Privacy Policy

Last updated: June 13, 2026

This Privacy Policy ("Policy") describes how oooi("oooi," "we," "us," or "our") collects, uses, discloses, and protects information when you access or use our website, applications, and related services (collectively, the "Service"). By using the Service, you acknowledge that you have read and understood this Policy.

oooi is operated by oooi (the Company). Our registered legal entity name and principal business address will be published on this page when finalized. Until then, you may contact us at privacy@oooi.ai or hello@oooi.ai.

1. Scope and relationship to other policies

This Policy applies to personal data processed in connection with the Service. It should be read together with our Terms of Service and Payment Policy, which govern your use of the Service and purchases of Ostra credits. If there is a conflict between this Policy and mandatory law in your jurisdiction, mandatory law prevails to the extent of the conflict.

2. Our privacy philosophy: metadata, not message content

oooi is designed around a zero-retention default for user prompts and model answers. In ordinary operation we do not persist the text of your prompts, the full text of AI-generated responses, or the contents of your conversations in our primary application database for long-term storage.

Instead, we store the metadata required to operate the Service, including but not limited to: account identifiers, authentication records, credit balances and ledger entries, invoices and payment status, usage counters for free-tier limits, token counts and cost metadata for model calls, feature identifiers, routing mode (manual vs. Omega), and administrative diagnostics. This approach lets us meter usage, prevent abuse, bill accurately, and improve reliability without building a permanent archive of your creative or confidential inputs.

Important limitations: (a) prompts and responses are transmitted to third-party AI model providers to generate answers — those providers process data under their own policies; (b) if you explicitly save content to Projects or export files, that content is stored because you requested it; (c) transient processing in memory, logs, and backups may briefly contain content even when we do not intend long-term retention; (d) we may retain data where required by law, to resolve disputes, or to enforce our terms.

3. Information we collect

3.1 Information you provide

• Account data: email address, display name, avatar URL (if supplied via OAuth), password hash (for email/password sign-up), and your unique wallet code (format OSTRA-XXXX-XXXX) used for peer-to-peer Ostra transfers between accounts.
• Profile and preferences: settings you configure in the Service, including optional intelligence profile data if you use that feature.
• User-generated saves: items you deliberately save to Projects, exported documents, and similar artifacts you choose to persist.
• Communications: messages you send to support, feedback forms, or legal notices.
• Payment-related data: billing references, invoice amounts, currency, payment status, and gateway transaction identifiers. We do not store full payment card numbers — card data is handled by Polar.

3.2 Information collected automatically

• Usage metadata: feature used, model identifier (for administrative and billing purposes), input/output token counts, credits charged, routing mode, optional batch identifiers for deduplication, and timestamps.
• Free-tier counters: rolling-window request counts for free Search and Optimize features (default window: 5 hours; default limits: 80 search and 40 optimize requests per window, subject to change via configuration).
• Device and log data: IP address, browser type, operating system, referring URLs, session identifiers, and server logs used for security, rate limiting, and debugging.
• Cookies and similar technologies: authentication session cookies, preference cookies (e.g., theme, sound settings stored locally where applicable), and analytics cookies if enabled. See Section 9.

3.3 Information from third parties

• Authentication providers: if you sign in with Google or another OAuth provider, we receive profile information permitted by that provider and your consent.
• Payment processors: Polar provides payment confirmation, failure notices, and fraud signals. We reconcile these with our invoice records.

4. How we use information

We use personal data to:

• Provide, maintain, and improve the Service;
• Authenticate users and secure accounts;
• Enforce free-tier limits, credit metering, postpaid billing, and fraud prevention;
• Route requests to AI model providers and operate Omega managed routing;
• Process payments, invoices, refunds (where legally required), and account suspensions for overdue billing;
• Facilitate Ostra credit transfers between user accounts via wallet codes;
• Respond to support requests and communicate about the Service;
• Comply with legal obligations and protect our rights, users, and the public;
• Generate aggregated, de-identified statistics that do not identify you.

We do not sell your personal data. We do not use your private prompts to train our own models unless we explicitly ask for and receive your separate opt-in consent for a specific program.

5. AI model providers and subprocessors

To generate answers, we send prompts (and necessary context) to third-party AI providers such as OpenAI, Anthropic, Google, and others listed in our model catalog, as well as models in our Omega free pool. Each provider processes data under its own terms and privacy policy. In Omega mode, the underlying model may be selected and blended by oooi without disclosure of the specific model to you.

