How Ophie collects, uses, and protects your information. US users, 18 and over only.
Last Updated: April 20, 2026
Effective: Upon public launch of the Service
This Privacy Policy is a draft. It describes practices Ophie intends to adopt at public launch. It is not yet in effect because the Service is not yet launched. It has not undergone final legal review. Do not rely on it as a binding legal document until we publish a firm effective date.
The canonical source of truth is the PRIVACY.md file in our repository.
This Privacy Policy describes how Ophie collects, uses, discloses, retains, and protects personal information about users of the Ophie webapp and related services (collectively, the Service).
It applies to information we collect through the Service, in communications with us, and through our marketing, waitlist, and community pages. It does not apply to information collected by third parties through services that link to or from the Service.
We operate the Service only in the United States. If you are located outside the United States, please do not use the Service.
By using the Service, you acknowledge that you have read and understood this Policy.
We may update this Policy. Material changes will be communicated by email and/or in-product notice at least 30 days before taking effect. We will never retroactively apply a change that allows new training uses of past conversations without your specific, affirmative, opt-in consent. Prior versions are archived and available on request at team@ophie.app.
We collect the following categories. For each: what it includes; why we collect it; sources; retention; and whether it is sensitive under applicable state law.
Name; email; password (hashed by our identity provider, never visible to us); age range (must be 18+); optional display name, pronouns, bio (500-char max), avatar, time zone; state-level region code used for rights routing; account creation timestamp. Source: you. Retention: until account deletion (backups purged within 30 days). Sensitivity: standard.
Privacy mode (Memory or Ephemeral); communication-style preferences; onboarding goals; personal context; notification and email preferences; cookie-consent state; analytics opt-in state. Source: you. Retention: until changed or account deleted. Sensitivity: standard.
Real-time audio streamed during a voice session; the text transcript derived from your audio (via Deepgram); and session metadata (timestamps, duration, counts, LiveKit identifiers, IP address, user-agent, session preferences JSON).
Raw audio is transient. It is streamed, transcribed, and discarded. We do not retain raw audio recordings.
Retention: transcripts in Memory mode persist until you delete them or your account; Ephemeral mode retains no transcript after the session closes. Sensitivity: consumer health data (WA MHMDA, NV SB 370) and sensitive personal information under CA, VA, CO, CT, TX, OR, MT, DE, NH, NJ, TN, MN, MD, IN, KY, and RI privacy laws.
Text of your messages and the AI's responses; conversation identifiers; system-prompt context snapshots; role and timestamps. Source: your use. Retention: Memory mode until deleted; Ephemeral mode no persistence. Sensitivity: consumer health data / sensitive.
Outputs of our local speech-emotion-recognition model (six labels: sad, angry, disgust, fear, happy, neutral) used transiently as conversational context; optional sentiment and valence scores stored in your wellness timeline (only when you have not opted out and, where required, only when you have opted in); session "key moments". SER outputs are not persisted unless you enable sentiment analysis. Sensitivity: consumer health data / sensitive.
A flag indicating that our automated systems detected language suggestive of risk; the category; a confidence score; the ML classifier's reasoning string; the excerpt that triggered the flag; and the action taken. Retention: 24 months in a restricted safety-audit log. Sensitivity: consumer health data / sensitive. See Section 15 and our Safety Protocol.
Memory items, tags, categories; topic extractions; entities you mention; constellation groupings; proactive-continuity markers. Retention: until deleted (30-day soft-delete), then permanent deletion. Sensitivity: consumer health data / sensitive.
Total sessions; total minutes; last session date; streaks; counters; product-analytics events (only if opted in); dashboard interactions. Retention: counters persist until deletion; analytics events 12 months identified / 24 months aggregated. Sensitivity: standard when aggregated; heightened care otherwise.
IP address, user-agent, device/browser type, timestamps, operational logs, error traces, auth-token metadata. Retention: error/operational logs 90 days; security logs up to 24 months. Sensitivity: standard.
Plan; status; renewal dates; billing events; last-4 card digits and card brand; billing email; ZIP; Stripe transaction identifiers. We do not collect or store full card numbers. Retention: for the life of the subscription plus 7 years (tax/accounting).
Email, optional name, hCaptcha verification, source; marketing opt-in. Retention: until launch + 90 days, or until you unsubscribe.
Records of your acceptance of Terms/Policy (version hash, timestamp); voice-data consent; consumer-health-data consent (where applicable); auto-renewal acknowledgment; rights requests. Retention: up to 7 years.
SSN; government identifiers; precise geolocation; biometric identifiers intended to uniquely identify you (no voiceprints, face embeddings, fingerprints); full payment card numbers; data from HIPAA-covered sources; data from children under 18.
We collect from three sources:
We do not buy personal information from data brokers and do not enrich your profile with broker data.
Voice audio is processed transiently to produce a text transcript and is then discarded. Raw audio is not retained in our databases or backups.
