Privacy Policy
A plain-language view of what data opheli.ai may process, how that data is used, how BYOK Provider calls work, and where final legal review is still required.
Final legal review required before public launch. This page is professional draft policy content and must be reviewed by qualified counsel before public launch.
Data categories
Account, execution, security, support, and billing data
Depending on which features you use, opheli.ai may process account data, authentication and security data, 2FA settings and recovery metadata, Provider account metadata, encrypted Provider keys, Missions, Tasks, Runs, RunSteps, Operator messages, Artifacts, Context Vault content, uploads, Mission Replay events, Mission Physics signals, Blueprint data, Mission Copilot conversations and actions, Mission Orb state, support requests, billing metadata, cookie preferences, audit logs, security events, IP address, and user-agent data.
2FA codes, Provider API keys, and secrets should not be exposed in product UI or support records. Provider keys are stored encrypted when live Provider accounts are configured.
Purposes
Data is used to provide, secure, bill, and support the service
- Providing core app functionality, authentication, workspaces, Missions, Runs, Artifacts, Context, Blueprints, Replay, and Copilot features.
- Executing user-requested Runs and generating Artifacts.
- Securing accounts, preventing abuse, auditing high-impact actions, and investigating incidents.
- Providing support, investigating failures, improving reliability, and preventing repeated errors.
- Managing subscription state, billing metadata, plan limits, and customer portal access where billing is enabled.
- Meeting legal, tax, compliance, or operational obligations where applicable.
BYOK Providers
Selected prompts and Context may be sent to your connected Provider
When you launch a Run through BYOK, selected prompts, Operator instructions, attached Context, and execution inputs may be sent to the AI Provider you configured to perform the requested work.
Provider processing is subject to the Provider terms, privacy policy, data retention, regional processing, abuse controls, and billing relationship that apply to your Provider account.
Do not attach sensitive, regulated, confidential, or third-party material unless you are authorized and comfortable with it being processed by the selected Provider.
Training
Private customer content is not used for public model training without explicit opt-in
opheli.ai does not use private user Missions, Context, Runs, Artifacts, Copilot conversations, Mission Replay events, or Mission DNA for public/shared model training unless an explicit opt-in process is implemented.
Future fine-tuning, dataset capture, shared learning, or public Blueprint creation from private data requires explicit consent and a review flow.
Official Blueprints should not be created from private user data unless a future explicit consent and publication process exists.
Retention
Retention periods require final legal review
Account and product content may be retained while your account is active or as needed to provide the service. Support, security, audit, billing, and operational logs may be retained as needed for investigation, safety, legal, tax, and abuse-prevention purposes.
Private beta export and deletion handling is request-based. Account deletion may remove or anonymize Missions, Runs, Artifacts, Context, Provider settings, Copilot threads, and related data after review, but it is not an immediate automatic deletion workflow.
Specific retention periods, deletion workflows, export processes, and backup deletion timing must be finalized before public launch.
Subprocessors
External providers may support hosting, email, payments, and AI execution
Potential subprocessors or external services may include the hosting provider, database/cache infrastructure, email/SMTP provider, payment provider such as Stripe when billing is enabled, analytics provider only if implemented and consented, and AI Providers connected by users.
A final subprocessor list and DPA posture must be reviewed before public launch.
Rights
Access, correction, deletion, export, and contact processes need finalization
Users may open Privacy Requests from the account/settings area for access, correction, deletion, export, Provider key deletion guidance, privacy, or account questions. Exact statutory rights depend on applicable law, location, role, and customer type.
Provider keys can be removed from Provider Vault and should also be revoked directly in the Provider dashboard. Privacy request exports and admin summaries do not include Provider API keys or encrypted credentials.
Do not treat this Privacy Policy as a final GDPR, AI Act, or compliance certification. Final legal review is required.