Privacy Policy

Obsydian Lab is a local-first, sovereign desktop application. Your source code, project files, AI conversations and command history live on your own computer. We do not upload, proxy, store or train on your code. This policy explains the limited data we do handle — essentially your account and your subscription — and the choices you control.

• Your code never leaves your machine. With your own provider keys, requests go directly from your computer to that provider — we never see or relay them.
• Sovereign Mode runs the entire editor against local models with networking off.
• We collect the minimum needed to run accounts, licensing and billing — nothing more.

We limit collection to what is necessary to provide the service:

• Account data. When you sign in with Google via our authentication provider (Supabase), we receive your name, email address and avatar URL to create and identify your account.
• Subscription & billing data. Payments are processed by our merchant of record, Lemon Squeezy. Lemon Squeezy handles your card details; we receive subscription status, plan, invoices and the country/tax information required to bill you. We never see or store full card numbers.
• License & activation data. The license key tied to your subscription, and minimal activation metadata required to validate it (which may be checked offline).
• Included-AI usage metering. If you use our bundled Obsydian Turbo/Apex engines, we count token usage to enforce your plan quota. This metering records volume, not the contents of your prompts or code.
• Support communications. Messages you send us via the contact form or email, so we can reply.

We do not collect your source code, file contents, repository data, or the contents of BYOK requests.

• To create and secure your account and authenticate you.
• To process subscriptions, renewals, invoices and refunds.
• To issue and validate license keys and enforce included-AI quotas.
• To provide support and respond to your messages.
• To meet legal, tax and accounting obligations.

When you bring your own provider keys (BYOK), those credentials are stored in a local vault on your device. AI requests made with them travel directly from your machine to the provider you chose; Obsydian Lab does not act as a proxy and never logs, inspects or retains those requests or responses. In Sovereign Mode, the editor uses local models only and makes no outbound network calls for AI at all.

We share the limited data above only with processors that help us run the service:

• Supabase — authentication and account storage.
• Lemon Squeezy — merchant of record for payments, taxes and invoicing.
• Hosting/CDN providers — to serve this website and software updates.

Each processor is bound to handle data only on our instructions and to protect it appropriately.

We keep account and billing records for as long as your account is active and as long as required for legal, tax and accounting purposes. You may request deletion of your account at any time; we will remove personal data we are not legally required to retain.

Depending on where you live, you may have rights to access, correct, export or delete your personal data, and to object to or restrict certain processing. To exercise any of these, email privacy@obsydianlab.com and we will respond within the time required by applicable law.

We use encryption in transit, scoped access controls and reputable processors. No system is perfectly secure, but our local-first architecture means the most sensitive thing — your code — is never in our custody to begin with.

Obsydian Lab is intended for professional developers and is not directed to children under 16. We do not knowingly collect data from children.

We may update this policy as the product evolves. Material changes will be reflected by the "last updated" date above and, where appropriate, announced in-app or by email.

Questions about privacy? Email privacy@obsydianlab.com or use our contact page.