Back to Home

Privacy Policy

Last updated: May 2026

1. Who We Are

Laya is an open-source desktop application distributed under the Apache License 2.0. There is no company, hosted service, or data controller behind Laya. The software runs entirely on your machine. Laya's contributors do not operate servers, collect registrations, or maintain accounts on your behalf.

2. Data We Collect

Laya itself collects no personal data from you. There are no Laya-operated servers to receive data, no analytics endpoints, no crash reporters, and no telemetry transmitted to Laya's contributors.

All data that Laya processes — events from connected platforms, action cards, chat messages, embeddings, settings, and logs — is stored locally on your machine in the ~/.laya/ directory. This includes:

3. Data Sent to Third-Party LLM Providers

To classify events, generate action suggestions, power chat, and compute semantic embeddings, Laya transmits portions of your professional data to the LLM and embedding providers you configure. The data transmitted may include email content, messages, issue descriptions, PR diffs, calendar details, team member information, and any content you enter in chat or workspace interfaces.

You choose which providers receive your data. Laya supports fully local models (Ollama, LM Studio, any OpenAI-compatible local endpoint) where no data leaves your machine. If you configure cloud providers (Anthropic, OpenAI, Google, OpenRouter), your data is subject to those providers' privacy policies and data-processing terms.

Local-first recommended. When using self-hosted models, your data does not leave your machine or local network via Laya. This is the recommended configuration for sensitive data.

4. Platform Integrations

Laya connects to third-party platforms (Gmail, Slack, Jira, GitHub, Bitbucket, Calendar, Outlook, Linear, Notion, and others) using credentials you provide (OAuth tokens or API keys). These connections operate under your identity on each platform. Laya ingests events from these platforms and, with your approval, can execute actions on your behalf.

Credentials are stored in your operating system's secure credential store (macOS Keychain, Windows Credential Manager, or Linux Secret Service) and are never stored in plain text by Laya.

5. MCP Server

Laya exposes a Model Context Protocol (MCP) server on http://127.0.0.1:8420/mcp/sse while running. This local-only endpoint allows MCP-compatible clients (Claude Desktop, Cursor, VS Code, and others) to query your cards, events, entities, and execute actions through Laya.

The MCP server is bound to localhost (127.0.0.1) only and is not accessible from the network. Access is controlled via bearer token authentication (configurable in Settings → MCP) and tool scope toggles that let you restrict which capabilities are exposed. No data is transmitted externally by the MCP server itself.

6. Telemetry & Analytics

Laya does not collect, transmit, or share any usage analytics, telemetry, crash reports, or diagnostic data with Laya's contributors or any third party. Dashboard metrics (event counts, cost estimates) are computed and stored locally.

Laya bundles third-party components (ChromaDB, n8n, sentence-transformers, HuggingFace Hub client) that may emit anonymous telemetry to their respective maintainers. Laya makes a best-effort attempt to disable all such telemetry via documented opt-out flags at startup, but this cannot be guaranteed across all versions of all dependencies.

7. Cookies & Tracking

Laya is a desktop application. It does not use cookies, web beacons, tracking pixels, or any browser-based tracking technology. The only browser storage Laya uses is localStorage within its own embedded webview for UI preferences (theme, font size, tab state). This data never leaves your machine.

8. Data Retention & Deletion

All data is stored locally and you have full control over retention. You can configure automatic retention periods in Settings → Data (card retention, chat history retention, audit log retention). You can also export or delete all data at any time.

To completely remove all Laya data from your system, delete the ~/.laya/ directory. To revoke platform access, remove the corresponding connections in Settings and revoke OAuth grants on each platform's own settings page.

9. Children's Privacy

Laya is a professional productivity tool and is not directed at children under 16. By using Laya you represent that you are at least the age of majority in your jurisdiction.

10. Your Rights

Because Laya is local-first and Laya's contributors do not hold any of your data, there is no data controller to whom you need to submit access, rectification, or deletion requests. You can inspect, modify, export, or delete all data directly on your machine at any time. For data sent to third-party LLM or platform providers, your rights are governed by those providers' privacy policies.

11. Changes to This Policy

This privacy policy may be updated with new releases of Laya. The "Last updated" date at the top reflects the current version. Material changes will be noted in release notes.

12. Contact

Laya is an open-source project. For privacy-related questions, open an issue on the GitHub repository or contact the maintainer directly.