storage.local, scoped to the extension on your own device.
- They are never transmitted to us and are not synced across devices.
- They are sent only to their respective providers’ official API endpoints to authenticate your own requests.
- You can wipe them at any time by clearing the extension’s storage or removing the extension.
3. How your data flows
During an interview, data moves directly between your browser and the services you chose:
- Audio → Deepgram. Tab audio is streamed over an encrypted WebSocket (wss://) to Deepgram for transcription.
- Transcript + documents → your LLM. Text is sent over HTTPS to the LLM provider you configured to generate questions, evaluations, and the report.
- Only opt-in analytics → us. No copy of your audio, transcript, documents, or report is routed through or stored on infrastructure we operate. The sole exception is anonymous usage events — and only if you turned analytics on in Settings.
The extension requests only the Chrome permissions it needs — tab capture for the Meet audio, side panel, active tab, and local storage — plus host permissions limited to the transcription and LLM provider domains.
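One way to check the permission claim above against an unpacked copy of the extension. This is an added example, not Interviewary's code. The mapping of the four permissions to Chrome's manifest identifiers, the host allowlist (api.deepgram.com plus a placeholder LLM host) and both sample manifests are assumptions constructed here.

```javascript
// Audit a Manifest V3 manifest against a stated least-privilege policy.
// Assumed mapping of the paragraph's wording to Chrome permission identifiers.
const ALLOWED_PERMISSIONS = new Set(["tabCapture", "sidePanel", "activeTab", "storage"]);
// Assumed allowlist: the second entry is a placeholder for the configured LLM provider.
const ALLOWED_HOSTS = new Set(["api.deepgram.com", "api.llm-provider.example"]);

// Returns the host of a pattern pinned to one HTTPS host, or null for anything
// broader (<all_urls>, *://, http://, wildcard subdomains).
function pinnedHttpsHost(pattern) {
  const m = /^https:\/\/([^/*]+)\//.exec(pattern);
  return m ? m[1].toLowerCase() : null;
}

function auditManifest(manifest) {
  const findings = [];
  // Optional permissions count too: they can be granted later at runtime.
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) {
    if (!ALLOWED_PERMISSIONS.has(p)) findings.push(`unexpected permission: ${p}`);
  }
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  for (const pattern of hosts) {
    const host = pinnedHttpsHost(pattern);
    if (host === null) findings.push(`not pinned to one HTTPS host: ${pattern}`);
    else if (!ALLOWED_HOSTS.has(host)) findings.push(`unexpected host: ${host}`);
  }
  return findings;
}

// Constructed sample manifests (not taken from the real extension).
const COMPLIANT = {
  manifest_version: 3,
  permissions: ["tabCapture", "sidePanel", "activeTab", "storage"],
  host_permissions: ["https://api.deepgram.com/*", "https://api.llm-provider.example/*"],
};
const DRIFTED = {
  manifest_version: 3,
  permissions: ["tabCapture", "storage", "history"],
  host_permissions: ["https://api.deepgram.com/*", "<all_urls>", "https://telemetry.example/*"],
};

console.log(auditManifest(COMPLIANT)); // no findings
console.log(auditManifest(DRIFTED));   // one finding per deviation
```

To use it on a real install, parse the manifest.json from the unpacked extension directory and pass the object to auditManifest, and re-run it after each update to catch permission drift.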
4. Data retention
Session data (audio, transcript, evaluations) is held in memory only and is discarded when you close the side panel. The single exception is a report you explicitly download, which is saved to your computer under your control. Retention of the text you send to providers is governed by those providers’ own policies and dashboards.
Separately, the two things we do store live in our database (Supabase): the contact details you submit to download, and any opt-in anonymous usage events. Both sit behind Row-Level Security that permits inserts only — the public key shipped in the app cannot read anyone’s rows back. Email us to have your contact details removed.
5. Your responsibilities
Because you hold the keys, a few practices keep you safe:
- Treat your API keys like passwords; don’t share them or commit them anywhere.
- Scope and rotate keys with your providers, and set spending limits where available.
- Only install the extension from the official download on this site.
- Obtain any recording/transcription consent required in your and the candidate’s jurisdiction.
6. Responsible disclosure
We welcome reports from security researchers. If you believe you’ve found a vulnerability in the extension or this site, please email sricharan.rayala@dotportion.com with details and steps to reproduce. Please give us a reasonable opportunity to investigate and remediate before any public disclosure, and avoid accessing or modifying data that isn’t yours while testing.
7. Prototype caveat
Interviewary is an early prototype and has not undergone a formal third-party security audit. Evaluate it accordingly before using it with sensitive candidate information.
8. Contact
Security questions or reports: sricharan.rayala@dotportion.com.