Data Sharing
Last updated:
Mermaid Studio collects usage data to help improve the plugin. This data can distinguish one user’s activity from another, but cannot identify who you are.
Data sharing settings can be changed at any time in Settings > Tools > Mermaid Studio > Data Sharing.
| Release Channel | Default Behavior |
|---|---|
| Stable | Opt-in (disabled by default) |
| Early Access | Opt-out (enabled by default) |
Early Access builds enable data sharing by default to help identify issues before stable releases. You can disable it at any time through settings.
Configuring Data Sharing
Section titled “Configuring Data Sharing”Usage Statistics
Section titled “Usage Statistics”When enabled, Mermaid Studio sends usage data about how you use the plugin. This helps identify popular features, discover issues, and prioritize development.
To enable or disable usage statistics:
- Open Settings > Tools > Mermaid Studio > Data Sharing
- Check or uncheck Send usage statistics
Product Surveys
Section titled “Product Surveys”When enabled, you may occasionally see in-product surveys asking for feedback. Survey participation is separate from usage statistics—you can enable one without the other.
To enable or disable surveys:
- Open Settings > Tools > Mermaid Studio > Data Sharing
- Check or uncheck Participate in product surveys
What Data Is Collected
Section titled “What Data Is Collected”Usage Statistics
Section titled “Usage Statistics”Every event includes basic metadata:
| Data | Example |
|---|---|
| Plugin version | 2026.1.1 |
| IDE name | IntelliJ IDEA Ultimate |
| IDE version | 2025.3 |
| Operating system | Mac OS X 14.0 |
| Architecture | aarch64 |
Some examples of collected usage events:
- Diagram activity: When diagrams are opened, closed, exported, or printed
- Diagram types: Which diagram types are used (flowchart, sequence, etc.)
- Feature usage: Code completion (not including completed values), color picker, structure view, preview navigation
- Export formats: PNG vs SVG, file vs clipboard
- Plugin upgrades: Version transitions to understand upgrade paths
Survey Responses
Section titled “Survey Responses”If you participate in surveys, your responses are collected separately from usage statistics. Surveys may include rating scales, multiple choice questions, or open-ended feedback.
What Data Is NOT Collected
Section titled “What Data Is NOT Collected”Mermaid Studio does not collect:
- Diagram content or source code
- File names or project names (only non-reversible hashes)
- Personal information
- Credentials or API keys
- Any content you create
Privacy Safeguards
Section titled “Privacy Safeguards”Data Classification
Section titled “Data Classification”Device identifiers allow us to correlate events from the same user (e.g., to understand feature adoption over time), but we have no way to attribute this data to a known individual.
Under GDPR, whether data qualifies as “anonymous” or “pseudonymous” depends on whether the party holding the data can reasonably re-identify individuals. Because we never have access to your local salt, we cannot reverse the hashed identifiers—the data is effectively anonymous in our hands. However, the hashed identifiers can still single out a particular user’s activity patterns, which introduces some risk of re-identification through correlation.
We take a conservative compliance approach: we treat this data as if it were pseudonymous personal data under GDPR, requiring explicit opt-in consent before collecting any usage statistics.
Data Anonymization
Section titled “Data Anonymization”All potentially identifying information is hashed with a locally-generated salt before transmission:
| Data | Method |
|---|---|
| Device ID | SHA-256 hash with local salt |
| Project names | SHA-256 hash with local salt (12-char truncated) |
| File paths | SHA-256 hash with local salt (12-char truncated) |
| File extensions | Allowlist only (mmd, mermaid, md) |
The local salt is generated once per local device user and stored locally. Because we never have access to your salt, we cannot reverse these hashes to recover the original values.
Schema-Based Collection
Section titled “Schema-Based Collection”All usage data is recorded using strictly defined schemas with enumerated values. This means we can only collect predefined categories of information—there is no mechanism to capture arbitrary or free-form data from usage statistics.
The only exception is open-ended survey questions, where you may optionally provide written feedback. Please avoid including any personal or sensitive information in survey responses.
