At OVirtual, privacy isn't a checkbox — it's a core engineering principle. This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it.
1. Data We Collect
We collect only what's necessary to operate, secure, and improve the Service:
- Account data: email address, name, hashed password, profile photo (optional).
- Billing data: billing address and last 4 digits of your payment method (full card data is handled by Square — we never see or store it).
- Project data: the websites, apps, code, prompts, and assets you create.
- Usage data: pages viewed, features used, error logs, IP address, browser type. Used for security and performance.
- BYOK credentials: if you provide AI provider API keys, they are encrypted at rest with AES-256-GCM and only decrypted in-memory at request time.
- Form submissions on your sites: data submitted to forms you build is stored in your project's database and shown only to you.
2. How We Use Your Data
- To provide and maintain the Service (account, billing, support).
- To process AI generation requests via the providers you choose.
- To detect and prevent fraud, abuse, and security incidents.
- To send transactional emails (receipts, password resets, security alerts) and — only if you opt in — product updates.
- To comply with legal obligations.
We never sell your personal data. We never use your project content to train AI models.
3. Legal Bases (EU/UK Users)
Under GDPR, we process your data on these legal bases: contract performance (to deliver the Service you signed up for), legitimate interests (security, fraud prevention, product improvement), legal obligation (tax, compliance), and consent (for marketing emails and non-essential cookies — you can withdraw consent any time).
4. Data Sharing & Sub-Processors
We share data only with vetted sub-processors required to deliver the Service:
- Square — payment processing
- AWS & Cloudflare — hosting and CDN
- Resend / SMTP relays — transactional email delivery
- AI providers (Anthropic, OpenAI, DeepSeek, Kimi, Google) — process your prompts when you select them
- Sentry — error monitoring (anonymized)
A complete and up-to-date list, with each sub-processor's data location and DPA link, is available on request from privacy@ovirtual.com.
5. Data Retention
- Account data: retained while your account is active and for 30 days after deletion (then permanently erased, except where law requires longer retention).
- Billing records: retained for 7 years to meet tax/audit obligations.
- Project content: under your control — delete or export at any time.
- Server logs: 90 days, then deleted.
6. Your Rights
Wherever you live, you can:
- Access a copy of the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent for marketing communications
To exercise any right, email privacy@ovirtual.com. We respond within 30 days (often within 72 hours). See our GDPR page for more on EU/UK-specific rights.
7. International Transfers
OVirtual is headquartered in the United States. When we transfer personal data from the EU/UK/Switzerland to the US or other regions, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical safeguards (encryption in transit and at rest).
8. Security
Security and privacy are inseparable. Highlights: AES-256-GCM encryption for secrets, TLS 1.3 for all traffic, 2FA for all accounts, rate limiting, audit logs, and regular third-party penetration testing. See our Security page for the full overview.
9. Children
OVirtual is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please email privacy@ovirtual.com and we will delete it.
10. Changes to This Policy
We'll notify you of material changes by email and via an in-app banner at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
11. Contact
Privacy questions or requests: privacy@ovirtual.com. Our EU representative can be reached at eu-rep@ovirtual.com.