Security & data handling
LockStack is a desktop application. After install, the AI engine runs entirely on your own PC and never contacts our servers. Here is exactly what leaves your machine, what stays on it, and how to verify both.
What stays on your machine
- Your wedge inputs — audience, theme, query, business details. Never transmitted.
- Generated content — the 30 posts, schema files, social adaptations, calendar files. Written directly to your Downloads folder.
- Saved campaigns — full snapshots stored as local files you control.
- The AI model itself — bundled GGUF model file runs via a local `llama-server` subprocess on your CPU. No cloud LLM is contacted.
- Prompts — compiled into the binary. The JavaScript frontend never sees them, so they cannot be exfiltrated through browser dev tools.
What leaves your machine
Two things, both during purchase only:
- Your email address — submitted to Lemon Squeezy at checkout, then forwarded to us so we can deliver your license key by email.
- Purchase metadata — product purchased, price, traffic source (UTM parameter from your inbound link). Used for sales analytics on our own admin dashboard.
The desktop application itself sends nothing. No usage telemetry. No crash reports. No analytics. No update pings. After install, you can disconnect from the internet and the app continues to work.
How to verify
- Block network traffic. Run the app behind a firewall that blocks all outbound connections. Generate a campaign. It will complete normally.
- Inspect the binary. The installer and EXE contents are open for inspection. `strings` the binary, `grep` for network code, monitor with Wireshark — you will not see remote endpoints called by the app at runtime.
- Read the source of `llama-server`. The bundled inference subprocess is the open-source llama.cpp server. Listens only on `127.0.0.1`.
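One way to check the loopback-only claim on a running install, as an added example that is not LockStack's own code: it parses `netstat -ano` output and reports every socket owned by the PIDs you pass in that is not confined to loopback. The sample output and its PIDs are constructed (7312 stands in for `llama-server.exe`, 6920 for the app process); take real PIDs from Task Manager or `tasklist`.

```python
import ipaddress

# Constructed `netstat -ano` output (Windows format); PIDs and ports are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1104
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       7312
  TCP    127.0.0.1:8080         127.0.0.1:52144        ESTABLISHED     7312
  TCP    127.0.0.1:52144        127.0.0.1:8080         ESTABLISHED     6920
  TCP    192.168.1.20:52190     203.0.113.7:443        ESTABLISHED     4488
  TCP    [::1]:49670            [::]:0                 LISTENING       1104
  UDP    0.0.0.0:5353           *:*                                    2216
"""

def host_of(endpoint):
    """Return the host part of 'host:port' or '[v6addr]:port'."""
    host = endpoint.rpartition(":")[0]
    return host.strip("[]").split("%")[0]  # drop brackets and IPv6 zone id

def classify(host):
    """Return 'loopback', 'unspecified' (0.0.0.0, ::, *) or 'other'."""
    if host == "*":
        return "unspecified"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "other"
    if addr.is_loopback:
        return "loopback"
    return "unspecified" if addr.is_unspecified else "other"

def non_loopback_sockets(netstat_text, pids):
    """List (pid, proto, local, remote) rows owned by `pids` that leave loopback."""
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        pid, local, remote = int(f[-1]), f[1], f[2]
        if pid not in pids:
            continue
        bound_ok = classify(host_of(local)) == "loopback"  # 0.0.0.0 is exposed
        peer_ok = classify(host_of(remote)) in ("loopback", "unspecified")
        if not (bound_ok and peer_ok):
            findings.append((pid, f[0], local, remote))
    return findings

if __name__ == "__main__":
    print(non_loopback_sockets(SAMPLE_NETSTAT, {7312, 6920}))
```

A single snapshot only shows sockets open at that instant, so capture it repeatedly while a campaign is generating.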
Architecture at a glance
| Component | Location | Network |
|---|---|---|
| Tauri shell (UI) | Your PC | None |
| Backend logic (Rust) | Your PC | None |
| Inference subprocess (llama-server.exe) | Your PC | 127.0.0.1 loopback only |
| AI model (GGUF) | Your PC, bundled with installer | None |
| License check | None | None — offline activation |
Subprocessors (purchase flow only)
For checkout and license email delivery we rely on:
- Lemon Squeezy — payment processor and merchant of record (privacy policy).
- Resend — transactional email delivery for license keys (privacy policy).
See Data Processing for the full subprocessor list and what each receives.
Reporting a vulnerability
Please email hello@lockstack.net with details. We respond within one business day. Coordinated disclosure preferred — give us a reasonable window to patch before public disclosure.