How Legate Studio Protects Your Knowledge
A straightforward account of how your data is stored, who can access it, how you authenticate, and what analytics we run. No vague promises — concrete architecture.
Per-user databases, not shared tables
Each Legate Studio user gets their own SQLite database file, stored on a persistent Fly.io volume. Your data does not share a database with other users — there is no shared table that contains rows from multiple accounts.
This is an intentional architectural decision. Shared multi-tenant databases are efficient for the platform but create a class of risk: a query bug, a misconfigured permission, or an injection vulnerability in one account can affect others. Per-user databases eliminate that class of problem entirely.
A small shared database contains user account metadata (GitHub login, subscription status, profile settings). Your actual knowledge — notes, categories, embeddings, graph data — lives only in your per-user database.
- Every account has its own database file. Your notes never share a table with another user's data.
- Databases are stored on Fly.io's persistent block storage — data survives app restarts and deploys.
- You can download your database file directly from account settings. SQLite is a standard format — use any SQLite browser to inspect it.
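As an added illustration (not Legate Studio's own code), the Python below shows the one step a per-user database design still depends on: the authenticated user id must be validated before it becomes a file name, or the isolation the architecture promises is undone at the path lookup. The volume mount point and the numeric id format are assumptions made for this example.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Assumptions for this illustration only: the Fly.io volume is mounted at
# /data/users and user ids are GitHub's numeric account ids.
VOLUME_ROOT = Path("/data/users")
USER_ID_RE = re.compile(r"[0-9]{1,20}")

class InvalidUserId(ValueError):
    """Raised when an id cannot safely be turned into a file name."""

def user_db_path(user_id: str, root: Path = VOLUME_ROOT) -> Path:
    """Map an authenticated user's id to that user's own SQLite file.

    The id is checked against a strict allow-list before it touches the
    filesystem, so a value such as '../shared' can never select another file.
    """
    if not USER_ID_RE.fullmatch(user_id):
        raise InvalidUserId(f"refusing to build a path from {user_id!r}")
    path = (root / f"{user_id}.sqlite").resolve()
    if path.parent != root.resolve():  # containment check, belt and braces
        raise InvalidUserId("resolved path left the volume root")
    return path

def is_valid_user_id(user_id: str) -> bool:
    try:
        user_db_path(user_id)
        return True
    except InvalidUserId:
        return False

def open_user_db(user_id: str, root: Path = VOLUME_ROOT) -> sqlite3.Connection:
    """Open (creating on first use) only the caller's database file."""
    root.mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(user_db_path(user_id, root))
    conn.execute("CREATE TABLE IF NOT EXISTS notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn

def add_note(user_id: str, body: str, root: Path = VOLUME_ROOT) -> None:
    conn = open_user_db(user_id, root)
    with conn:  # commits on success, rolls back on error
        conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))
    conn.close()

def note_count(user_id: str, root: Path = VOLUME_ROOT) -> int:
    conn = open_user_db(user_id, root)
    try:
        return conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]
    finally:
        conn.close()

def scratch_root() -> Path:
    """A throwaway volume root so the example runs outside Fly.io."""
    return Path(tempfile.mkdtemp(prefix="legate-demo-"))
```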
GitHub OAuth — no passwords to breach
Legate Studio uses GitHub OAuth for authentication. When you log in, you're redirected to GitHub, authenticate there, and GitHub tells us who you are. We never see your GitHub password — it never touches our servers.
We request the minimum OAuth scopes needed to identify you: your public profile (username, name, avatar). We do not request access to your repositories, emails (unless public), or any other GitHub resources.
Sessions are managed using server-side session cookies with a randomly generated secret. Sessions expire and are invalidated on sign-out.
- No passwords stored on our servers. Authentication happens at GitHub — we receive an identity confirmation, nothing more.
- We request only your public GitHub profile. No repo access, no email access, no write permissions of any kind.
- Sessions are server-side with a randomly generated secret key. Cookies are HTTP-only and expire on sign-out.
What we do and don't do with your notes
Your notes are processed through AI models to generate transcriptions, categorizations, and embeddings. That processing requires sending content to an AI API — either Google Gemini via your own key (BYOK) or via our managed account.
We do not use your notes to train models. We do not retain copies of your content beyond what's needed to run the app. We do not read your notes for any purpose other than running the AI pipeline on your behalf.
If you use the BYOK plan, your content goes directly from Legate to Google's Gemini API under your API key — under Google's terms of service, not ours. Review Google's AI terms if you need to understand exactly how they handle API inputs.
If you use the Managed plan, your content goes to Google's Gemini API under our account. We choose Google specifically because they offer data processing agreements and clear data handling policies for API users.
What we store
- Your GitHub profile information (username, name, avatar URL) — for your account
- Your subscription status and billing ID — for payments via Stripe
- Your notes, categories, embeddings, and graph data — in your per-user database
- Your profile settings (display name, bio, accent color) — for your public profile
What we don't store
- Your GitHub password (we never see it)
- Your credit card details (handled entirely by Stripe)
- Your Gemini API key in recoverable form (BYOK plans)
- Audio files after transcription is complete (audio is processed and discarded)
Privacy-first analytics via Plausible
We use Plausible Analytics to understand how the product is used. Plausible is an EU-based, open-source analytics provider that does not use cookies, does not build user profiles, and does not track you across sites.
Plausible counts pageviews and events (button clicks, feature usage) as aggregate numbers — not tied to individual users. We see "100 people visited /features" — not "user X visited /features at 2pm." No IP addresses are stored. No fingerprinting is done.
We do not use Google Analytics, Facebook Pixel, or any other tracking technology. Plausible is the only analytics tool on Legate Studio.
Security questions or concerns
If you discover a security issue, have a question about our data handling, or need to report something, please reach out at hello@legate.studio. We take security reports seriously and will respond promptly.
For general privacy questions, see our Privacy Policy.