Raycast
The host behind a shared Raycast extension. Raycast holds a thin slice of you — your account details, and (only if you turn it on) the bits its cloud features sync. The decision that actually sets your exposure is made when you publish: list an extension on the public Store and its full source goes into a public GitHub repo for anyone to read and copy; publish it to your Organization's private store instead and only your teammates ever see it. There's no middle setting.
Last verified: 2026-06-07 · Confidence: high on the public-Store-is-open-source split, the no-training / no-prompt-retention AI stance, and US-primary hosting (all from Raycast's own docs); the soft spot is data residency — Raycast names "contractual protections" for EU/UK transfers but doesn't spell out Standard Contractual Clauses, and there's no EU region.
What it holds about you, and who can see it
Raycast keeps less than most hosts here, because most of your extension's work happens on your own machine. What it does hold splits into a few buckets: [confirmed]
- Your account, always. "If you create an account, we will collect the information needed to authenticate your access to the Service, including your name, username, email address and password," plus payment details if you pay. [confirmed]
- Usage data, automatically. Raycast "collect[s] Personal Data about you automatically when you use our Service," used for "data analysis, identifying usage trends, improving the content and functionality of the Service" — the standard product-telemetry bucket. [confirmed]
- Cloud Sync data — only on Pro, only if you enable it. "When you enable the Cloud Sync feature in our Pro plan, Raycast will store the information to allow the synchronising process." Off by default; nothing syncs to Raycast's servers unless you switch it on. [confirmed]
- Your extension's own data stays local. An extension's reads and writes go to "the local encrypted database" on your machine, walled off so "data... can only be accessed by the corresponding extension" — it isn't shipped to Raycast. [confirmed]
The publish choice is the one that decides who else sees your code — covered under "Who can get in" below.
Does it train AI on your prompts?
If your extension uses Raycast AI, this is the reassuring part — and it's stated plainly: [confirmed]
- No training, no logging. "Your data is not used to train AI models," and "we do not log or retain any user prompts." Raycast processes a prompt "momentarily, solely for the purpose of transmitting this information to the relevant AI provider." [confirmed]
- The providers can't train on it either. "When using Raycast AI (not BYOK), our agreements with providers prohibit them from using any AI interactions to train their models." [confirmed]
- Voice stays off the record too. "Your voice is never used to train AI models, and we don't store your audio or transcriptions on our servers" — audio goes to a speech-to-text partner "solely to produce a transcription, and isn't retained on Raycast servers." [confirmed]
- Bring-your-own-key shifts the relationship: "Custom API keys are stored locally on the user's computer, not in our backend. When using BYOK, you maintain the contractual relationship with the AI provider" — so that provider's own training/retention terms apply, not Raycast's. [confirmed]
The Terms say the same in legal language: Raycast "does not retain or store Inputs once Outputs have been generated, nor does Raycast use Inputs to train, tune or customise its models." [confirmed]
How long they keep it, and can you delete it
- Kept only while needed. Raycast stores Personal Data "until it is no longer necessary to provide the Service or until your account is deleted – whichever comes first," and then "we will delete or anonymise it." [confirmed]
- No published countdown. Raycast doesn't name a fixed deletion window (the "30 days after account deletion" some hosts promise) — the docs say it deletes or anonymises but not by when. [unclear] (privacy policy gives the trigger, not a timeframe — checked 2026-06-07)
- A published extension is a different story. Once it's in the public raycast/extensions repo it's MIT-licensed and forkable; anyone who copied it keeps their copy whatever you later delete from your account. [estimate]
Who can get in (the publish choice)
This is the lever that matters, and you pull it once, at publish time: [confirmed]
- Public Store = fully open source. "All extensions are open source so the current source code can be inspected at all times. Before an extension gets merged into the public repository, members from Raycast and the community collaboratively review extensions." Listing on the Store means your code lands in the public raycast/extensions GitHub repo under the MIT licence — readable and copyable by anyone, forever. [confirmed]
- Organization (Teams) = private to your org. With an Organization, you "build, share and discover extensions in a private store that is only accessible to members of your organization"; npm run publish puts it "to your private extension store, where the extension is only accessible to members of your organization." The source never enters the public repo. [confirmed]
- No quiet personal-only middle ground. You can run an unpublished extension locally yourself, but to share it you choose public Store or a private Organization store — there isn't a "share with these three named people" rung short of the org. [estimate]
Which rungs it can hold: public (Store) or org-only (Organization private store); local-only on your own machine if you never publish — see Who can see it?.
Handing data to the host: Raycast holds little — account details, opt-in Cloud Sync, momentary AI prompts it doesn't train on or retain. The exposure that matters is your code, and you set that with the public-vs-org publish choice above. See Raycast in Can you trust the company?.
What a Pro or Organization plan changes
- Pro is a personal upgrade: it unlocks Raycast AI and Cloud Sync (the only feature that stores your settings on Raycast's servers, and only when you turn it on). It doesn't change the training or retention stance above — those apply on every tier. [confirmed]
- Organization (Teams) is the one that changes sharing: it gives you the private extension store, so your team can install internal extensions whose source never touches the public repo. [confirmed]
- No public enterprise DPA or signed-agreement page turned up in Raycast's docs (checked 2026-06-07) — a compliance reviewer wanting a Data Processing Agreement or a named sub-processor list would have to ask Raycast directly. [unclear]
For an individual sharing a handy extension, the free tier plus a public Store listing is the whole story. Reach for an Organization when the extension is internal and the code shouldn't leave the team.
Where your data lives (matters under GDPR)
- US-primary, no region choice. "We store your Personal Data primarily on servers in the United States," and Raycast "may also transfer Personal Data to our service providers in the United States and in other jurisdictions." There's no EU/UK data-residency option on any tier. [confirmed]
- EU/UK transfers covered, but loosely named. For data leaving the EEA/UK, Raycast says it relies "on an EU Commission or UK government adequacy decision/regulation... or on contractual protections for the transfer" — it doesn't spell out Standard Contractual Clauses by name. [confirmed] (the safeguard is named only as "contractual protections" — checked 2026-06-07)
The short version: fine for a public extension or an internal team tool in the everyday case, even with EU/UK users — your code is the only sizeable thing involved, and you control whether that's public. If a grant or DPA forbids personal data leaving the EU/UK, Raycast has no EU region to satisfy that.
Sources
- Raycast Privacy Policy — account/usage data collected, Cloud Sync (Pro) storage, retention trigger, US-primary hosting, EU/UK transfer safeguards (§1, §2, §4)
- Raycast AI Privacy & Security — no training on user data, no prompt logging, provider no-training agreements, voice not stored, BYOK key stored locally
- Raycast Terms of Service — Inputs not retained or used to train/tune models (§VIII), User Content ownership and licence (§IV)
- Raycast API — Security — public Store extensions open source and reviewed, local encrypted database, per-extension isolation
- Raycast for Teams — Getting Started and Publish a Private Extension — private store visible only to organization members
- raycast/extensions on GitHub (MIT licence) — the public, MIT-licensed repository every Store extension lands in