Privacy

Built so an agent can run loose without burning the house down.

Every action is logged. Every site has its own permissions. The vault stays encrypted. Sync never sends plaintext anywhere.

Agent firewall

The agent works for you. Not the other way around.

An AI that can browse the open web is powerful. It’s also dangerous if you can’t control it. So we built the controls first.

Approval before action

The agent pauses before sensitive actions — file writes, payments, destructive commands — and waits for your tap.

Per-service rules

Allow Gmail reads automatically. Require approval for Gmail sends. Block third-party MCP servers entirely. Each service is its own policy.

Per-action rules

Within a service, control which actions need approval. Let the agent read calendars without prompting; require approval to delete events.

Per-sender rules

When the agent is acting in chat, you can scope rules to which agent is asking — tighter for "research" agents, looser for "primary" agents.

Spending limits

Daily and per-task token budgets. Hit the cap, the agent stops. No silent overruns.

Threat detection

Every page the agent reads is scanned for prompt-injection, hidden instructions, exfiltration phrasing, zero-width tricks, and token-flood payloads. Detections raise an in-app alert and are logged to the threat log in Settings, where you can review and dismiss them.

Audit log

Every tool call. Every action. Every page.

You don’t need to trust the agent. You can verify it.

Every action recorded

Tool name, arguments, result, timestamp, agent identity. Persisted in a local SQLite log.

Searchable

Filter by tool, by agent, by time range. Find every Gmail send, every file write, every navigation.

Linked to chat turns

Click any audit row to jump to the chat turn that triggered it.

Local-only

The audit log lives on your disk. Nothing is sent to the cloud. Future sync will be E2E like the vault.

Site permissions

Per-site, per-action.

You decide what the agent can do on each site. Read pages, click links, fill forms, autofill credentials — each is a separate toggle.

Read

Allow the agent to extract content from this site. Off by default for sensitive sites (banking, health).

Click

Allow the agent to click links and buttons.

Form fill

Allow the agent to fill forms (search boxes, drafts).

Autofill credentials

Allow the agent to use saved passwords. Off by default. Requires a per-site explicit grant.

File access zones

Configured "safe" directories where local-files skills can read and write. Outside the zones, file ops fail closed.
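One way a fail-closed zone check can be written, as an added example that is not Egg's code; `canonical` and `isInsideZone` are hypothetical names. It resolves symlinks before comparing, compares by path segment rather than string prefix, and denies on any resolution error.

```javascript
const fs = require("node:fs");
const path = require("node:path");

// Resolve symlinks on the longest existing prefix, so a file that does not
// exist yet can still be checked before it is written.
function canonical(p) {
  let head = path.resolve(p); // also collapses "." and ".." segments
  const tail = [];
  for (;;) {
    try {
      return path.join(fs.realpathSync(head), ...tail);
    } catch (err) {
      // A dangling symlink exists for lstat but not for realpath: refuse it,
      // because a later write would follow it to wherever it points.
      if (err.code !== "ENOENT" || fs.lstatSync(head, { throwIfNoEntry: false })) throw err;
      const parent = path.dirname(head);
      if (parent === head) throw err;
      tail.unshift(path.basename(head));
      head = parent;
    }
  }
}

// True only if `requested` resolves to a zone root or something beneath it.
function isInsideZone(zones, requested) {
  try {
    const target = canonical(requested);
    return zones.some((zone) => {
      const rel = path.relative(canonical(zone), target);
      const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
      return !escapes; // "" means the zone root itself
    });
  } catch {
    return false; // fail closed: any resolution error denies the operation
  }
}
```

The check and the later file operation are separate steps, so a real implementation also has to keep the path from changing between them, for example by opening the file once and working on the handle.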

Site info panel

Click the shield in the address bar for a unified view: current permissions, tracker count, cookies, ad-block status, mute, forget-this-site.

Network-layer privacy

Privacy below the page.

Egg blocks tracking before content even loads. Always-on protections plus optional, more aggressive layers.

Tracker blocking

~90 known ad/tracker domains blocked at the network layer. Per-site whitelist via the shield panel.

Tracking parameter strip

40+ tracking params (utm_*, fbclid, gclid, msclkid, ...) stripped from URLs on load and on copy.
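A sketch of tracking-parameter stripping as described above, added as an example and not Egg's code. The blocklist is a constructed subset built from the four names this page lists; the function filters the raw query string so the parameters that remain keep their original encoding.

```javascript
// Constructed subset: the page names utm_*, fbclid, gclid and msclkid.
const EXACT_NAMES = new Set(["fbclid", "gclid", "msclkid"]);
const NAME_PREFIXES = ["utm_"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return EXACT_NAMES.has(n) || NAME_PREFIXES.some((p) => n.startsWith(p));
}

function stripTrackingParams(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return rawUrl; // not an absolute URL: leave it untouched
  }
  // Only rewrite web URLs that actually carry a query string.
  if (!/^https?:$/.test(url.protocol) || url.search.length < 2) return rawUrl;

  const kept = url.search.slice(1).split("&").filter((pair) => {
    if (pair === "") return false;
    const rawName = pair.split("=", 1)[0].replace(/\+/g, " ");
    let name;
    try {
      name = decodeURIComponent(rawName); // catches %75tm_source and similar
    } catch {
      return true; // malformed escape: not ours to judge, keep it
    }
    return !isTrackingParam(name);
  });

  url.search = kept.length ? "?" + kept.join("&") : "";
  return url.toString(); // path and #fragment are preserved
}
```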

Bounce-tracking bypass

Sites that route you through tracker domains to set cookies are detected and skipped.

Referrer protection

Tighter Referer policy than Chromium default. Sites can’t see exactly where you came from.

Prefetch & preconnect blocked

Browsers ping ad networks before you click. Egg blocks that.

Clipboard gating

Sites can’t silently read your clipboard. Pasting requires user action.

Optional: WebRTC leak prevention

Hide your local IP from sites that abuse WebRTC’s ICE candidates.

Optional: sensor API blocking

Block DeviceOrientationEvent, DeviceMotionEvent, ambient light. Useful for fingerprinting resistance.

Optional: cookie banner auto-dismiss

Dismiss EU cookie banners automatically without clicking Accept All.

Tracking prevention levels

None → Basic → Balanced (default) → Strict. Per-profile setting.

Per-site controls

Tight grip on each site.

Sometimes you don’t want privacy as a global toggle — you want it as a per-site decision.

[Screenshot: Egg's site info panel showing tracker counts, cookie counts, ad-block toggle, tracking level, audio mute, notifications, and forget-this-site action]

Whitelist ad blocker per site

Disable ad-blocking on sites you want to support. Re-enable elsewhere.

Forget this site

One click removes all cookies, storage, history, cache, and saved data for a site.

Per-site mute

Auto-muted sites, persistent across sessions.

Cookie inspector

View, search, edit, and delete cookies per site. Same panel as the site permissions.

Idle override

Per-tab toggle to make a backgrounded site keep working without throttling.

Vault & encryption

Encrypted at rest. Encrypted in transit.

Passwords, passkeys, and sync blobs are end-to-end encrypted. The cloud relay only ever sees ciphertext.

Encrypted local vault

Master-password protected. Locked vaults park sync deliveries in a pending queue and drain on unlock — nothing decrypts before you authenticate.

Self-authored WebAuthn authenticator

Passkeys are stored encrypted. Two AAGUIDs — one for synced, one for device-bound.

E2E-encrypted sync

AES-256-GCM with X25519 ECDH key exchange between paired devices. The cloud holds opaque blobs only. No account, no master server.

Replay protection

Monotonic counters on every sync envelope so attackers can’t replay an old encrypted blob.
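The sync encryption and replay protection described above, sketched with Node's built-in crypto as an added example that is not Egg's code. The envelope layout, the HKDF step and its label, and all function names are assumptions; the page states only AES-256-GCM, X25519 ECDH and monotonic counters.

```javascript
const { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes,
        createCipheriv, createDecipheriv } = require("node:crypto");

// Each device combines its own X25519 private key with the peer's public key.
// HKDF-SHA256 and the "example-sync-v1" label are assumptions of this sketch.
function deriveKey(myPrivate, peerPublic) {
  const shared = diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(hkdfSync("sha256", shared, Buffer.alloc(0), "example-sync-v1", 32));
}

function counterBytes(counter) {
  const buf = Buffer.alloc(8);
  buf.writeBigUInt64BE(BigInt(counter));
  return buf;
}

// Sender: the counter is readable by the relay but authenticated as AAD,
// so an old blob cannot be renumbered to look fresh.
function seal(key, counter, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(counterBytes(counter));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { counter, iv, ct, tag: cipher.getAuthTag() };
}

// Receiver: remembers the highest counter it has accepted from this peer.
function makeReceiver(key) {
  let last = 0;
  return function open(env) {
    const fresh = Number.isSafeInteger(env.counter) && env.counter > last;
    if (!fresh) throw new Error("replayed or stale envelope");
    const decipher = createDecipheriv("aes-256-gcm", key, env.iv);
    decipher.setAAD(counterBytes(env.counter));
    decipher.setAuthTag(env.tag);
    const pt = Buffer.concat([decipher.update(env.ct), decipher.final()]); // throws if tampered
    last = env.counter; // advance only after the tag verifies
    return pt.toString("utf8");
  };
}

// Constructed demo: deliver envelope 1, then have the relay resend it.
function demo() {
  const a = generateKeyPairSync("x25519"), b = generateKeyPairSync("x25519");
  const open = makeReceiver(deriveKey(b.privateKey, a.publicKey));
  const env = seal(deriveKey(a.privateKey, b.publicKey), 1, "bookmark added");
  const first = open(env);
  try { open(env); return [first, "accepted twice"]; } catch (e) { return [first, e.message]; }
}
```

A receiver that persists `last` across restarts keeps the protection after a relaunch; one that resets it to zero accepts every old envelope again.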

Pairing verification

Short Authentication String (SAS) verification on first connect — you confirm a 6-character code matches on both devices.

Settings allow-list

Only keys explicitly marked syncable cross devices. Local-only keys (file paths, install state) stay put.

Wallet

Limits the agent can’t exceed.

If the agent is buying things, it’s spending real money. The wallet enforces ceilings before the firewall even gets the request.

Spending limits

Daily, weekly, monthly caps on agent-initiated payments. Hard stop, not soft warn.

Per-merchant rules

Allow this merchant up to $X. Block that one entirely. Require manual approval over $Y.

Payment method controls

Restrict which saved cards the agent can use. Lock high-balance accounts to manual approval.

Audit trail

Every agent-initiated payment lands in the audit log with merchant, amount, and approval chain.

Telemetry

Egg doesn’t phone home.

No usage analytics. No crash reports phoned home by default. No "AI improvement" data sharing.

No telemetry

The Egg app and Gateway daemon don’t send usage events anywhere. The cloud relay only carries E2E-encrypted sync.

Crash logs are local

Crash dumps land on your disk. You can review them, opt to share, or delete.

API calls go direct

BYOK keys hit the model provider directly — no Egg-operated proxy in the path. The third-party services we proxy (TTS, places, etc.) are clearly listed in Settings.

Optional sign-up

Egg works without an account. Account features (sync invites, publish links) layer on if you want them.

What’s next

Try it.

Free to download. Bring your own API key.
