Privacy Policy

1. Who we are

OneOver operates the website at oneover.com and the related product surfaces at admin.oneover.com and labs.oneover.com. For privacy matters you can reach us at privacy@oneover.com or through our contact page.

2. Information we collect

We collect and process the following categories of information when you use OneOver:

• Account data: email address (for authentication and receipts), display name/username where provided, and profile or preference settings stored in our database.
• Product content: chat threads and messages, uploaded or generated images and videos, prompts, attachment metadata needed to run requests, projects, referrals, and related app state you create in your workspace.
• Payments: subscription tier, Stripe customer identifiers, and transaction metadata. Card numbers are processed by Stripe — we do not store full payment card numbers.
• Technical and security data: IP address, approximate device / browser information, hashed identifiers used for anonymous guest quotas, signup attempt logs tied to IP and email for fraud prevention (see retention below), CAPTCHA/session signals where applicable, and operational telemetry needed to operate and secure the service.
• Credits and billing history: balances, allowances, ledger entries, purchases, subscription events — stored to power the credit economy and invoicing summaries.

3. How we use your information

We process data as needed to:

• Provide chat, creation, Explore, Projects, subscriptions, referrals, credits, and support features
• Route requests securely to upstream AI/model providers using our own credentials (see section 4)
• Operate cloud storage for your assets (e.g., object storage/CDN-backed URLs referenced in our database)
• Detect fraud, automate abuse defenses, investigate security incidents, and enforce our terms
• Improve reliability, prioritize bugs, analyze aggregate usage metrics, and run internal analytics dashboards (analytics cookies are only used when allowed — see section 7)
• Communicate transactional emails (verification, receipts, alerts) where appropriate
• Meet legal obligations, respond to valid legal requests, or protect rights and safety

4. AI model providers

When you run a prompt or creation job, relevant content is sent from our servers to third-party AI providers so they can fulfill the request. Your OneOver user id, billing email address, or home IP address are not forwarded to providers as part of those model API calls — we mediate requests with platform credentials. Providers still receive the inputs required to run the models (typically prompts and parameters/images you supply).

Each provider maintains its own terms, retention, abuse policies, and (where applicable) data usage for model improvement. Refer to OpenAI, Anthropic, Flux/Black Forest Labs, Ideogram, Grok/X.AI, ByteDance/Seedance, Google, Meta, Alibaba (Wan), and other processors listed in-product as your model selection changes.

• We aggregate operational logs focused on troubleshooting (status codes, model ids, durations) — not your full chat transcripts in provider logs unless required for diagnostics.
• Guest preview chat is intentionally stateless: we persist daily limits via a hashed fingerprint, not a full signup profile.
• We do not use your content to train our own models, and we do not share your content with AI providers for the purpose of training their models beyond what is necessary to run your request.

5. Data sharing & subprocessors

We share data only with vendors that help us operate the service, under contractual confidentiality and security obligations. We do not sell personal information for money. Under CPRA we treat analytics cookies as “sharing” for cross-context behavioral purposes, and you can opt out at any time via the Privacy Preferences dialog or your browser’s Global Privacy Control signal (see section 8).

• Supabase: Database, auth, and edge functions hosting (AWS-backed)
• Amazon Web Services (S3, CloudFront): Object storage and CDN delivery for assets
• Cloudflare (Turnstile, CDN): Bot mitigation on auth flows; edge caching
• Stripe: Payments, subscription billing, and tax handling
• Google (Analytics 4): Aggregate product analytics — only when not opted out
• Resend / transactional email vendor: Transactional email delivery (verification, receipts)
• OpenAI: GPT chat + vision + image generation when you select those models
• Anthropic: Claude chat models
• Google AI: Gemini family models
• xAI: Grok chat + Grok Imagine video
• Black Forest Labs (Flux): Diffusion image generation
• Ideogram: Diffusion image generation
• ByteDance / Seedance, Alibaba (Wan), Meta: Video / multimodal generation when selected

6. Security

OneOver chats and assets are not end-to-end encrypted — our database and downstream storage rely on HTTPS in transit plus the encryption and isolation controls of our infrastructure providers (e.g., Supabase-managed Postgres, AWS S3-compatible object storage accessed from secure edge workloads). Paid traffic is routed through Stripe. We continuously harden APIs with row-level authorization for user-owned tables and lock down privileged admin routes/tools.

• Authenticated clients only access conversations and assets belonging to their account via database policies unless an admin investigates abuse.
• Sessions use modern Supabase auth flows with PKCE for OAuth-compatible sign-in methods.
• Public asset URLs rely on hard-to-guess object keys combined with CDN delivery; evaluate whether sensitive media should leave the workspace at all before publishing to Explore.

7. Cookies, local storage & similar technologies

We use a small set of cookies and browser storage keys. The tables below list every cookie or storage value we ourselves set, grouped by purpose. Subprocessors (Stripe, Cloudflare Turnstile) may set their own session cookies on their interactive surfaces; those are governed by their respective privacy policies.

Strictly necessary

Required for the service to work. Cannot be switched off because the site cannot function without them.

Analytics (opt-out)

Loaded only when your privacy preferences allow it. If your browser sends Global Privacy Control we treat that as an opt-out automatically.

Anti-fraud signals

Disclosed for transparency. Used strictly to prevent automated abuse of signup and authentication; not used for advertising or sold to anyone.

