Runs entirely in your browser via the Web Crypto API (RFC 6238 / RFC 4226). No requests, no cookies — your secret never leaves this device. Accounts are saved in your browser, so they're still here after a refresh. Want them gone? Just clear site data for this site and they're wiped.