Why?
I started PathForge a couple of weeks ago, on a passing thought. Most note-taking apps on the market are basically a single page where you write your reflections and diary entries. Or they're flowchart frameworks wrapped in restrictions — including paywalls just to access basic features.
What I find most painful is that some note apps and memo tools don't let you bulk-copy or directly export your own files. This bothers me a lot. The data is mine. Why is the sunk cost of leaving so high?
So I wanted to build a visual tool that shows where you are at each stage and what you've done — including the inner journey. It should feel like an exploration game, where every node is a footprint. Which direction you walk in is entirely up to you.
At the same time, plain boxes and text-style memos are also a real need. So I combined three modes into one — use whichever you want, when you want. You can export files or export your data freely, including taking it elsewhere.
The promise?
If you use PathForge and decide to leave, I provide one-click export of all your data as JSON and Markdown. If it ever breaks, message me and I'll fix it immediately. Delete your account with one click, and all your data is wiped. The contents of your account belong to you — without your permission, no one can view them.
You can bring your own API key and bypass me entirely. The cost of your AI conversations is fully in your hands. I provide the integration, the chat window, and the features — at no charge.
Where is your data, actually?
Your canvas and your notes are stored in your own browser first, then asynchronously synced to the cloud. This isn't a toggle. It's the default.
I did this because I wanted "it's yours" to be a physical fact, not a slogan. If the server goes down, you keep working. If you're offline, you keep working. If PathForge shuts down one day, you can still open your own data — as long as you have a local backup. So I added a button in settings: one click downloads everything as a zip, containing a standalone HTML viewer. Double-click to read it. My server doesn't need to exist.
You can verify this yourself. Press F12 to open DevTools, go to Application → Local Storage → path-forge.uk. You'll see keys like pathforge_journeys_index, pathforge_journey_<uuid>, pathforge_notes_index, pathforge_note_<uuid>. That's your data, in plain text (or in ciphertext once you enable encryption), yours to copy out at any time. Now try disconnecting your network and keep using the canvas — everything still works, and it syncs back when you reconnect.
The cloud has no exclusive claim on your data. It's just a sync pipe.
On privacy I need to be more precise, because different kinds of data travel on different trust paths. Lumping them together would mislead you — and honestly, it would mislead me too.
Layer 1 — notes and canvases: real end-to-end encryption. Once you enable encryption in settings, your note bodies and your canvas node/edge payloads are encrypted on your device with AES-256-GCM before they're ever sent to Supabase. The key is derived from your password via PBKDF2 and lives only in your browser. What I receive is ciphertext I cannot open — even if the database were dumped, even if I wanted to misbehave, I cannot read it. That is a cryptographic guarantee, not a trust promise. If you forget your password I cannot help you recover it — that's the cost of E2E, and also why it's real.
There's a bit of history worth keeping here, because "we admitted a problem and then fixed it" is a trail I don't want to erase. In Phase 2.8, I wrote on this page that I owed you a disclosure: the title field of encrypted canvases was still stored in plaintext on Supabase, and only the node and edge payloads were encrypted. It was a scope limitation, not a bug — closing it required a database schema change. Phase 2.9 closed it. The title of an encrypted canvas is now also AES-256-GCM encrypted on your device before it's ever sent to Supabase, and each title ciphertext is bound to its own canvas UUID via AAD (additional authenticated data) — which means that even if someone had Supabase write access, they could not move a title ciphertext from canvas A onto canvas B, because decryption would fail the integrity check. So Layer 1's "real end-to-end" statement is now true for titles, nodes, and edges — no exceptions. You can verify this yourself in the Supabase table editor: for an encrypted canvas, the `title` column is NULL and the `title_encrypted` column holds a base64 blob.
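The Layer 1 scheme described above (a password-derived key, AES-256-GCM, and a title ciphertext bound to its canvas UUID through AAD), as an added example that is not PathForge's own code. It uses Node's built-in crypto module in place of the browser's WebCrypto; the PBKDF2 parameters, the blob layout, the function names and the sample values are assumptions.

```javascript
// Added example, not PathForge's code. Node's crypto stands in for WebCrypto.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");
// Assumed parameters (not stated on the page): PBKDF2-HMAC-SHA-256, 600,000
// iterations, 12-byte IV, and a blob laid out as base64(iv || tag || ciphertext).
const PBKDF2_ITERATIONS = 600000;

function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, "sha256");
}

// Encrypt a title; the canvas UUID is authenticated as AAD but not stored in the blob.
function encryptTitle(key, canvasId, title) {
  const iv = nodeCrypto.randomBytes(12); // fresh IV for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(canvasId, "utf8"));
  const ct = Buffer.concat([cipher.update(title, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Returns the title, or null when the GCM tag fails to verify: wrong key,
// altered blob, or a blob read from a row with a different canvas UUID.
function decryptTitle(key, canvasId, blob) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < 28) return null; // cannot hold a 12-byte IV and 16-byte tag
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(canvasId, "utf8"));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const pt = [decipher.update(raw.subarray(28)), decipher.final()];
    return Buffer.concat(pt).toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample: one title blob read back from its own row and from another.
function demo() {
  const key = deriveKey("correct horse battery staple", Buffer.alloc(16, 7));
  const canvasA = "11111111-1111-4111-8111-111111111111"; // constructed UUIDs
  const canvasB = "22222222-2222-4222-8222-222222222222";
  const blob = encryptTitle(key, canvasA, "Q3 plan");
  return {
    inOwnRow: decryptTitle(key, canvasA, blob),
    movedToB: decryptTitle(key, canvasB, blob),
  };
}
console.log(demo());
```

In the browser the same binding is expressed by passing the UUID as `additionalData` in the AES-GCM parameters of `crypto.subtle.encrypt` and `crypto.subtle.decrypt`.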
Layer 2 — AI chat: local only, plus a trust promise. Your AI chat history lives entirely in your own browser (the pf_chat_sessions key in localStorage) and has never touched PathForge's database. But the moment you hit send, your message passes through my /api/chat route on its way to the upstream model provider (OpenRouter, Anthropic, DeepSeek, and so on). That forwarding happens in Vercel's Edge runtime, which means your message briefly exists in my runtime memory during the streaming window. My promise is: I don't log it, I don't persist it, I don't share it with any third party. That is my promise to you. I have to be honest about what it is, though: it's a trust promise, not a cryptographic guarantee. If you don't want to trust even that in-memory forwarding step, bind your own API key in settings (BYOK) — your messages then go directly from your browser to the model provider, bypassing me entirely.
Layer 3 — upstream model providers. Once your message reaches OpenRouter, Anthropic, DeepSeek, or whichever provider you picked, their own log retention, their own training-data policy, and how long they keep requests are all outside PathForge's control. Using them is agreeing to their terms. All I can do is name the path honestly — I can't make promises on their behalf. To minimize exposure at this layer, prefer providers whose policy pages explicitly state "zero data retention" or "not used for training."
Runtime logs: the /api/chat route keeps at most 7 days of metadata — which model was called, how many tokens were returned, and a truncated SHA-256 hash of the user ID (the first 8 hex chars). No message content, no chat history, nothing that can be reversed back into you. Only I can read these logs, and they're used for debugging and billing reconciliation. After 7 days they roll over automatically.
About that canvas "🔒 Encrypt Data" button — I owe you an apology. When it first shipped, it was actually misleading. The code only encrypted a local copy in your browser while the data going to the backend stayed plaintext. I didn't realize it myself. It wasn't until recently, when I was going through the encryption code again, that I spotted the gap. That moment was uncomfortable, because this very page already claimed "nobody can see your data without your permission," and strictly speaking that wasn't true. So I spent a few days rewriting the entire encryption layer into what you see above as Layer 1. The old local-only path is deprecated; if your browser still holds old data, the next time you open the canvas it will be migrated automatically to the new mechanism.
About subscriptions?
There are no subscriptions and no information-asymmetry markup.
The credit model exists for people who want to use these AI models but don't yet have access to them. But my budget as one person is limited, so the seats are limited. If you're a heavy user, I strongly recommend using your own API key.
PathForge's operating and maintenance costs come out of my other income. This is a tool I built. I don't expect it to make money. I expect it to be used by people who need it. I hope it helps you.
Who am I?
I'm someone who loves to build things myself, and I have a strong distaste for restrictions. At any moment, a person should have the rights and responsibilities over what they produce.
I don't accept PRs — I maintain this alone, while continuing to improve the program.
When will this change?
Every stage has its own purpose and mindset, but the core has always been a dream from childhood. If this product can spread and be cared for and run better than I can do alone, then I'll hand it over, and start my own next stage.