Skip to content

Replit

The host behind a shared Replit project. Replit holds your code and anything your project stores while it runs — a database, uploaded files, the lot — on US servers. The one knob that actually matters here is public vs private: a public project is MIT-licensed for anyone to copy and may be used to train Replit's models; a private project is neither. So the decision is made the moment you create the project, not in a buried settings page.

Last verified: 2026-06-07 · Confidence: high on the public/private split, the commercial no-training term, and the 30-day deletion window (all from Replit's own terms); data residency is the soft spot — there's no EU region.

What it holds, and who can see it

Replit is a full workspace, so it keeps more than a file tree: your source code, plus whatever your running app holds — its database rows, uploaded files, environment secrets. The thing that decides exposure is one choice you make up front: [confirmed]

  • Public project — anyone on Replit can find and copy it. Publishing a public App "is automatically made subject to the MIT License, which allows others to view, copy, modify, and distribute your code, on or off platform." It's the share-by-default state, and it's genuinely open. [confirmed]
  • Private project — invite-only. "Content in private Apps is not made available to the public"; only people you invite (or teammates) can open it. [confirmed]
  • One honest line on private: Replit "reserves the right to access the content of your private Apps for the purpose of troubleshooting, improving our service, and ensuring the safety and security of the Service" — staff can reach in for those reasons, the standard host carve-out. [confirmed]

If what you're sharing is meant to be open anyway, public is the whole point. If it carries anything you wouldn't hand a stranger, make it private before you put the data in.

Does it train AI on your project?

This is where public and private diverge sharply, and it's the one claim worth reading twice: [confirmed]

  • Public projects: yes, they may train on them. "Content published in public Apps may be used by Replit for improving the Service, including but not limited to developing or training large language models, both during and after the term of this agreement." There's no toggle — going private is the off switch. [confirmed]
  • Private projects: not used for training. The training clause is scoped to public Apps; private content is accessed only for the troubleshooting/security reasons above, not model training. [estimate] (the public-App training clause has no private-App equivalent; we read the absence as "not trained" — Replit doesn't state it in those exact words)
  • The AI assistant you type to, on free vs paid. Replit routes model calls through OpenRouter with privacy defaults: on paid endpoints "your data will not be used for training by paid model providers," but on free endpoints "free model providers may train on your prompts and completions." So a free account's AI chats can be trained on by the underlying model vendor. [confirmed]

How long they keep it, and can you delete it

  • Delete your account and it's purged in 30 days. "When you request to delete your account, we delete your data within 30 days," and deleting "removes all of your content from Replit (including Replit Apps, templates, posts)." [confirmed]
  • It's a one-way door. "You will not be able to recover this data if you change your mind" — keep your own copy first. [confirmed]
  • Public copies survive your deletion. Anyone who already copied your public, MIT-licensed project keeps their copy — deleting your original never reaches it. [estimate]

What a Team / Enterprise plan changes

The commercial tiers flip the training default and add the paperwork a compliance review wants: [confirmed]

  • No training, by contract. "Replit will not use Customer Content to develop or improve Replit's products or services, train machine learning models, or create derivative works, except as expressly permitted in this Agreement." This holds for public and private commercial content — it's the meaningful upgrade over the free tier. [confirmed]
  • You own your work, in writing. Customers "retain all right, title and interest... in and to the Input Content" and "own the Output Content." Any AI tuning on your content is "only for Customer's sole use." [confirmed]
  • A signed DPA, with Replit as your processor, plus — for Enterprise AI — model calls restricted to "Zero Data Retention (ZDR) endpoints only," so the underlying vendor stores nothing. [confirmed]

For an individual sharing a demo or a learning project, the free tier is fine — just pick public-vs-private deliberately. The Team/Enterprise extras are for orgs putting regulated data into a repl.

Where your data lives (matters under GDPR)

  • US-primary, no region choice. "Our Services are primarily hosted in the United States and may also be hosted in locations abroad (for example, India)." There's no EU/UK data-residency option, on any tier. [confirmed]
  • Transfers are covered on paper. For EEA/Swiss/UK customers, Replit's DPA applies the EU Standard Contractual Clauses (Implementing Decision 2021/914, Modules 2 and 3) plus the UK Addendum and UK IDTA, with Replit as your processor. [confirmed]

The short version: fine for a public demo, a course project, or an internal tool, even with EU/UK users in the everyday case. If a funder or DPA forbids personal data leaving the EU/UK, Replit can't meet that — it has no EU region.

Sources