We share only what is technically necessary to fulfill a request. We do not share your email address or full account profile with model providers as part of routine inference calls unless required for a specific integration you enable.

Subprocessors we rely on include, without limitation:

• Supabase — authentication, database, and infrastructure hosting;
• Polar — card payments, subscriptions, and checkout;
• AI model providers — inference as described above;
• Hosting and CDN providers — application delivery (e.g., Vercel or equivalent).

We may update subprocessors from time to time. Material changes will be reflected in this Policy or a subprocessor list made available on request.

6. Legal bases for processing (EEA/UK users)

If you are in the European Economic Area, United Kingdom, or Switzerland, we process personal data on the following bases:

• Contract: processing necessary to provide the Service you requested (account, credits, feature access);
• Legitimate interests: security, fraud prevention, service improvement, and internal analytics, balanced against your rights;
• Legal obligation: tax, accounting, and regulatory compliance;
• Consent: where required (e.g., non-essential cookies or optional marketing).

7. Data retention

We retain personal data only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.

• Account data: retained while your account is active and for a reasonable period after deletion to handle backups, disputes, and legal holds.
• Usage metadata: retained for billing, abuse prevention, and capacity planning; aggregated beyond identification where possible.
• Prompts and AI outputs: not retained in our application database by default after the request completes, except as noted in Section 2.
• Invoices and payment records: retained as required for tax, accounting, and chargeback defense (typically 7 years or as mandated locally).
• Support communications: retained as needed to resolve your inquiry and improve support quality.

When you delete your account, we will delete or anonymize personal data associated with your account, subject to legal exceptions and backup cycles.

8. International data transfers

oooi may process and store information in the United States and other countries where we or our subprocessors operate. These countries may have data protection laws different from those in your jurisdiction. Where required, we implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms for transfers from the EEA/UK.

9. Cookies and local storage

We use cookies and similar technologies for essential functions (session authentication, security) and preferences. Non-essential analytics cookies, if any, will be disclosed in a cookie notice or settings panel where required by law.

Some client-side preferences (e.g., sound on/off) may be stored in your browser's localStorage and are not transmitted to our servers except indirectly through your use of the Service.

You can control cookies through your browser settings. Disabling essential cookies may prevent you from signing in or using core features.

10. Security

We implement technical and organizational measures designed to protect personal data, including encryption in transit (TLS), access controls, row-level security policies on our database, rate limiting, and constant-time verification of webhook signatures where applicable. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

You are responsible for safeguarding your account credentials and wallet code. Treat your wallet code like a payment identifier — anyone who knows it may attempt transfers to your account.

11. Your privacy rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to or withdraw consent for certain processing.

• Access and portability: request a copy of personal data we hold about you;
• Correction: update inaccurate account information via your account page or by contacting us;
• Deletion: delete your account from the account settings page or by emailing support — this initiates removal of associated personal data subject to legal retention;
• Restriction and objection: where applicable under GDPR/UK GDPR;
• Complaint: lodge a complaint with your local supervisory authority.

To exercise rights, contact privacy@oooi.ai. We may verify your identity before responding. We aim to respond within 30 days (or the period required by applicable law).

California residents (CCPA/CPRA): we do not sell personal information. You may have rights to know, delete, and correct personal information. Authorized agent requests must include proof of authorization.

12. Children's privacy

The Service is not directed to children under 13 years of age, and we do not knowingly collect personal data from children under 13. If you are between 13 and the age of majority in your jurisdiction, you may use the Service only with permission of a parent or legal guardian who agrees to these terms on your behalf.

Purchases, postpaid billing, and binding payment obligations require you to be at least the age of majority in your jurisdiction (typically 18) or to have verifiable parental consent where permitted by law. If we learn we have collected data from a child under 13 without consent, we will delete it promptly.

13. Automated decision-making

The Service uses automated systems to route requests (including Omega model selection), enforce rate limits, detect abuse, and determine credit affordability. These systems do not produce legal or similarly significant effects on you without human review where required by law. AI outputs are informational only and should not be relied upon as professional advice.

14. Third-party links

The Service may link to third-party websites or services. We are not responsible for their privacy practices. Review their policies before providing personal data.

15. Changes to this Policy

We may update this Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. Continued use after changes constitutes acceptance where permitted by law. For significant changes, we may provide additional notice (e.g., email or in-product banner).

16. Contact us

Privacy inquiries: privacy@oooi.ai
General contact: hello@oooi.ai
Support: support@oooi.ai
Web: oooi.ai/contact