For IT · Legal · Procurement

Notepatra for Enterprise

A plain-English brief for the IT, legal, or procurement reviewer evaluating whether a developer in your organization can install Notepatra. Bookmark this page, paste it into a software-acceptance request, or forward it to your OSS-license review board.

Not legal advice. This page is an informational summary written by the Notepatra maintainer — an independent open-source author, not a law firm. The descriptions below of how GPL-3.0 applies to various scenarios are good-faith summaries of the license text and of widely-held interpretations published by the Free Software Foundation (the GPL's author) at gnu.org/licenses/gpl-faq.html. Your in-house counsel is the only authoritative voice on how GPL-3.0 applies to your organization. Information on this page reflects the project state at the time the page was last updated and may not reflect future releases — the canonical statement of what each Notepatra release does or does not include is the CHANGELOG and the release notes for that release. Nothing on this page modifies, expands, or limits the warranty disclaimers in the LICENSE file (GPL-3.0 §15 and §16) — Notepatra is provided "as is".

The 30-second answer

Notepatra is a standalone end-user code editor, similar in license posture and use case to Notepad++, vim, or GIMP. It is licensed under the GNU General Public License v3.0 or later. In the Free Software Foundation's published interpretation of GPL-3.0, running and installing a GPL program inside an organization does not require the organization to release any of its own source code, does not create a derivative work of the editor from files the editor is used to edit, and does not require a paid account or commercial contract. The current Notepatra release does not include telemetry or background network calls; AI features default to local backends and any cloud backend is opt-in. (Statements about "current release" reflect the release identified at the bottom of this page and are not warranties for future releases.)

Snapshot for your software-acceptance form

Field | Value
Product | Notepatra
Vendor / Author | Prateek Singh (individual open-source maintainer)
License | GNU General Public License v3.0 or later (SPDX: GPL-3.0-or-later)
Source code | github.com/singhpratech/notepatra — fully open, every release tagged
Cost | The current release is distributed at no charge under GPL-3.0. There is no paid tier today.
Telemetry / analytics (current release) | None. The current release does not include call-home behavior, usage pings, or automatic crash reports. The canonical statement of what each release collects lives in that release's CHANGELOG.
Mandatory network calls (current release) | None. The editor starts offline. Update checks and AI features are opt-in by the user.
Data collection (current release) | The current release does not transmit data from the user's machine by default. If the user configures and enables an external (cloud) AI backend, content the user sends to that backend is governed by that backend's terms of service.
Local-first AI | Default behavior. The standard build's AI panel ships six dropdown entries: Ollama + llama.cpp (GGUF) (local, separate processes the user installs), Ollama Cloud / OpenRouter / OpenAI / Azure OpenAI (cloud, opt-in, the user supplies their own API credentials). The notepatra-local-ai cloud-free build flavor ships only the two local entries — cloud backends are physically absent from that binary. Other OpenAI-compatible servers can be reached only by the user manually pointing the llama.cpp entry at a custom URL — they are not first-class Notepatra backends, are not bundled, and the user is responsible for installing and licensing them per each program's own terms. See the AI backends and Data flow & responsibility sections below.
Supply chain | Each release page on GitHub publishes SHA-256 checksums, cosign signatures (recorded in the Sigstore Rekor transparency log), and SLSA build-provenance attestations. The releases are built from public source on GitHub Actions; bit-for-bit reproducible builds are planned but not yet implemented.
Code signing | SHA-256 + cosign on every release artifact at the time of writing. Operating-system code signing (Authenticode on Windows, Apple notarization on macOS) is on the roadmap; current builds are unsigned at the OS level but are cryptographically verifiable via cosign.
Platforms | Linux x64 / ARM64, macOS Apple Silicon, Windows x64
Footprint | Bare executable under 12 MB (~11.5 MB on Linux x64). Latest Lite (default) downloads: 4.1 MB (Linux x64 tar.gz), 27.5 MB (macOS DMG), 42.4 MB (Windows MSI); the opt-in Full download is larger (bundles DuckDB, plus WebEngine on Linux/Windows). Exact sizes vary release-to-release; the GitHub release page is canonical.
Updates | Manual. No auto-update daemon. No background service.
Plugins | Drop a .so/.dylib/.dll in ~/.config/notepatra/plugins/. No remote plugin registry. No auto-install.

What GPL-3.0 actually means for your organization

The most common concerns about GPL in a corporate setting are about a specific scenario: linking GPL code into a closed-source product your company ships to customers. The questions below summarize how the Free Software Foundation — the author of the GPL — describes those concerns. The authoritative source is the FSF's GPL FAQ; your in-house counsel can advise on your specific situation.

Common concern | What the FSF GPL FAQ says (paraphrased)
"If we install GPL software, we'll have to release our source code." | The FSF's interpretation is that GPL obligations are triggered by distribution of the GPL software or a derivative work — not by running it. (See FSF GPL FAQ: "Does the GPL require source code of modified versions to be posted to the public?") Running a GPL program inside your organization is the same posture as running gcc, vim, or Linux.
"If our developers edit our proprietary source code in Notepatra, does that code become GPL?" | The FSF's interpretation is that the editor and the file edited with it are separate works; editing a file in a GPL editor does not by itself make the file a derivative work of the editor. (FSF GPL FAQ: "Can I use GPL-covered editors to develop nonfree programs?") An analogous principle: writing a document in LibreOffice does not place the document under LibreOffice's license.
"What if a developer accidentally pastes Notepatra source into our codebase?" | That would be a normal copyright matter, the same as if they pasted code from any other source. The license discipline your organization applies to all third-party code applies here too.
"What if we want to modify Notepatra for internal use?" | The FSF's interpretation is that GPL source-disclosure obligations attach to distribution of modified versions, not to internal use. (FSF GPL FAQ: same entry as above.) If your modified version is later distributed outside your organization, GPL-3.0 source-disclosure obligations would apply at that point.
"What about AGPL? Some of our software policies block AGPL." | Notepatra is licensed under GPL-3.0-or-later, not AGPL. The AGPL network-clause does not apply to Notepatra.
"Patent retaliation clause?" | GPL-3.0 §11 grants users an express patent license from each contributor and includes a defensive termination provision for patent litigation initiated against the software. (Full text in the LICENSE file.) Consult your in-house counsel for application to your organization's patent posture.
"Anti-tivoization clause?" | GPL-3.0 §6 ("Conveying Non-Source Forms") addresses the situation of distributing GPL software inside a device whose firmware prevents user modification. It applies to manufacturers who distribute GPL binaries inside such devices, not to end-user installations on general-purpose workstations.
Summary, per the FSF interpretation: GPL copyleft obligations attach to whoever distributes the software. An end-user organization that installs and runs Notepatra on its workstations is, in the FSF's described interpretation of GPL-3.0, not subject to source-disclosure or license-grant obligations from such use. The authoritative source for these interpretations is the FSF GPL FAQ. Your counsel is the authoritative voice for your specific situation.

GPL software widely used in enterprise environments

Many widely-deployed enterprise tools are distributed under GPL-2.0 or GPL-3.0. Examples include:

If your organization's OSS policy already permits standalone GPL-2.0 or GPL-3.0 end-user tools of this category, Notepatra's license posture is in the same category.

Supply chain & provenance

Every Notepatra release ships with cryptographic provenance suitable for an internal SBOM or software-acceptance package.

SHA-256 checksums

Every release page contains a SHA256SUMS file listing every binary artifact. Your IT team can verify the bytes match what was published:

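# Run from the directory holding the downloaded artifacts. --ignore-missing skips
# SHA256SUMS entries for files that are not present, so confirm the artifact you
# care about is reported as OK.
curl -fsSL https://github.com/singhpratech/notepatra/releases/latest/download/SHA256SUMS \
  | sha256sum --check --ignore-missing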

cosign signatures (Sigstore + Rekor)

Every artifact is keylessly signed via Sigstore cosign. The signature is recorded in the public Rekor transparency log, so any tampering with the release page is detectable from outside. Verify a download:

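# The trailing slash pins the signer identity to this repository; without it the
# pattern would also accept a repository whose name merely starts with "notepatra".
cosign verify-blob \
  --certificate notepatra-linux-x64.tar.gz.pem \
  --certificate-identity-regexp "^https://github\.com/singhpratech/notepatra/" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --signature notepatra-linux-x64.tar.gz.sig \
  notepatra-linux-x64.tar.gz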

SLSA build provenance

GitHub Actions emits signed SLSA v1.0 build-provenance attestations (SLSA Build Level 2 — signed provenance from a hosted build platform) alongside each release. The attestation cryptographically ties each binary back to a specific commit SHA and workflow run, so your security team can independently confirm that a release was built from the exact public source in github.com/singhpratech/notepatra and not from an attacker-controlled fork.
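
What the commit and repository binding described above looks like when checked in code, as an added example that is not part of the Notepatra project or of this page's original text. It assumes the DSSE envelope's signature has already been verified with a Sigstore tool and that the predicate follows the SLSA v1.0 layout with GitHub's `workflow` external parameters; the sample envelope, commit, ref format and workflow path are constructed.

```python
import base64
import hashlib
import json
import re

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"
EXPECTED_REPO = "https://github.com/singhpratech/notepatra"  # repository named on the page


class ProvenanceError(Exception):
    """Raised when a provenance claim does not match the acceptance policy."""


def statement_from_dsse(envelope):
    """Decode the in-toto statement carried in a DSSE envelope (signature checked elsewhere)."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ProvenanceError("unexpected DSSE payloadType")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement, artifact_bytes, expected_ref, expected_repo=EXPECTED_REPO):
    """Return the source commit the provenance binds the artifact to, or raise."""
    if statement.get("_type") != STATEMENT_TYPE:
        raise ProvenanceError("not an in-toto v1 statement")
    if statement.get("predicateType") != PREDICATE_TYPE:
        raise ProvenanceError("not SLSA v1 provenance")

    # 1. The attestation must cover these exact bytes, whatever the file is called.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subject_digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in subject_digests:
        raise ProvenanceError("artifact digest is not a subject of this attestation")

    # 2. The workflow that ran must live in the expected repository at the expected ref.
    #    Exact comparison: a prefix test would accept '<repo>-fork'.
    build = statement.get("predicate", {}).get("buildDefinition", {})
    workflow = build.get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != expected_repo:
        raise ProvenanceError(f"built from repository {workflow.get('repository')!r}")
    if workflow.get("ref") != expected_ref:
        raise ProvenanceError(f"built from ref {workflow.get('ref')!r}")

    # 3. The resolved source dependency pins the commit that was checked out.
    source_uri = f"git+{expected_repo}@{expected_ref}"
    for dep in build.get("resolvedDependencies", []):
        commit = dep.get("digest", {}).get("gitCommit", "")
        if dep.get("uri") == source_uri and re.fullmatch(r"[0-9a-f]{40}", commit):
            return commit
    raise ProvenanceError("no pinned source commit for the expected repository")


def constructed_envelope(artifact_bytes, repo=EXPECTED_REPO, ref="refs/tags/v0.1.90"):
    """Build a sample envelope for the demo; every value in it is constructed."""
    statement = {
        "_type": STATEMENT_TYPE,
        "predicateType": PREDICATE_TYPE,
        "subject": [{"name": "notepatra-linux-x64.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
        "predicate": {"buildDefinition": {
            "externalParameters": {"workflow": {
                "repository": repo, "ref": ref,
                "path": ".github/workflows/release.yml"}},  # hypothetical path
            "resolvedDependencies": [{
                "uri": f"git+{repo}@{ref}",
                "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}],
        }},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}


if __name__ == "__main__":
    artifact = b"constructed stand-in for notepatra-linux-x64.tar.gz"
    good = statement_from_dsse(constructed_envelope(artifact))
    print("source commit:", check_provenance(good, artifact, "refs/tags/v0.1.90"))
    fork = statement_from_dsse(constructed_envelope(artifact, repo=EXPECTED_REPO + "-fork"))
    try:
        check_provenance(fork, artifact, "refs/tags/v0.1.90")
    except ProvenanceError as err:
        print("rejected:", err)
```

The returned commit is the value to record in an SBOM or acceptance package next to the artifact's SHA-256.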

Buildable from source

Every commit is public. Tags are immutable. There is no closed-source binary blob anywhere in the build pipeline. A determined security team can clone the repo at a given tag, run the documented build, and reproduce a functionally equivalent binary.

Dependency licenses (what's inside the binary)

Dependency | License | Compatible with GPL-3.0?
Qt 5/6 (UI framework) | LGPL-3.0 (dynamic linking) | Yes. Standard Qt-app posture.
QScintilla (editor widget) | GPL-3.0 (or commercial) | Yes. Riverbank Computing dual-licenses this; Notepatra uses the free GPL-3.0 path.
Scintilla (editor engine) | HPND (BSD-like, permissive) | Yes.
DuckDB v1.1.3 (Data Analyst mode — bundled in the Full prebuilt download on every platform; the Lite default download has CSV + in-memory SQLite only) | MIT | Yes.
Rust crates (memmap2, regex, aho-corasick, encoding_rs, etc.) | MIT / Apache-2.0 dual | Yes.
Vega + Vega-Lite + vega-embed (chart rendering — Full flavor only) | BSD-3-Clause | Yes.

To the maintainer's knowledge at the time of writing, Notepatra does not include GPL-incompatible dependencies, dependencies with field-of-use restrictions, or "free for non-commercial use" components. The canonical license list for the current release is the LICENSE file in the release tag and the dependency manifests (CMakeLists.txt, rust-core/Cargo.toml) in the same tag.

AI backends — separate programs Notepatra talks to

Notepatra's AI features (chat, inline edit, agentic Coding mode, Data Analyst mode) are powered by an external backend that the user chooses and configures. The backend is not bundled inside the Notepatra binary; it is a separate program (for local backends) or a separate online service (for cloud backends) that the user installs, runs, or signs up for independently. Notepatra is purely an HTTP/HTTPS client to whichever backend the user has configured.

Two consequences worth noting for your review:

  1. License independence. The license of any backend program does not attach to or "infect" Notepatra. Notepatra and the backend are separate works connected by a network API call, not by static or dynamic linking, not by source inclusion, not by binary bundling.
  2. Data-handling independence. Notepatra is an API client, not a data processor. Content that a user sends to a backend is governed by that backend's own privacy policy and terms of service. See the Data flow & responsibility section below.

Backends shipped in the Notepatra UI dropdown

The AI panel's backend dropdown ships six entries in the standard build (the notepatra-local-ai "cloud-free" build flavor ships only the two local entries — cloud backends are absent from that build at the binary level):

Dropdown entry | Type | Backend's own license / terms | What Notepatra does
Ollama | Local (separate process) | MIT — permissive open source | HTTP client to localhost:11434. Ollama is not bundled; users install it separately.
llama.cpp (GGUF) | Local (separate process) | MIT — permissive open source | HTTP client to a user-run llama-server endpoint (default localhost:8080). llama.cpp is not bundled. This entry also accepts a custom base URL, so users can route it to any OpenAI-compatible server they choose (see next section).
OpenRouter | Cloud (cloud-free build: not present) | OpenRouter's terms — see openrouter.ai/terms | HTTPS client. User supplies own OpenRouter API key. Opt-in.
Ollama Cloud | Cloud (cloud-free build: not present) | Ollama hosted-service terms — see ollama.com | HTTPS client. Opt-in.
OpenAI | Cloud (cloud-free build: not present) | OpenAI's API terms — see openai.com/policies | HTTPS client. User supplies own API key. Opt-in.
Azure OpenAI | Cloud (cloud-free build: not present) — typical enterprise option for regulated industries with a Microsoft DPA in place | Microsoft Azure OpenAI Service terms — see azure.microsoft.com | HTTPS client. User supplies own deployment URL + API key. Opt-in.

Other OpenAI-compatible servers (user-configured passthrough)

The llama.cpp (GGUF) entry accepts a user-configured base URL. Many third-party programs expose an OpenAI-compatible HTTP API; a user may, on their own initiative, point this entry at any such program they have separately installed. Such third-party programs are not "Notepatra backends" — they are not first-class dropdown entries, are not bundled with Notepatra, and are not endorsed or supported by Notepatra. They are user-configured passthroughs over a standard HTTP protocol. The user is solely responsible for selecting, installing, licensing, configuring, and operating any such program in accordance with that program's own license and terms; Notepatra makes no representation, warranty, or claim about any such program.

Because Notepatra communicates with all such programs purely as an HTTP client over the OpenAI-compatible REST protocol — without including, modifying, statically or dynamically linking, or redistributing any of their code or binaries — the licenses of those programs (whether MIT, AGPL, closed-source, or otherwise) do not attach to Notepatra. Any obligations under those licenses (including AGPL §13 network obligations, if the user has chosen an AGPL program) remain with whoever distributes the program in question, not with Notepatra.

On nominative use of third-party names: all third-party product, project, and service names referenced in this section appear solely to identify the corresponding program or service so a reader can understand what Notepatra is HTTP-compatible with. No affiliation, endorsement, sponsorship, or partnership is implied. All trademarks belong to their respective owners — see the Trademarks section below.

Data flow & responsibility

This section clarifies who is responsible for what when content flows from a developer's machine through Notepatra to an external AI backend. The summary is straightforward: Notepatra is a conduit, not a data processor or controller. Notepatra forwards the content the user asks it to forward, to the backend the user has configured, using the credentials the user has supplied — and otherwise stores nothing externally.

Plainly: when a user is configured to use a local backend (Ollama / llama.cpp / any OpenAI-compatible local server the user has installed), content stays on the user's own machine and is processed locally; nothing leaves the device. When a user is configured to use a cloud backend (Ollama Cloud / OpenRouter / OpenAI / Azure OpenAI, or any cloud OpenAI-compatible endpoint the user has pointed Notepatra at), the content the user sends in the AI panel is transmitted by Notepatra over HTTPS to that cloud service, where it is governed by that service's own privacy policy, terms of service, and data processing agreement — not by Notepatra and not by the Notepatra maintainer.

Who is responsible for what

Activity | Responsibility
Choosing which backend to use (local vs cloud, which specific provider) | The end user / their organization.
Installing and operating the chosen local backend (Ollama, llama.cpp, etc.) in accordance with its license and terms | The end user / their organization.
Signing up for, and supplying API credentials to, the chosen cloud backend (OpenAI, Azure OpenAI, OpenRouter, Ollama Cloud, etc.) | The end user / their organization.
Deciding what file contents, prompts, or workspace context to send to a backend | The end user / their organization. Notepatra exposes user-facing toggles for "Share file with AI" and similar context options; the default for these toggles is to limit, not expand, what the AI sees.
Complying with the cloud provider's terms of service, data processing agreement, privacy policy, residency / sovereignty rules, and any export-control or sectoral regulation (e.g. HIPAA BAA, PCI-DSS, GDPR / CCPA controller-processor terms, FINRA, ITAR, etc.) | The end user / their organization, in conjunction with the cloud provider. Notepatra is not a party to any such agreement.
The cloud provider's processing of received content (storage duration, training-data inclusion, regional routing, etc.) | The cloud provider, per its own terms.
Forwarding the user's content from the editor to the user-chosen backend over HTTPS | Notepatra (as an API client). Notepatra does not retain, mirror, copy, or transmit the user's content to any party other than the backend the user has configured.
Local logging of AI interactions on the user's own machine (for the user's own audit purposes) | An optional Notepatra feature stored in a local SQLite file (~/.config/notepatra/ai-logs/interactions.db) on the user's machine. Pruned to a 7-day window, capped at 50 MB, masked of credentials by a built-in credential scrubber, and toggleable by the user. The log file never leaves the user's machine; Notepatra does not transmit it anywhere.

Privacy-protective defaults in the current release

None of the statements in this section modify, expand, or limit the warranty disclaimer in GPL-3.0 §15 and §16 or the warranty/liability discussion in the Warranty & liability section below. They describe the design intent and current-release behavior; they are not contractual representations or guarantees for future releases.

Copy-paste this into your software-acceptance request

You may copy the block below verbatim and submit it to your organization's OSS review process. The statements describe the current Notepatra release; consult the GitHub release page and CHANGELOG for the canonical statement on any specific release.

Software: Notepatra — open-source code editor with optional local-first AI integration

Maintainer: Prateek Singh (independent open-source author)

License: GNU General Public License v3.0 or later (SPDX: GPL-3.0-or-later)

Source: github.com/singhpratech/notepatra

Use case: standalone code editor running on developer workstation. No service, no daemon, no auto-update. Files edited remain the property of the organization; per the FSF's published interpretation of GPL-3.0, no GPL obligation attaches to files edited with a GPL editor.

Data flow (current release): the editor runs offline by default. The AI panel in the standard build offers six dropdown entries: Ollama and llama.cpp (local, separate processes the user installs); Ollama Cloud, OpenRouter, OpenAI, and Azure OpenAI (cloud, opt-in, user supplies own API credentials). A notepatra-local-ai cloud-free build flavor exists for organizations that require a binary that cannot reach public-cloud LLM endpoints. Notepatra is purely an HTTP/HTTPS API client; it forwards content the user explicitly sends, to the backend the user has configured, and otherwise transmits nothing. Content sent to a cloud backend is governed by that backend's own terms of service and privacy policy. Notepatra is not a data processor or controller in respect of such content; the cloud provider is.

Telemetry (current release): none.

Equivalent already approved: Notepad++ (GPL-2.0/3.0) is a comparable standalone GPL code editor that many organizations have already evaluated.

Supply-chain evidence (current release): SHA-256 checksums, cosign signatures via Sigstore (publicly recorded in the Rekor transparency log), and SLSA build-provenance attestations; built from public source on GitHub Actions.

FAQ — questions procurement actually asks

Will GPL-3.0 obligate us to release our internal tools or our code?

No. GPL obligations attach to distribution of the GPL software or its derivatives. Running, installing, and using Notepatra does not distribute anything and does not create a derivative work.

What if our developer modifies Notepatra to add a feature we use internally?

Allowed. As long as the modified version is not distributed outside your organization, no source-disclosure obligation arises. (If you do distribute it — e.g. to customers, contractors outside your org, or the public — you must offer the source under GPL-3.0.)

Does Notepatra connect to any external service by default?

No. The editor boots offline. Update-check is manual. AI features default to a local backend; cloud backends are opt-in and require the user to enter credentials.

Is there a commercial / paid version that drops the copyleft requirement?

No commercial offering exists today. Notepatra is distributed solely under GPL-3.0-or-later at the time of writing. Statements on this page are not an offer to license under different terms, and no representation is made that alternative licensing will be available in the future.

Will Notepatra add telemetry or "phone home" in a future version?

The current release does not include telemetry, analytics, or call-home behavior, and the project's stated direction is to remain that way. However, statements on this page describe the release in effect when this page was last updated and do not bind future releases. The canonical statement of what each release does or does not collect is the CHANGELOG entry and the release notes for that specific release; review those before deploying any new version in a sensitive environment.

Where do I report a security issue?

See SECURITY.md in the repo for the disclosure policy.

Who is responsible for support / liability?

Notepatra is provided as-is under the GPL-3.0 disclaimer of warranty (sections 15 and 16). There is no SLA, no support contract, and no warranty. Your organization assumes risk the same way it does for every other GPL tool it uses (gcc, gdb, git, vim, Linux kernel).

Is the binary I download the same as what's in the source repo?

Yes, and you can cryptographically verify it. Every release is built by GitHub Actions from a tagged commit in the public repo. The SLSA provenance attestation and cosign signature both bind the binary to that commit. A reproducible build pass is planned but not yet implemented.

Can we host an internal mirror of Notepatra binaries?

Yes — GPL-3.0 explicitly allows this. You may redistribute the binaries inside your organization (or publicly) as long as you also offer the source code under GPL-3.0. Pointing users at github.com/singhpratech/notepatra satisfies the source-availability requirement.

Can we run Notepatra in an air-gapped environment?

Yes. The Lite flavor is fully self-contained (~11.5 MB on disk). On Linux and Windows, the Full flavor bundles the chart-rendering JS as a Qt resource and works offline (the WebEngine Vega chart path is Linux/Windows-only; macOS Full is DuckDB-only with no inline Vega). The native QtCharts ```chart renderer works offline on every platform. AI features can be configured for a local Ollama or llama.cpp running on the air-gapped machine — no external network required.

Warranty & liability

Notepatra is distributed "as is", without warranty of any kind. The complete and authoritative warranty disclaimer is in sections 15 and 16 of the GNU General Public License v3.0, which forms part of every Notepatra release and is reproduced in full in the LICENSE file. To the maximum extent permitted by applicable law, the maintainer disclaims all warranties, express or implied, including without limitation any implied warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, completeness, or uninterrupted availability.

Nothing on this page is a representation, guarantee, or warranty regarding any specific deployment, environment, or use case. Statements on this page describing what a current release does or does not include are descriptive — not contractual — and do not modify, expand, or limit the warranty disclaimer in the LICENSE file or the disclaimers in GPL-3.0 §15 and §16.

To the maximum extent permitted by applicable law, in no event will the maintainer be liable to any party for any direct, indirect, incidental, consequential, special, exemplary, or punitive damages arising out of or relating to the use or inability to use Notepatra, even if advised of the possibility of such damages. The liability ceiling stated in GPL-3.0 §16 governs.

Trademarks

"Notepad++" is a trademark of Don Ho. "GitHub", "Microsoft", "Azure", and "VS Code" are trademarks of Microsoft Corporation. "Apple" and "macOS" are trademarks of Apple Inc. "OpenAI" is a trademark of OpenAI, OpCo, LLC. "Ollama" is the project name and a trademark of Ollama, Inc. (where registered). "llama.cpp" is the project name of the open-source project of the same name. "Linux" is a registered trademark of Linus Torvalds. "Wireshark" is a registered trademark of the Wireshark Foundation. "GIMP" and "Inkscape" are project names of their respective projects. "Qt" is a registered trademark of The Qt Company. "Scintilla" and "QScintilla" are project names of the respective open-source projects, and QScintilla is also a trademark of Riverbank Computing Limited. "Sigstore" and the "Sigstore" mark belong to the Sigstore project / The Linux Foundation. "SLSA" is a mark of OpenSSF / The Linux Foundation. Other product or service names referenced on this page may be trademarks of their respective owners.

All references on this page to third-party products, projects, services, or organizations are nominative — used solely to identify the corresponding product or service so that readers can understand what Notepatra does or what Notepatra is compatible with. No affiliation, endorsement, sponsorship, partnership, or business relationship between Notepatra and any such third party is implied or claimed.

About this page

This page is informational and is not legal advice. It is a good-faith summary written by the Notepatra maintainer to assist organizations in evaluating Notepatra for use in their environments. The maintainer is an independent open-source author and not a law firm. The page may be updated from time to time; the version of this page in effect at any given moment is the version published at https://notepatra.org/enterprise.html at that moment.

Where this page describes how GPL-3.0 applies to particular scenarios, those descriptions are paraphrases of interpretations published by the Free Software Foundation in the official GPL FAQ at gnu.org/licenses/gpl-faq.html. The FSF's own statements are the authoritative source for those interpretations; your in-house counsel is the authoritative source for how the GPL applies to your specific situation.

Where this page describes the behavior of Notepatra (e.g., "does not include telemetry", "starts offline", "AI backends are opt-in"), those descriptions describe the release in effect at the time the page was last updated and do not bind future releases. Always cross-reference the CHANGELOG and release notes for the specific Notepatra release you are evaluating.

The maintainer reserves the right to revise this page without prior notice. Mirroring or quoting this page elsewhere is permitted; please cite the canonical URL above so readers can confirm the current version.

Page last updated: 2026-05-17. Current release at time of writing: v0.1.90.

Contact

Questions from a legal / IT / procurement reviewer: open an issue tagged enterprise, or reach out via the GitHub profile of @singhpratech (the contact email is listed there). This matches the project's standing contact pattern — see SECURITY.md.

Security disclosures: see SECURITY.md.

General issues and feature requests: GitHub Issues.