Ophie runs a local open-weight SER model to infer coarse-grained emotional tone as short-lived conversational context. SER outputs are not speaker embeddings, not used to identify you, and not persisted unless you separately enable sentiment analysis.
Because we do not create, capture, collect, receive through trade, or otherwise obtain voiceprints or voice biometrics, we do not fall within the "biometric identifier" triggers of the Illinois Biometric Information Privacy Act (740 ILCS 14) or the Texas Capture or Use of Biometric Identifier statute (Tex. Bus. & Com. Code § 503.001). If we ever introduce a feature that would create a voiceprint, we will obtain affirmative opt-in consent and publish a compliant retention and destruction schedule.
Voice-derived transcripts and emotional inferences qualify as "consumer health data" under Washington and Nevada law. We obtain your affirmative opt-in consent before collecting such data beyond what is strictly necessary to provide the Service you requested. See Section 16 and our Consumer Health Data Privacy Notice.
We use personal information to:
We do not use Your Content to train our models or any third-party model. Our subprocessors are contractually prohibited from training their models on inputs we send them on your behalf. If we ever wish to use Your Content for training, we will obtain separate, specific, affirmative, opt-in consent.
We do not use personal information for cross-context behavioral advertising, targeted advertising, consequential profiling, or sale to data brokers.
Per-session override: you may mark a specific session as anonymous, or disable transcript/summary/memory storage for that session, regardless of your default mode.
Changes apply prospectively. To delete previously stored content, use the Memory or Journey screens.
We share personal information with the following service providers, each bound by a written data-processing agreement requiring them to process data only on our documented instructions, to maintain appropriate security, to notify us promptly of any breach, and (where the provider trains models) to refrain from training on data we send. Named disclosure is required by Washington MHMDA for recipients of consumer health data.
| Provider | Function | Data | Location |
|---|---|---|---|
| Supabase, Inc. | Postgres database, authentication, auth-flow email | Account; sessions; transcripts (Memory); memories; consents | US |
| LiveKit, Inc. | WebRTC voice transport and agent orchestration | Voice stream (transient); session control metadata; session IDs | US |
| Deepgram, Inc. | Speech-to-text transcription | Voice stream (transient, not retained for training) | US |
| Cartesia AI, Inc. | Text-to-speech voice synthesis (default) | Response text (transient, not retained for training) | US |
| ElevenLabs, Inc. | Text-to-speech voice synthesis (alternate, configurable) | Response text (transient, not retained for training) | US |
| Inworld AI, Inc. | Text-to-speech voice synthesis with emotion adapter (alternate, configurable) | Response text (transient, not retained for training) | US |
| Groq, Inc. | LLM and safety-classifier inference | Conversation context; safety-classifier inputs | US |
| OpenAI, L.L.C. | LLM and embedding inference (sentiment, summarization, memory triggers, supplementary safety) | Conversation snippets; transcript chunks; safety-classifier inputs | US |
| Voyage AI Innovations, Inc. (a MongoDB company) | Embedding and reranking models for semantic memory | Memory/transcript snippets | US |
| Pinecone Systems, Inc. | Vector database (retrieval-augmented memory) | Embedding vectors; minimal identifiers | US |
| Stripe, Inc. | Payment processing and subscription billing | Name; billing email; ZIP; last-4; transaction IDs | US |
| Netlify, Inc. | Frontend application hosting and CDN | Service traffic; operational logs | US |
| Render Services, Inc. | Backend API hosting | Service traffic; operational logs | US |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracing (PII scrubbed) | Stack traces; request metadata | US |
| PostHog, Inc. | Product analytics (opt-in only) | Hashed user identifier; feature events | US |
| Intuition Machines, Inc. (hCaptcha) | Bot and abuse prevention on signup and waitlist forms | IP address; anti-abuse signals | US |
| Doppler, Inc. | Secrets management (internal infrastructure only) | No user data | US |
| Resend, Inc. | Transactional email delivery (notifications, reminders, verifications) | Email address; message body | US |
| Tango Card, Inc. (Blackhawk Network) | Gift-card fulfillment for promotional rewards | Recipient name; email; reward amount | US |
A current version of this list is maintained at /privacy/subprocessors. We provide at least 30 days' advance notice before adding a subprocessor that handles consumer health data.
We do not transfer personal information outside the United States.
| Category | Retention |
|---|---|
| Account and identity | Until account deletion |
| Preferences and settings | Until account deletion |
| Transcripts (Memory mode) | Until user deletes or account deleted |
| Transcripts (Ephemeral mode) | Not persisted |
| Emotional snapshots (if enabled) | Until user deletes or account deleted |
| Memories / topics / constellations | Until deleted (30-day soft-delete), then permanent |
| Safety-audit log (crisis-detection events) | 24 months (longer only if legally required) |
| Product analytics events (opt-in) | 12 months identified / 24 months aggregated |
| Error / operational logs | 90 days |
| Security logs | 24 months |
| Billing and subscription | 7 years (tax/accounting) |
| Consent and rights-request records | Up to 7 years |
| Waitlist entries | Until launch + 90 days, or until unsubscribe |
| Backups | 30-day rolling purge after underlying record deletion |
We comply with the FTC Health Breach Notification Rule (16 C.F.R. Part 318, as amended in 2024) and every applicable state breach-notification statute (including N.Y. SHIELD Act, Cal. Civ. Code § 1798.82, and Mass. 201 C.M.R. 17.00).
