The Autonomy Ladder

blincr's rule: you are as autonomous as you can be, until you can't. blincr.com only enters where local action genuinely cannot go — checking a trail before it reaches another person, or running a watcher while your browser is closed. Everything else stays in your browser by default.

Rung What you can do Where it runs Account needed? blincr.com's role
L0 — Local Annotate the web, build trails, create and run blincrs (page watchers) Your browser only No None — nothing leaves your device
L1 — Backup Store a raw trail in the cloud Cloud, unchecked Yes Storage only. Not shareable yet
L2 — Share Send a trail to another person Cloud, checked Yes Safety check: scans every URL in the trail for malicious sites before it can be shared — you connect to another person through blincr, and blincr looks out for both of you
L3 — Always-on Cron watchers, alert webhooks, agent handoff Cloud Yes Managed infrastructure — checks run 24/7, even with your laptop closed

Why this order

  • Privacy by default. Local-only (L0) data never touches our servers — nothing to leak, nothing to hold under GDPR, nothing for us to see. See Privacy for the full data ledger.
  • Sharing is the one place blincr must look. The moment a trail is meant for someone else, blincr checks every page it visits against Google Web Risk — malware, phishing, unwanted software — before a share link is created, via gpn-webrisk-worker, the fleet's shared gateway to that API. That check is the entire reason blincr.com exists in the flow. A trail you keep to yourself is never scanned. If a page is flagged, sharing is blocked with the specific page named, so you can remove it and try again; if the check itself fails (network, API outage), sharing is blocked too — a safety gate that quietly lets things through on error isn't a gate.
  • Always-on is opt-in, not default. Running in your own browser is free, private, and sufficient for most watchers. blincr.com's 24/7 cron is there when you need reliability more than privacy — you choose, every time, before a watcher is created.

Where this shows up

  • "Blincr this element" (the extension's page-watcher picker) asks "Run where?" on every watcher: "In this browser (private, only while open)" or "On blincr.com (24/7, needs sign-in)" — with the trade-off spelled out underneath, not hidden in a settings page.
  • Local blincrs (no account) live in the extension popup's Trails tab. Each one can be paused, deleted, or moved to blincr.com later with one click — nothing is one-way.
  • Trails show a sync badge (local / synced / modified) in the extension's trail library so it's always visible whether a trail has left your browser.

For agent/automation authors

If you're building on top of blincr (MCP client, webhook consumer, Cowork plugin), the ladder tells you what to expect from each surface:

  • Local blincrs and unpublished (L0/L1) trails are not visible to the server API or the MCP tools — by design, the server cannot read what it was never given.
  • get_trail (MCP) and GET /api/user/trails/:id/bundle only serve plaintext cloud tiers (t3 / t3_self) — see docs/trail-bundle.md.
  • The blincr.alert webhook (see docs/trail-bundle.md § "Recipe: alert → agent handoff") only fires for L3 watchers — a local blincr has no server side to dispatch from.