Network traffic analysis

First-paint requests (page load)

These fire once when the editor opens. They are static assets: HTML, CSS, JavaScript, fonts.

• index.html — the editor shell, ~3 KB.
• main.[hash].js — the React bundle, ~1.4 MB gzipped. Contains the entire editor logic.
• main.[hash].css — Tailwind styles, ~30 KB.
• Google Fonts — Fraunces + Bricolage Grotesque, loaded from fonts.gstatic.com. Replaceable with a self-hosted copy if you prefer zero third-party requests. Logged for transparency.

None of these carry user data. They are the same requests every visitor's browser makes.

During editing: zero

Once the editor is loaded, scrubbing, cutting, adding transitions, applying color grades, and exporting fire zero outbound HTTP requests. The browser's WebCodecs / FFmpeg.wasm / MediaRecorder do the work; there is nothing for our servers to be involved in.

Optional cloud features (opt-in)

Some AI features call our backend, which calls an LLM provider. These are individually toggled by the user — none fire automatically.

• POST /api/transcribe — when you click 'Auto-Captions'. Sends the extracted audio track (not the video) to Whisper. The audio is processed and deleted within seconds; we retain only the resulting subtitle text.
• POST /api/director/suggest — when you click 'AI Director'. Sends a description of your timeline (clip count, lengths, type tags) — not the video itself — to Claude for editing suggestions.
• POST /api/broll/generate — when you click 'Generate B-Roll'. Sends a text prompt to Sora 2 or Gemini Image Gen. Your existing footage is not transmitted.

Privacy Mode (toggle in the header) disables all of these in one click.

Always-on housekeeping

• POST /api/analytics/page-view — page-load beacon. Sends path, referrer host, UTM tags, user-agent bucket (desktop / mobile). No identifiers, no content.
• GET /api/auth/me — checks if you're signed in. Sends the session cookie, returns user email + tier.
• Stripe.js — loaded only on the pricing page. No upfront tracking.