Privacy Policy

Last updated: March 28, 2026

1. Data Controller

Onvo is operated by an individual entrepreneur registered in Tbilisi, Georgia. For privacy inquiries, contact us at [email protected].

2. Information We Collect

Account information: Email address, name, and authentication data provided through our identity provider (Clerk).

API keys: LLM provider API keys you provide are encrypted at rest using AES-256-GCM and stored securely. Keys are only decrypted at container runtime.

Agent data: Configuration files, personality files (SOUL.md), memory files, and workspace content you create within your agent profiles.

Usage data: Message counts, container uptime, and feature usage, collected for service improvement and billing.

Technical data: IP address, browser type, and device information collected automatically for security and service operation.

3. How We Use Your Data

  • To provide and operate the Service (deploying and managing your agent containers).
  • To authenticate your identity and protect your account.
  • To process payments and manage subscriptions.
  • To send transactional emails (container status, security alerts).
  • To monitor service health and prevent abuse.
  • To improve the Service based on aggregate usage patterns.

4. Third-Party Services

We use the following third-party services to operate Onvo:

  • Clerk (authentication): Processes your login credentials and session data.
  • Supabase (database): Stores account and agent profile data in PostgreSQL.
  • Hetzner (hosting): Runs our servers and your agent containers in European data centers.
  • Cloudflare (CDN/DNS): Routes traffic and provides DDoS protection.
  • Lemon Squeezy (payments): Processes subscription payments.
  • Resend (email): Sends transactional emails on our behalf.

5. Data Retention

  • Account data is retained for the duration of your account.
  • Agent workspace data is retained while your profile exists and for 30 days after deletion.
  • Container logs are retained for 30 days, then automatically pruned.
  • Upon account deletion, all personal data is removed within 30 days.

6. Your Rights

You have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Delete your account and associated data.
  • Export your agent configurations and workspace files.
  • Object to processing of your data for marketing purposes.

To exercise these rights, email [email protected].

7. Cookies

We use essential cookies for authentication and session management. We do not use tracking cookies or third-party advertising cookies. Our authentication provider (Clerk) may set its own session cookies as necessary for login functionality.

8. Security

We implement industry-standard security measures including: encryption at rest (AES-256-GCM for API keys), encryption in transit (TLS), container isolation (each agent runs in a separate Docker container), and access controls (authentication required for all API endpoints).

9. International Transfers

Your data may be processed on servers located in Europe (Hetzner, Germany/Finland) and the United States (Supabase, Clerk, Cloudflare). We ensure appropriate safeguards are in place for any international data transfers.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or a notice on our website. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For privacy questions or data requests, contact us at [email protected].