OhRight!
← Back to login
OhRight!

Privacy Policy

Effective Date: May 3, 2026 · Version 1.2

OhRight, LLC (“OhRight”, “we”, “us”, or “our”) operates the OhRight! web application. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

By creating an account or using the Service, you consent to the practices described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

  • Account information: Email address, password (stored as a cryptographic hash by Supabase — we never store or access your plaintext password), and display name/nickname.
  • Obligation data: Task titles, descriptions, due dates, categories, priority levels, and recurrence rules you create.
  • Calendar data: iCal URLs you provide and the calendar event data imported from those sources (event titles, dates, times, locations).
  • Natural language input: Text and voice input you submit for AI-powered obligation parsing.
  • Payment information: If you subscribe to the Pro tier, payment details are collected and processed directly by Stripe, Inc. We do not store your credit card number or full payment details on our servers.

1.2 Information Collected Automatically

  • Usage data: Actions you take in the Service (task creation, AI parses, calendar syncs, filter use) are logged for tier enforcement and analytics purposes. These logs include the action type, timestamp, and your user ID.
  • Device and browser information: We may collect your IP address, browser type, operating system, and device type through standard server logs and our hosting provider (Vercel).
  • Cookies: The Service uses essential cookies for authentication session management. We do not use advertising or third-party tracking cookies.

1.3 Information from Third Parties

  • Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture URL from Google. We do not access your Google contacts, files, or other Google account data beyond authentication.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Create and manage your account, store and display your obligations and calendar events, process AI-powered input parsing, and enforce subscription tier limits.
  • Process payments: Manage Pro subscriptions via Stripe.
  • Communicate with you: Send transactional emails (account verification, password resets) and, in the future, deadline reminders and notifications.
  • Improve the Service: Analyze usage patterns to identify bugs, improve features, and optimize performance.
  • Ensure security: Detect and prevent fraud, abuse, and unauthorized access.
  • Comply with legal obligations: Respond to legal requests and enforce our Terms of Service.

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

  • Service providers: We share data with third-party providers who help us operate the Service:
    • Supabase: Hosts our database and authentication system. Your account data and obligations are stored on Supabase infrastructure.
    • Vercel: Hosts our application. Server logs may contain IP addresses and request data.
    • Anthropic: Processes natural language input via the Claude API. Per Anthropic’s data policy, API inputs are not used to train their models and are retained only for abuse monitoring purposes for up to 30 days.
    • Stripe: Processes payments for Pro subscriptions. Stripe’s handling of your payment data is governed by Stripe’s Privacy Policy.
    • Google: Provides OAuth authentication services. Google’s handling of your data is governed by Google’s Privacy Policy.
  • Legal requirements: We may disclose your information if required by law, subpoena, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice before your information becomes subject to a different privacy policy.

4. Data Retention

  • Account data: Retained for as long as your account is active.
  • Usage logs: Retained for 24 months from the date they are produced. After account deletion, usage_logs entries tied to your account are anonymized — your user_id is removed (set NULL). Aggregate analytics may continue to use the anonymized records during the 24-month window. (A scheduled purge job is planned for a future release.)
  • Consent records: Retained for the life of your account plus 24 months after deletion, as required for legal compliance.
  • Inactive accounts: Accounts with no login activity for 12 or more months may be deleted after 30 days’ notice to your registered email address.

4.1 Account deletion and data we retain afterward

When you delete your account from Account Settings → Danger Zone → Delete Account, OhRight! immediately and permanently deletes your tasks, calendars, categories, recurrence rules, notification preferences, and your authentication record. This is a hard delete, not a 30-day grace period.

We retain a minimal record of your former email in a “former_users” table so we can recognize you if you sign up again, determine eligibility for promotional offers, and (in the future) send marketing emails you have opted into. The internal row_inserted_at field tracks when this row was first created. We retain this record on a legitimate-interest basis (GDPR Article 6(1)(f)) until you request its erasure or we no longer have a legitimate purpose for retaining it.

In the rare event that the deletion partially fails (your authentication row is removed but your application data is not), our administrator is alerted automatically and remediates the partial state within seven (7) days using a documented runbook.

4.2 Erasure of post-deletion records (GDPR Article 17 / CCPA right to delete)

You may request that we erase the post-deletion record we keep (the “former_users” row, including your email and unsubscribe token). Submit your request via the /contact-privacy form. We will respond within 30 days at the email you provide. We do not rely on a public support@ohright.ai inbox for this purpose; the form creates a durable record for our compliance log.

4.5 Marketing communications and country defaults

We use Vercel’s x-vercel-ip-country header (an IP-derived country estimate) to determine the default marketing-email setting at signup. Users in the United States are opted in by default, consistent with the opt-out model under the U.S. CAN-SPAM Act (15 U.S.C. § 7701 et seq.). Users outside the United States are opted out by default; we will not send you marketing email unless you affirmatively opt in. This aligns with the stricter consent regimes in other jurisdictions — including Canada (CASL), the EU and UK (GDPR & ePrivacy) — which require express consent before sending commercial electronic messages. You can change this preference at any time. Every marketing email contains an unsubscribe link; if you lose the link, request a new one at /u/resend.

5. Data Security

We implement industry-standard security measures to protect your information, including:

  • Encryption in transit (TLS/HTTPS) for all data transmitted between your browser and our servers
  • Encryption at rest for database storage (provided by Supabase)
  • Row Level Security (RLS) policies ensuring users can only access their own data
  • Password hashing using bcrypt (handled by Supabase Auth)
  • Server-side API keys and secrets are never exposed to client browsers

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6. Your Rights and Choices

6.1 All Users

  • Access: You can view your obligations, calendar data, and account information at any time through the Service.
  • Correction: You can update your nickname and password through Account Settings.
  • Deletion: You can permanently delete your account and all associated data from Account Settings → Danger Zone → Delete Account. The deletion is immediate; there is no 30-day grace period. To erase the post-deletion record we keep (your former_users row), submit a request via /contact-privacy.
  • Data export: You can request a copy of your data in a machine-readable format via /contact-privacy.

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to opt out of sale: We do not sell personal information. We also honor Global Privacy Control (GPC) signals.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

Do Not Sell or Share My Personal Information: OhRight! does not sell or share personal information for cross-context behavioral advertising.

To exercise these rights, submit a request via /contact-privacy. We will verify your identity before processing your request and respond within 45 days.

6.3 European Economic Area Residents (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

  • Legal basis: We process your data based on: contract performance (to provide the Service), legitimate interest (analytics, security), and consent (where applicable).
  • Right to access: Request a copy of your personal data.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure (GDPR Article 17): Request deletion of your data (“right to be forgotten”). Use the /contact-privacy form for post-deletion record erasure requests.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
  • Right to lodge a complaint: You have the right to file a complaint with your local data protection authority.

International transfers: Your data is stored and processed in the United States. By using the Service, you consent to the transfer of your data to the US. We rely on standard contractual clauses and service provider agreements to safeguard international data transfers.

7. Children’s Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at info@ohright.ai, and we will promptly delete such information. Users between 13 and 18 may use the Service only with parental or guardian consent.

8. Cookies and Tracking Technologies

We use only essential cookies required for authentication and session management. We do not use:

  • Advertising or marketing cookies
  • Third-party tracking pixels
  • Cross-site tracking technologies

Our hosting provider (Vercel) may collect standard server analytics (page views, response times) in aggregate form that does not identify individual users.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by prominent notice within the Service at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the changes.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

OhRight, LLC
Email: info@ohright.ai

See also our Terms of Service.