← Back to Home

Privacy Policy

How we protect your confidential code and intellectual property

Effective Date: March 22, 2026

Our Core Privacy Principle

Your code is your intellectual property. We provide multiple ways to scan your code, and we design every option to minimize exposure of your source code.

  • Local scanner & AI skills: Run entirely on your machine. No code ever leaves your device. This is the most private option.
  • Hosted GitHub scanner: Accesses your GitHub repository to perform the scan. Your code is processed during the scan but is not stored on our servers after analysis is complete. Only metadata (invention titles, scores, concept counts) is retained.

Regardless of which method you choose, we never use your source code to train AI models, and we never share your code with third parties.

What We Collect

Account Information

  • Email address (used for magic link authentication via Stytch)
  • Authentication session tokens
  • Account creation and last login timestamps

Scanner Results Metadata

  • Invention titles and novelty scores generated by your scan
  • Concept counts and category classifications
  • Scan timestamps and configuration preferences
  • We do not collect or store your source code, file contents, or repository structure

PPA Generation Metadata

  • PPA titles, generation timestamps, and status
  • Inputs you explicitly provide for PPA drafting (descriptions, claims, prior art references)
  • Generated PPA documents (stored in your account)

Analytics & Website Usage

  • Anonymous usage statistics via Google Analytics
  • Page views, session duration, and general location (country/city)
  • Browser type and device information
  • No personally identifiable information is collected via analytics

What We DON'T Collect

  • Your source code after scanning (processed during hosted scans, never stored)
  • File contents from your repositories beyond what is needed for analysis
  • Proprietary algorithms or trade secrets in any persistent storage
  • Passwords (we use passwordless magic link authentication)
  • Any data you don't explicitly submit

How Our Scanning Options Work

Local Scanner & AI Skills (Most Private)

  1. Downloads and runs entirely on your machine
  2. Analyzes code locally using AI models
  3. Generates invention discovery results without sending code to our servers
  4. Only uploads metadata (titles, scores, concept counts) you explicitly choose to save

Hosted GitHub Scanner

  1. Connects to your GitHub repository via authenticated API access
  2. Retrieves and analyzes your code on our servers during the scan
  3. Source code is processed in memory and is not written to persistent storage
  4. Only structured metadata (invention titles, novelty scores, concept summaries) is retained
  5. You can delete all scan results and metadata from your account at any time

We provide both options because privacy needs vary. Teams handling pre-disclosure inventions or trade secrets may prefer the local scanner. Teams wanting convenience can use the hosted scanner knowing their code is processed but not stored.

AI Processing & Model Training

We believe your data belongs to you, not to our models.

  • No model training on your data. Your code, scan results, and PPA content are never used to train, fine-tune, or improve any AI model.
  • Local scanner processing. The scanner runs AI analysis entirely on your device. Your source code is never sent to any server.
  • PPA generation. When you generate a PPA, the inputs you provide are processed server-side by third-party AI services to produce your draft. These inputs are not retained by us or by the AI providers for training purposes.
  • Your outputs belong to you. All generated PPAs, reports, and analysis results are your property.

Data Storage & Security

  • Data stored on encrypted AWS servers in the United States
  • HTTPS encryption for all data transmission
  • Passwordless authentication via Stytch (no password databases to breach)
  • HTTP-only cookies for session management (not accessible to JavaScript)
  • Regular security audits and updates
  • Minimal data collection by design

Data Retention

  • Account data. Retained while your account is active and for 30 days after deletion to allow recovery.
  • Scan metadata. Retained while your account is active. Deleted when you delete your account or remove individual scans.
  • PPA documents. Retained while your account is active. You may export or delete them at any time.
  • Analytics data. Aggregated and anonymized. Retained per Google Analytics standard retention (14 months).
  • Account deletion. When you delete your account, all personal data, scan metadata, and PPA documents are permanently removed within 30 days. Anonymized, aggregated analytics are not affected.

Your Rights

Regardless of where you are located, you have the right to:

  • Access your personal data and request a copy
  • Correct inaccurate or incomplete data
  • Delete your account and all associated data
  • Export your PPA drafts and scan results
  • Object to processing of your personal data
  • Restrict how we process your data
  • Withdraw consent at any time where processing is based on consent
  • Opt out of marketing communications

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

International Data Transfers (GDPR)

ObviouslyNot is based in Alaska, United States, and our data is stored on AWS servers in the US. If you access our services from the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States.

We protect international transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all third-party service providers
  • Technical safeguards including encryption in transit and at rest

Legal Basis for Processing (EU Users)

  • Contract performance. Processing necessary to provide the services you signed up for (account management, scan storage, PPA generation).
  • Legitimate interest. Processing for security, fraud prevention, and service improvement, balanced against your privacy rights.
  • Consent. Marketing communications and optional analytics, which you may withdraw at any time.

Additional EU Rights

  • Right to data portability (receive your data in a structured, machine-readable format)
  • Right to lodge a complaint with your local supervisory authority
  • Right to object to processing based on legitimate interest

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know. You may request the categories and specific pieces of personal information we have collected about you.
  • Right to delete. You may request deletion of your personal information, subject to certain exceptions.
  • Right to opt out of sale. We do not sell your personal information to third parties. We never have and never will.
  • Right to non-discrimination. We will not discriminate against you for exercising your privacy rights.
  • Right to correct. You may request correction of inaccurate personal information.
  • Right to limit use of sensitive personal information. We collect minimal sensitive information and use it only to provide our services.

To exercise these rights, contact [email protected]. We will verify your identity before processing your request and respond within 45 days.

Cookies & Tracking

We use cookies for:

  • Essential Cookies - Required for site functionality (authentication sessions via Stytch)
  • Analytics Cookies - Google Analytics to understand site usage (can be disabled)

Google Analytics uses cookies to collect anonymous data about site usage. This helps us improve our service. You can opt out by:

Third-Party Services

We use the following third-party services, sharing only the minimum data necessary:

  • Stytch - Passwordless authentication (email address for magic link delivery)
  • Stripe - Payment processing (PCI DSS compliant, we never store card numbers)
  • AWS - Secure cloud hosting and data storage
  • Google Analytics - Website analytics (anonymized usage data)
  • OpenRouter - AI model access for scanner and PPA generation (no user code transmitted)

Each service maintains its own privacy policy and security certifications. We require all providers to meet our data protection standards.

Data Breach Notification

In the unlikely event of a data breach affecting your personal information:

  • We will notify affected users within 72 hours of discovery
  • Notification will include: what data was affected, what we are doing to address it, and recommended steps you can take
  • We will notify relevant supervisory authorities as required by law
  • A public disclosure will be posted on our website for significant incidents

Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal information from children. If we discover that we have collected data from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

Government & Law Enforcement Requests

We take the following approach to legal requests for user data:

  • We require a valid legal process (subpoena, court order, or warrant) before disclosing any user data
  • We narrow the scope of any disclosure to the minimum required by law
  • We will notify affected users before disclosure unless legally prohibited from doing so
  • We do not provide law enforcement with backdoor access to our systems
  • We will challenge requests we believe are overly broad or legally deficient

Updates to This Policy

We will notify you of any material changes to this privacy policy via email and update the effective date above. Continued use of our services after changes constitutes acceptance of the updated policy. For significant changes, we will provide at least 30 days notice before the new policy takes effect.

Contact Us

Questions or concerns about privacy? Contact us at: