OFA × Digital × CivSign in

Privacy Policy

Last updated: June 23, 2026

This Privacy Policy explains what information Optimal Flow Agency LLC ("OFA," "we," "us") collects through OFA × Digital × Civ (the "Service"), how we use it, and who we share it with. We've tried to write this in plain language and describe what this app actually does, rather than generic terms that don't match it.

What we collect

  • Account information: your email address and password. Passwords are hashed by our authentication provider (Supabase) — we never see or store your password in plain text.
  • Task content: whatever you type into a task's title or description, and the results our agents produce from it. Don't enter anything in a task you wouldn't want processed by an AI model (see "AI processing" below) — task content isn't reviewed by a human, but it is sent to third-party AI providers to generate your results.
  • Billing information: if you upgrade to Pro, payment is handled entirely by Stripe. We never receive or store your card number — only a Stripe customer/ subscription reference and your subscription status.
  • Usage and technical data: task counts, timestamps, and an activity log of what your agents did (visible to you on the Events page), plus your IP address, used only to enforce a per-IP rate limit against abuse.
  • Cookies: a single session cookie set by our authentication provider to keep you signed in. We don't use advertising or analytics cookies, and nothing on this site tracks you across other websites.

AI processing — what actually happens to your task content

When you create a task, its title and description are sent to Google's Gemini API to generate a response. If our research agent decides a task needs current information, it may also send a search query to a search service or fetch a document from a URL you provide — both run on our own infrastructure, but a search query or a URL you give it necessarily leaves our systems to do its job. We also keep a semantic index of your past task summaries (via Qdrant) so agents can recall relevant past work, and a trace of each AI call (via Langfuse) for debugging and quality purposes. None of this content is used to train any third party's AI models, as far as we are able to control or confirm from each provider's own terms — we encourage you to review Google's own data-handling terms for their API if that matters to you.

AI-generated content can be wrong, incomplete, or misleading. Use your own judgment before relying on it, especially for anything important.

Who we share data with

We don't sell your data. We use the following service providers to operate the Service, each of which processes only what it needs to do its job:

  • Supabase — authentication and database hosting.
  • Google (Gemini API, Google Cloud) — AI processing of task content; hosts our search and document-parsing infrastructure.
  • Stripe — payment processing for Pro subscriptions.
  • Vercel — application hosting.
  • Qdrant — semantic memory storage (vector embeddings of your task summaries).
  • Langfuse — observability/tracing for our AI calls.
  • Upstash — rate-limit enforcement (IP address only, short-lived).
  • Resend — delivers the one-time email confirming your signup.

We may also disclose information if required by law, or to protect the rights, safety, or property of OFA or our users.

Data retention and deletion

We keep your account and task data for as long as your account is active. We don't yet have a self-service "delete my account" button — to request deletion of your account and associated data, email us at deallomcconnell@gmail.com and we'll process it manually. Some records (like billing history) may be retained longer where we're legally required to keep them.

Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, or to object to certain processing. To exercise any of these, email deallomcconnell@gmail.com. We'll respond as soon as we reasonably can.

Security

We use industry-standard practices to protect your data, including encryption in transit, rate limiting, and access controls scoped so you can only ever see your own data. No system is perfectly secure, and we can't guarantee absolute security — if we ever discover a breach affecting your data, we'll notify you.

Children's privacy

The Service isn't directed at children under 13, and we don't knowingly collect personal information from them. If you believe a child has provided us information, contact us and we'll delete it.

Changes to this policy

If we make material changes to this policy, we'll update the date at the top of this page. Continued use of the Service after a change means you accept the updated policy.

Contact

Optimal Flow Agency LLC — deallomcconnell@gmail.com