Open Source and Trust

The whole codebase is public and MIT-licensed, so you do not have to take any privacy claim on faith.

The strongest privacy guarantee livediagram can offer is that you do not have to trust it blindly. The entire codebase is public and MIT-licensed, so every claim on these pages (where diagrams are stored, what telemetry records, how share passwords work) is something you can verify in the source yourself, or sidestep entirely by running your own copy.

A public, MIT-licensed codebase

livediagram is open source under the MIT license. That is permissive on purpose: anyone may read, fork, modify, embed, or self-host it, for any purpose.

  • Free for everyone. There is no paid tier and no plan to introduce one. Every feature ships to every user.
  • No license checks. Nothing in the core editor calls home to verify a license or gate a feature, which is also what keeps self-hosting honest.
  • Optional, not required, outside services. Sign-in is optional. With it unconfigured, the app runs in pure-guest mode and works fully without any account system.

Because the code is visible to the world, you can audit precisely how your data is handled rather than relying on a privacy policy alone.

No secrets in the source

A public repository has one hard rule: no secret ever lives in the source code. No API keys, no tokens, no passwords, no signing keys: not in code, not in examples, not in tests, and not in history.

Every secret a deployment needs is supplied at runtime through environment variables or the hosting dashboard, never committed. Only values explicitly marked as publishable (such as a public API base URL) are ever included in what ships to the browser. This is what makes a public codebase safe to publish in the first place.

Audit it, or run your own

You have two ways to satisfy yourself about how livediagram treats your data.

  1. Read the code. Follow how a diagram is saved, how access is checked, or what an analytics event contains, all in the open.
  2. Self-host it. Deploy your own instance so the data never leaves infrastructure you control. A self-hoster who wants zero outbound runtime traffic beyond their own hosting can run the guest-only, telemetry-off configuration. See self-hosting.

Whether you use the hosted version or run your own, you get the same feature set. The hosted site is a convenience, not a more capable product.