Separate Identifiers
Section titled “Separate Identifiers”For privacy compliance (GDPR/CCPA), Mermaid Studio uses two separate device identifiers:
- Analytics ID: Used for usage statistics
- Survey ID: Used for survey responses
These identifiers cannot be correlated, minimizing the risk of re-identification if a user inadvertently includes identifying information in a survey response.
Local Salt
Section titled “Local Salt”The salt used for hashing is generated once per machine using a cryptographically secure random number generator and stored locally. The salt is never transmitted.
This design ensures:
- Irreversibility: Without your salt, we cannot reverse hashes to recover original values
- Consistency: The same value on the same machine always produces the same hash, enabling event correlation
- Isolation: Different machines have different salts, preventing cross-machine correlation
Consent States
Section titled “Consent States”Data sharing has three states:
| State | Usage Statistics | Surveys |
|---|---|---|
| Undecided | No data sent | No surveys |
| Opted In | Events tracked | Surveys appear |
| Opted Out | No data sent | No surveys |
Consent is tracked separately for:
- Data type: Usage statistics and surveys have independent consent
- Release channel: EAP and stable releases maintain independent consent states
- IDE installation: Each IDE installation tracks consent separately (e.g., IntelliJ IDEA and PyCharm have their own settings)
- Machine: Consent is not synced across devices
Viewing Collected Data
Section titled “Viewing Collected Data”Local Event Log
Section titled “Local Event Log”For full transparency, all analytics events are logged locally on your device before being sent to PostHog. You can inspect these log files at any time to see exactly what data is being collected.
Log file locations by operating system
| Operating System | Location |
|---|---|
| Windows | %LOCALAPPDATA%\JetBrains\<IDE>\system\mermaid-studio\analytics-log\ |
| macOS | ~/Library/Application Support/JetBrains/<IDE>/system/mermaid-studio/analytics-log/ |
| Linux | ~/.local/share/JetBrains/<IDE>/system/mermaid-studio/analytics-log/ |
Where <IDE> is your IDE name and version (e.g., IntelliJIdea2025.3).
Log files contain JSON-formatted events, one per line:
{"timestamp":"2026-01-29T15:30:45Z","event":"diagram_opened","distinct_id":"a1b2...","properties":{...}}Log management:
- Rotation: New file created when current file exceeds 200 KB
- Retention: Files older than 7 days are automatically deleted
- Privacy: No events are logged when data sharing is disabled
Device Identifiers
Section titled “Device Identifiers”Device identifiers are stored in the Tachi Labs shared directory:
Identifier file locations by operating system
| Operating System | Location |
|---|---|
| Windows | %APPDATA%\TachiLabs\ |
| macOS | ~/Library/Application Support/TachiLabs/ |
| Linux | ~/.local/share/TachiLabs/ |
Files in this directory:
PermanentDeviceId— Analytics device identifierPermanentSurveyDeviceId— Survey device identifier
Compliance
Section titled “Compliance”Mermaid Studio’s data collection is designed for GDPR and CCPA compliance:
- Conservative classification: We treat collected data as pseudonymous personal data under GDPR, even though we cannot reverse hashed identifiers
- Explicit consent: Data sharing requires opt-in
- Data minimization: Only essential data is collected
- Hashing: Device identifiers are hashed before transmission
- Separation: Analytics and survey data use separate identifiers that cannot be correlated
- User control: Opt out at any time through settings
Data Subject Requests
Section titled “Data Subject Requests”Because we cannot attribute collected data to a specific individual, we are unable to honor data retrieval or deletion requests under GDPR (right of access, right to erasure) or similar regulations.
This is a direct consequence of our privacy-preserving design:
- We do not collect names, email addresses, or other identifying information
- Device identifiers are hashed before transmission, and we do not have access to your local salt
- There is no account system linking your identity to collected data
If you wish to stop future data collection, you can opt out at any time through settings. Deleting the local device identifier files will cause new identifiers to be generated, effectively unlinking any future activity from past data.
Data Processors
Section titled “Data Processors”The following third-party services process data on our behalf:
| Processor | Purpose | Data Center Location |
|---|---|---|
| PostHog Cloud EU | Product analytics, surveys | EU (Frankfurt) |
| Cloudflare | CDN, DDoS protection, reverse proxy infrastructure | Global (nearest edge) |
For more information, see our Privacy Policy.