We extend the following rights to every US user, regardless of state:
team@ophie.app. We verify by confirming access to your account email; some requests may require re-authentication.
Acknowledgment within 10 business days; substantive response within 45 calendar days. We may extend once by up to 45 days (90 where authorized). Washington consumer-health-data requests follow the 45 + 45 statutory timeline.
Residents of CA, CO, CT, DE, IN, IA, KY, MD, MN, MT, NE, NH, NJ, NV (consumer health data), OR, RI, TN, TX, UT, VA, and WA have additional rights under their state privacy laws. We honor those rights in accordance with each law's terms and timelines.
We honor the Global Privacy Control signal where state law requires (CA, CO, CT, TX, and additional states as of 2026). When we detect the `Sec-GPC: 1` request header, we treat it as a request to opt out of sale, sharing, and processing for targeted advertising. Because we do not engage in any of those, honoring GPC is a formality for us.
We do not sell personal information and do not share personal information for cross-context behavioral advertising. We have not done so in the past 12 months. We do not knowingly sell or share personal information of consumers under 16, and we do not knowingly collect personal information from individuals under 18.
Our use of sensitive personal information is already limited to providing, securing, and ensuring the integrity of the Service. You may submit a right-to-limit request to confirm; no change in processing is necessary to honor it.
We use AI to generate responses and to screen for safety risk. These uses do not produce legal or similarly significant effects on you. Where CPPA ADMT regulations apply, we will provide the notices, opt-out, and access rights required.
We do not train or fine-tune any generative AI model on user data. If that ever changes (with your opt-in consent), we will publish a plain-language summary at /privacy/training before any such training begins.
We do not disclose personal information to third parties for their own direct marketing purposes.
The Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.
Ophie runs an automated classifier on user messages to detect language suggestive of imminent or active risk. When detected, Ophie may display crisis resources, pause or redirect the session, and log the event to a restricted safety-audit log.
Ophie does not contact emergency services, family members, clinicians, or third parties on your behalf. Ophie reserves the right, in its sole discretion and without any duty to do so, to contact emergency services if it receives a specific, credible, and imminent threat to the life of an identifiable person.
See our separate Safety and Crisis Response Protocol (required by CA SB 243).
The full Consumer Health Data Privacy Notice is maintained separately at /consumer-health-data-notice.
We comply with CA Bus. & Prof. Code §§ 22601–22605: clear AI disclosure at start of every interaction; published crisis protocol; annual public report to the California Office of Suicide Prevention starting July 1, 2027.
We comply with Utah Code § 13-74 et seq.: disclosure on first access, after 7+ days, and whenever asked. Any advertisement/sponsorship will be clearly disclosed. No sale or sharing of individually identifiable health information of Utah users.
We disclose AI status at the start of each interaction and at least every three hours of continuing interaction, and maintain a crisis-referral protocol.
Ophie does not make, and does not substantially influence, "consequential decisions" under SB 24-205 (effective June 30, 2026). We monitor the statute as the Service evolves.
We do not knowingly collect personal information from children under 18. If we learn that we have, we will terminate the account and delete the data. Notify us at team@ophie.app.
We do not currently respond to Do Not Track (DNT) browser signals because there is no industry standard for them. We do honor the Global Privacy Control signal (see Section 13).
In a merger, acquisition, financing diligence, reorganization, bankruptcy, or asset sale, your information may be transferred subject to commitments consistent with this Policy. You will receive notice and, where applicable, a reasonable opportunity to delete your data before transfer.
We do not voluntarily provide government authorities with access to user personal information. We will respond to valid legal process consistent with our obligations and users' rights, and we will notify affected users unless legally prohibited. We will challenge overbroad or unlawful requests. We intend to publish aggregate transparency statistics annually.
For each processing activity that involves sensitive data, targeted advertising (none), sale (none), or profiling with significant effects (none), we conduct and maintain an internal data-protection assessment as required by applicable state law.
| Topic | Contact |
|---|---|
| Privacy | team@ophie.app |
| Consumer health data (WA, NV, CT) | health-team@ophie.app |
| Founders / general | founders@ophie.app |
| Mailing address | To be added upon Delaware incorporation. |
If any provision is held unenforceable, the remainder stays in force. Section headings are for convenience and do not affect interpretation. Examples are non-exhaustive.
This Policy does not create a contract between Ophie and any user. The contract governing your use of the Service is the Terms of Service. This Policy is a good-faith description of our practices, enforceable by the FTC and state attorneys general.