Privacy - rootiest/obsidian-ai-image-ocr GitHub Wiki

🔐 Privacy & Anonymity

Your privacy is a top priority for the AI Image OCR Plugin.
We do not collect or store any personal data, images, or extracted text.


🌐 CORS Proxy Usage

The plugin may use a self-hosted CORS proxy at
https://corsproxy.rootiest.com
to fetch external images only when ALL of the following are true:

  1. You run the "Extract from an embedded image" command.
  2. The image is not already downloaded into your vault.
  3. The image is hosted on a domain external to your vault
    (e.g., not a local network or same-origin path).
  4. CORS restrictions prevent direct access to the image.

🧠 Why This Is Necessary

While Obsidian can display images from the web without issue, plugins must still follow the security rules enforced by the Obsidian application (since it is built on Electron and Chromium). One of these rules is the Same-Origin Policy, which blocks plugins from directly accessing image data hosted on a different domain unless the server explicitly allows it via CORS headers.

When a server does not allow cross-origin requests, the plugin cannot access the image content directly. In those cases, a proxy server is needed to fetch the image on the plugin's behalf and safely bypass these restrictions.
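
The four conditions listed earlier and the CORS rule described here, as an added JavaScript example (not the plugin's own code) that models whether an image URL would be sent to the proxy. The function names, the `extract-embedded-image` command id and the `app://obsidian.md` origin are assumptions; in the real application the browser engine enforces the CORS check itself, so the headers are passed in here only to make the rule visible.

```javascript
// Added example. Function names, the command id and the sample values are assumptions.

// Condition 3: true when the host is outside the local machine or private network.
// new URL() has already normalised odd IPv4 spellings (e.g. 0x7f.1 -> 127.0.0.1).
function isExternalHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // IPv6 arrives as [::1]
  if (host === "localhost" || host.endsWith(".local")) return false;
  const v4 = host.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return !(a === 10 || a === 127 || (a === 192 && b === 168) ||
             (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254));
  }
  if (host.includes(":")) { // IPv6: loopback, unique-local fc00::/7, link-local fe80::/10
    return !(host === "::1" || /^f[cd]/.test(host) || /^fe[89ab]/.test(host));
  }
  return true;
}

// Condition 4: the browser only exposes the body if this header names the caller or "*".
function corsAllowsRead(responseHeaders, origin) {
  const allow = responseHeaders["access-control-allow-origin"];
  return allow === "*" || allow === origin;
}

// True only when all four listed conditions hold, i.e. the image URL would go to the proxy.
function wouldUseProxy({ command, inVault, imageUrl, responseHeaders, origin }) {
  if (command !== "extract-embedded-image") return false;   // 1
  if (inVault) return false;                                 // 2
  const url = new URL(imageUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (!isExternalHost(url.hostname)) return false;           // 3
  return !corsAllowsRead(responseHeaders, origin);           // 4
}

// Constructed sample inputs.
const sample = { command: "extract-embedded-image", inVault: false, origin: "app://obsidian.md" };
for (const [imageUrl, responseHeaders] of [
  ["https://images.example.com/scan.png", {}],
  ["https://cdn.example.org/scan.png", { "access-control-allow-origin": "*" }],
  ["http://192.168.1.20/scan.png", {}],
]) {
  console.log(imageUrl, "->", wouldUseProxy({ ...sample, imageUrl, responseHeaders }) ? "proxy" : "no proxy");
}
```

A check like this is useful for auditing a note before running the command: any URL it flags is one whose address would be disclosed to the proxy host.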

🔒 What This Means for You

  • Traffic is not routed through Cloudflare or any third-party proxy.
    DNS resolution for the proxy domain may involve standard DNS providers.
  • The plugin does not retain any data or metadata from your requests.
  • The proxy server may log basic (anonymous) request metadata (such as timestamp and image URL) only for debugging. These logs are not stored long-term and are automatically removed within 7 days.
  • Communication with the proxy is fully encrypted over HTTPS.
  • Only the URL of the image is sent—no personal info or extra headers are included.

🤖 AI Provider Considerations

When using cloud-based AI models, it is important to understand that:

  • Your images and extracted text may be used for model training, depending on the provider and plan.
  • As a general rule:

    If you're not paying for the API, your data is probably not private.

📌 Gemini API Specifics

  • The free-tier Gemini API does use your data for training.
  • If you add a credit card or payment method, your account becomes a "paid" account:
    • This disables data sharing with Google for training purposes, even if your usage stays within free-tier limits.
    • Charges will apply only if you exceed the free quota.

✅ Result: You can use Gemini for free and keep your data private by registering a paid-tier account with billing enabled.


🖥️ Local and Self-Hosted Models

Local providers such as Ollama or self-hosted models do not transmit data to third-party servers. They generally offer complete data privacy, assuming your local environment is secure.

Still, it's wise to review the privacy policies or documentation for any tool or model you use.


If you have additional concerns or would like to suggest more privacy-related features or settings, feel free to open a discussion or issue on the plugin repository.