Privacy Policy
Last updated: TODO — set when drafted text is pasted in.
1. Introduction
TODO: paste drafted introduction here. Should identify OwnMoat as the data controller, name the operating entity, and state the effective date.
2. Data we collect
TODO: enumerate every category of data OwnMoat collects. Must explicitly list each Google API Services scope requested (e.g. Google Search Console — read-only, Google Analytics 4 — read-only) with a one-line purpose for each. Google reviewers cross-check this list against the OAuth consent screen scopes.
3. How we use it
TODO: paste drafted "how we use" section. Should map each data category from Section 2 to specific user-facing features that require it.
4. Google API Services — Limited Use
OwnMoat's use of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements. Specifically:
- We use Google user data only to provide or improve user-facing features that are prominent in OwnMoat's user experience.
- We do not transfer Google user data to third parties except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with appropriate user notice.
- We do not use or transfer Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
- We do not allow humans to read Google user data unless we have obtained the user's affirmative agreement, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data is aggregated and used for internal operations in a way consistent with the Limited Use requirements.
- We do not use Google user data to develop, improve, or train generalized AI models.
5. Data retention
TODO: paste drafted retention text. For each data category from Section 2, state how long OwnMoat retains it and the deletion trigger (customer offboarding, retention window, request).
6. Third-party subprocessors
TODO: paste drafted subprocessor list. At minimum: Cloudflare (edge + Pages), Railway (application hosting), Anthropic (LLM inference), OpenAI (LLM inference), Supabase (auth), Google (LLM inference via Gemini if used). One-line purpose per entry.
7. Your rights
TODO: paste drafted rights section — access, correction, deletion, portability, withdrawal of consent, right to complain to a supervisory authority. Include the process by which a user exercises each right.
8. Security
TODO: paste drafted security section — encryption in transit and at rest, access control, incident response, breach notification timeline.
9. Contact
Privacy questions or requests: hello@ownmoat.com.