Phurpa Tsering
Why Privacy Matters in API Development: The Data Your Client Sends Home
Your API client knows more about your work than almost any other tool on your machine. It holds your auth tokens. Your internal staging URLs. The shape of endpoints you haven't shipped yet. Request bodies with real customer data in them. The question worth asking before you trust one isn't whether it's convenient. It's where all of that goes.
Most of that data should never leave your computer. Some of it leaves anyway. Not through the requests you send on purpose, but through telemetry: the usage data a client reports back to its makers in the background, separate from anything you asked it to do.
Three things people blur together
It helps to keep these apart, because a tool can do all three, one, or none of them:
- Telemetry — events your client sends about you (app started, request run, version, OS), usually to an analytics service, while you work.
- Cloud sync — your actual collections, environments, and history, stored on a vendor's servers instead of on your disk.
- Account-gating — features locked behind a login, which usually means your data has to land in the cloud for the login to be worth anything.
"Local-first" only rules out the middle one. It says nothing about telemetry. Local-first is necessary for privacy. It isn't sufficient. A tool can keep your files on disk and still phone home every time you open it.
What the popular clients actually send home
You don't have to take anyone's word for any of this. In mid-2025, the popular clients were put through a simple test: open each one, send a single request, and intercept the outbound network traffic to see what else gets sent. The hard numbers below come from that kind of capture, and anyone can reproduce them with a proxy. A year has passed since, so where a tool has moved, I've noted it. Voiden sits at the top of the table because it's the baseline the others are slowly being dragged toward.
| Tool | Where your data lives | Account to use it fully | Telemetry | Readable without the tool? |
|---|---|---|---|---|
| Voiden | Local-first, .void files in your repo | Not required | None collected | Yes, plain Markdown |
| Postman | Cloud-first; git/offline mode added in 2026 | Required to collaborate; free tier is solo-only since early 2026 | On, no opt-out | Export only; new YAML format diffs, but gRPC/WebSocket still don't export |
| Insomnia | Cloud-encouraged; local scratchpad exists | Heavily encouraged; Git sync is paid | On; off only when logged out | Proprietary local format |
| Bruno | Local-first | Not required | On by default, now can be disabled | Plain text, custom .bru markup |
A few specifics, because the details are the point.
Postman is the cloud-first end of the spectrum. In the mid-2025 capture, opening the lightweight client and sending one request produced ten outbound calls to external servers. Some were update checks. Others carried installation details and analytics to Amplitude, plus a 112 KB feature-flag payload from LaunchDarkly. One recorded event was the in-app viewing of an ad. There was no setting to turn telemetry off, and almost all of your data lives in the cloud by design.
A year on, Postman has moved in two directions at once. The rebuilt "new Postman," shipped in April 2026, is built around an AI Agent Mode, and it finally added a Git-native, offline-capable mode with a diffable YAML collection format. That's a real concession to the local-first critique. At the same time, the free tier became solo-only in early 2026, so collaborating with even one teammate now needs a paid plan, and Postman's own published sub-processor notices added a major LLM provider in mid-2026, processing data created through the service. The default still points at the cloud. During a large cloud outage in late 2025, the desktop app stopped working entirely, which is a strange failure mode for something that runs on your laptop.
Insomnia is owned by Kong, and a year ago the tell was in the off switch: logged-out users could disable telemetry, logged-in users could not, and the logged-in stream wasn't anonymous, since it carried a SHA256 hash of your user id. Since then it has leaned further the other way. It now positions itself as an AI-native collaboration platform with native cloud integration. A local scratchpad still works for one collection without a login, and local storage is an option, but Git sync sits behind a paid plan and the center of gravity keeps moving toward the cloud.
Bruno is the one that moved toward privacy, and it deserves credit for it. A year ago its telemetry, a slim operating-system-and-version ping through PostHog, couldn't be turned off, which was the one real mark against an otherwise local-first, no-account tool. Bruno has since added a telemetry toggle in its preferences. It's still on by default, but you can switch it off. The data still lives in a custom .bru markup that needs Bruno to read, but on the exact question this post is about, Bruno listened and shipped the fix.
The direction of travel in 2026 is toward more data leaving your machine, not less. The big platforms are racing to add AI features, and those features need somewhere to send your requests. That's worth holding in view when you're picking a tool you'll trust for years.
If a tool lets you disable telemetry when you're logged out but not when you're logged in, the account was never really about you. It was about the data.
This is architecture, not a checkbox
Notice the pattern. The tools you can't opt out of aren't withholding a setting they forgot to ship. They're built so that data leaving the machine is the default, and the off switch is the exception or doesn't exist at all. Telemetry you can't disable is not a setting. It's a decision the tool already made for you.
That's also why local-first alone doesn't settle the question. For a year, Bruno kept every file on your disk and still couldn't stop reporting home, until it added the off switch. The storage choice and the telemetry choice are separate, and a tool can get one right while leaving the other locked or, as with Postman, offering no switch at all. Where your data lives, what leaves the machine, whether you can read your own collections without the vendor's app installed: none of these are details. They're architecture. You inherit whatever the tool decided before you ever opened it.
What to actually check
If you care about this, here's what's worth doing, whichever tool you land on:
- Intercept your own client once. Point it at a proxy like mitmproxy, Proxyman, or Charles, send one request, and read what else goes out. Ten outbound calls for one API request isn't a hypothetical; it's a number someone measured.
- Check whether telemetry survives logout. An off switch that only works when you're signed out tells you what the tool actually values.
- Prefer a format you can read without the tool. A .bru file needs Bruno. A Postman export needs Postman, and won't carry your gRPC requests at all. Plain JSON or plain Markdown opens in any editor, diffs in any review, and outlives whichever client you happen to use this year.
- Keep your collections in your repo. If your requests, docs, and tests live in Git next to the code, you own them the same way you own the code: no cloud, no account, no export step in between.
- Treat "we don't sell your data" as the floor, not the answer. The real question isn't only what a vendor does with what you send. It's how much you had to send in the first place.
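One way to read the capture from the first check, as an added example that is not code from the original post or from any of the tools discussed: it groups every request that did not go to the host you meant to call. It assumes your proxy exported the session as HAR 1.2; the sample capture and its hostnames are constructed placeholders, not measurements.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture in HAR 1.2 shape; hosts are placeholders, not real measurements.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.staging.example.test/v1/orders", "bodySize": 0},
     "response": {"content": {"size": 512}}},
    {"request": {"method": "POST", "url": "https://analytics.vendor.example/batch", "bodySize": 2048},
     "response": {"content": {"size": 16}}},
    {"request": {"method": "POST", "url": "https://analytics.vendor.example/batch", "bodySize": 1024},
     "response": {"content": {"size": 16}}},
    {"request": {"method": "GET", "url": "https://flags.vendor.example/sdk/eval", "bodySize": -1},
     "response": {"content": {"size": 114688}}},
    {"request": {"method": "GET", "url": "https://updates.vendor.example/latest.yml", "bodySize": 0},
     "response": {"content": {"size": 300}}},
]}})


def unexpected_traffic(har_text, intended_hosts):
    """Group every captured request that did not go to a host you meant to call."""
    intended = {h.lower() for h in intended_hosts}
    report = defaultdict(lambda: {"calls": 0, "sent": 0, "received": 0, "methods": set()})
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if host in intended:
            continue
        row = report[host]
        row["calls"] += 1
        # HAR uses -1 for "unknown size"; count it as 0 rather than subtracting.
        row["sent"] += max(req.get("bodySize", 0), 0)
        row["received"] += max(entry.get("response", {}).get("content", {}).get("size", 0), 0)
        row["methods"].add(req["method"])
    return dict(report)


def summarize(report):
    """Return rows sorted by bytes sent, since uploads matter most for privacy."""
    rows = sorted(report.items(), key=lambda kv: kv[1]["sent"], reverse=True)
    return [(h, r["calls"], r["sent"], r["received"], sorted(r["methods"])) for h, r in rows]


if __name__ == "__main__":
    for host, calls, sent, received, methods in summarize(
            unexpected_traffic(SAMPLE_HAR, ["api.staging.example.test"])):
        print(f"{host:32} calls={calls} sent={sent}B received={received}B {','.join(methods)}")
```

Run it on two captures of the same session, one logged in and one logged out with the telemetry setting off, and compare the host lists to cover the second check as well.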
How we built Voiden around this
Voiden didn't add privacy as a feature later. It was a starting assumption. The question we kept coming back to was a plain one: what if an API tool didn't treat your data as something it was entitled to?
That led to a few decisions that are deliberately hard to walk back:
- Your data is files, on your disk. Every request, test, and doc lives in a plain .void Markdown file in your own Git repo. No cloud copy, no sync step in between.
- No account. There's nothing syncing to our servers, so there's nothing to make you log in for.
- No telemetry. The app doesn't report your usage back to us. Not anonymized, not sampled, not "just for product improvement." It collects nothing.
- Plain Markdown, not a proprietary format. A .void file opens in any text editor, with or without Voiden installed. You can read it, diff it in a pull request, and keep it long after you've stopped using us.
- Open source under Apache 2.0. You don't have to trust our description of what the app does over the network. You can read the code and check.
Transparency here isn't a marketing line. It's the architecture. Hidden behavior is a bug, and a tool you can't inspect is asking for trust it hasn't earned. While the bigger tools spent the past year adding new places to send your data, none of that applied here. There was nothing to add a switch for.
There's an honest tradeoff in this. By choosing to collect no telemetry, we prioritize direct community feedback as our primary driver for development. We find out which features matter the most through issues, GitHub Discussions, and people telling us directly—ensuring our roadmap is shaped by actual user voices rather than background tracking. For a tool that holds your tokens and your unreleased endpoints, we think that's the right trade. If you want to see how the Git-native side works in practice, there's a short video on it: https://youtu.be/fekca2eWLDY.
Wrap-up
Privacy in an API client isn't really about any one vendor being good or bad. It's about how much you're required to hand over before the tool does its job, and whether you can see and stop the rest. Some of the popular clients still collect something you can't switch off, and the direction across the field is to send more, not less. A few collect nothing. That difference is worth thirty seconds with a traffic interceptor before you commit years of saved collections to any of them.
The data your client sends home is, in the end, your data. It's worth knowing where it goes.
Voiden is open source under Apache 2.0. Download it at https://voiden.md/download, or browse the code at https://github.com/VoidenHQ/voiden.