8. Your US state privacy rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Maine, Nebraska, Maryland, Minnesota, Rhode Island, or any other US state with an enacted comprehensive privacy law, you have one or more of the following rights, subject to local exceptions and verification requirements:

• Right to know / access: request confirmation of whether we process your personal information and a copy of it.
• Right to delete: request deletion of personal information we have collected from you.
• Right to correct: request correction of inaccurate personal information.
• Right to portability: request a structured, machine-readable copy of your data (we ship JSON exports in-product).
• Right to opt out of sale or sharing for cross-context behavioral advertising: exercise via the Privacy Preferences dialog (footer link “Do Not Sell or Share My Personal Information”) or by sending Global Privacy Control from your browser — we honor both. We do not sell personal information for money.
• Right to limit use of sensitive PI: we do not collect Social Security numbers, biometric data, precise geolocation, union membership, religious beliefs, or genetic data, so there is nothing additional to limit.
• Non-discrimination: we will not deny you service, charge different prices, or provide a different level of quality because you exercised a privacy right.
• Authorized agent submissions: you may designate an agent to submit requests on your behalf; we will verify both the agent’s authority and your identity.
• Appeal (VA, CO, CT, and several others): if we decline a request you may appeal by replying to our response email; we will respond within the timeframe required by your state.

Categories of information collected and disclosed

In the prior 12 months we collected and disclosed the following CCPA categories:

How to submit a request

• In-product: Account settings → Privacy & data for portable export, granular deletes, and full account deletion.
• Cookies / analytics opt-out: Manage privacy preferences.
• Email: privacy@oneover.com for access, correction, deletion, or opt-out requests we cannot satisfy in-product.
• Web form: our contact page.

9. Platform & admin access to your workspace

Support engineers or security operators with administrative privileges may inspect limited account and content context when investigating bugs, verifying billing anomalies, enforcing policies, appealing model refusals, or addressing abuse — including reading chat snippets or prompts associated with flagged actions. That access is minimized, audited at the tooling layer, and not used for marketing profiling.

Automated systems (bot defenses, quotas, scanners) analyze metadata signals and hashed fingerprints to keep the platform resilient. For abuse measurement we may derive a pseudonymous browser identifier in your browser (open-source fingerprinting libraries) and store that identifier with your account in our database for up to 90 days after last activity — it is not sold, not shared with a third-party fingerprinting service from this measurement path, and is used only for security review and rate analysis.

10. Data retention

• Active accounts: product data persists until you delete it or delete your entire account.
• Signup attempt logging: IP + email tuples used for signup throttling rotate out via automated deletes after roughly 30 days (implemented through our cleanup_signup_ip_log maintenance procedure).
• Browser visitor-id sightings: pseudonymous fingerprints tied to your account for overlap analysis are deleted after about 90 days without a new sighting (see cleanup_stale_device_fingerprints), and may appear on signup/IP logs when you attempt registration.
• Backups: even after deletion, residues may linger in encrypted database backups for our provider’s advertised backup window until those snapshots naturally expire — this is standard for SaaS infra and not a hidden “undelete vault” surfaced in the UI.
• Legal/finance retention: invoices, Stripe references, dispute evidence, regulator requests, tax/audit statutes, security logs — we keep only what regulators or payment partners require and delete or anonymize when obligations end.

11. Other rights & controls (non-US visitors)

If you visit OneOver from outside the United States you may still have legal rights regarding your personal information under your local law (e.g. UK GDPR or EU GDPR). Subject to local exceptions and verification, those rights typically include access, rectification, erasure, restriction of processing, portability, objection, withdrawing previously-granted consent, and the right to lodge a complaint with your supervisory authority. To exercise any of these, contact us at privacy@oneover.com. We are working on a dedicated EU/UK consent surface; until then visitors from those regions can prevent analytics by opting out via the Privacy Preferences dialog or sending Global Privacy Control from their browser.

International transfers: our infrastructure providers (Supabase, AWS, Cloudflare, Stripe) are headquartered in the United States. Where applicable we rely on Standard Contractual Clauses and equivalent safeguards published by those vendors.

12. Automated decision-making

We automate safety review, bot scoring, quotas, dormant-account pruning, disposable-domain checks, OAuth activation gates, referrals, referrals visibility rules, Stripe renewals/refunds scripting, CDN cache eviction, hashed guest counters, anomaly detection on admin dashboards, and health regression scans. None of these produce exclusively automated legal/account decisions without escalation — human operators can audit high-impact actions.

13. Children’s data

OneOver is not directed to children under 13 and we do not knowingly collect personal information from anyone in that age group. Where required by state law (e.g. CT, CO, parts of CA), additional protections apply to users between 13 and 18 — we do not process such users’ data for targeted advertising, sale, or profiling that produces legal effects. If you believe a child has provided us personal information, contact privacy@oneover.com and we will delete the account and associated data.

14. Updates

We may revise this Privacy Policy alongside product changes or regulatory guidance. Material amendments (new categories of data, new third-party recipients, new purposes) will be announced through the Service (banner, changelog, newsletter, or mandatory email) and the “Last updated” date at the top of this page will change. Minor clarifications that do not change the substance of our practices may be made without notice; we still bump the date.

15. Contact

Questions about privacy, security, portability, objection rights, DPIAs, SCCs/subprocessors lists, voluntary codes, or escalation paths? Email us at privacy@oneover.com or use our contact channels. We acknowledge privacy communications within statutory windows where applicable.