Mountain Meadow Systems
  • Studio
    • Overview
    • Workflow
    • Instruments
    • Support
    • Privacy
    • Privacy Choices
    • Terms
  • Margot
  • Projects
  • Writing
  • Contact
App Store Soon

Studio Privacy Policy

Effective date: July 17, 2026

Overview

Studio is a native macOS creative production workspace by Mountain Meadow Systems. Studio is local-first, but features that a user deliberately starts can send selected content to third-party AI providers or, for certain reference-frame workflows, through Mountain Meadow Systems' temporary reference-media relay.

This policy describes those data flows, their purposes, the controls available to users, and the limits of Mountain Meadow Systems' control over third-party providers.

Local Projects And Credentials

Studio stores projects locally in user-selected .studio packages. A package can contain project metadata, imported media, generated outputs, captions, transcripts, exports, cache files, prompts, provider jobs, provider request and response snapshots, logs, timelines, and related project state.

Provider API keys are supplied by the user and are intended to be stored in the macOS Keychain. Mountain Meadow Systems does not receive those keys through this website or the reference-media relay. Users can remove keys in Studio or Keychain and can delete local projects from their Mac.

AI Providers

When a user starts a provider-backed feature, Studio sends the prompt, script, dialogue, settings, selected project context, and selected image, video, or audio inputs needed for that request to the chosen provider. Current integrations can include OpenRouter and an upstream model provider selected through OpenRouter, and ElevenLabs for supported speech, dialogue, transcription, voice, and audio workflows.

As of the effective date, OpenRouter account controls for provider training, publication, and related data sharing are disabled. Universal Zero Data Retention enforcement is not enabled because the current video route requires endpoints that would be unavailable under that restriction; individual requests can therefore be subject to provider retention. The current ElevenLabs Starter account exposes no Zero Retention Mode control, so Studio does not treat ElevenLabs requests as zero-retention. Studio uses request-level privacy settings only when the endpoint and account support them.

Provider accounts, request metadata, content history, training choices, moderation records, backups, and deletion are governed by the selected provider's current policies, endpoint terms, upstream provider, and account settings. Deleting Studio-controlled relay data or a local project does not delete provider-held data.

Temporary Reference-Media Relay

Some First Frame and Last Frame video workflows require an HTTPS URL that the selected AI provider can fetch. After the user's first affirmative confirmation, Studio may send the selected reference frames to media.mountainmeadowsystems.com. The relay creates a temporary provider-accessible URL and is not AI compute, a credit system, advertising, or Studio-owned analytics.

For authorization, Studio sends an Apple-signed AppTransaction proof plus app version, build, bundle, channel, and platform metadata. The relay verifies the signed proof in memory. It does not store the raw proof, a full App Store receipt, provider keys, original filenames, local paths, prompts, raw IP addresses, upload tokens, media capabilities, or delete tokens. It stores keyed digests and a keyed pseudonymous subject derived from the verified AppTransaction identifier.

The relay processes the request IP address in memory for rate limiting and stores only short-lived keyed network buckets. Access logging is disabled for the versioned relay routes. Sanitized security events contain bounded event type, reason, status, environment, byte-range category, and keyed network-bucket data; they exclude request content and secrets.

Relay Retention And Deletion

  • An upload token is valid for one hour.
  • Reference media becomes unavailable after no more than six hours and is physically removed by cleanup scheduled every fifteen minutes. An explicit delete or permission reset can remove active media earlier.
  • Expired or revoked token rows are removed no later than 24 hours after token expiry.
  • Keyed rate-limit buckets are removed after two hours.
  • Sanitized security events are removed after 14 days.
  • An inactive keyed pseudonymous subject is removed after 30 days.

Mountain Meadow Systems does not create separate application-level backups of relay media or the versioned relay database. Infrastructure backups, if enabled by the hosting provider, are governed by that provider's account configuration and retention schedule; deletion from an active system may not immediately remove an existing infrastructure backup copy.

Consent And Privacy Choices

Studio asks before the first relay-backed reference-frame transfer and remembers the choice locally for the disclosed recipients, data, purpose, and retention terms. Canceling the confirmation prevents the relay and provider transfer. Choosing Reset AI & Relay Permissions in Studio Settings > Privacy blocks future applicable transfers until the user confirms again and starts a best-effort request to revoke active relay tokens and delete active Studio-controlled relay media.

See Studio Privacy Choices for local deletion, relay permission reset, provider-account deletion, and contact options.

Apple And Subscriptions

Apple processes Mac App Store downloads, subscription purchases, billing, refunds, and subscription management under Apple's terms and privacy policy. Studio uses StoreKit transaction information locally to determine subscription access. The reference relay uses the minimized Apple-signed AppTransaction proof described above only to authorize the relay, not to collect payment information.

Support And Website Data

If a user emails support, Mountain Meadow Systems receives the information the user chooses to send, such as an email address, message, Studio build, macOS version, screenshots, logs, project details, or attachments. Users should avoid sending provider keys, access tokens, or private project media unless specifically necessary and authorized.

The Mountain Meadow Systems website and its hosting provider may process ordinary operational data such as IP address, request time, requested URL, browser user agent, and error information. Studio and this website do not use advertising tracking.

Contact And Changes

For privacy questions, email patrick@mountainmeadowsystems.com. Material policy changes will be reflected by a new effective date and, when they change the remembered reference-frame disclosure, Studio will require confirmation again.

Back to Studio Privacy Choices Terms of Use Studio Support
Mountain Meadow Systems
Support Privacy Privacy Choices Terms patrick@mountainmeadowsystems.com LinkedIn GitHub

© 2026 Mountain Meadow Systems