Privacy Policy
Effective 1 July 2026
This policy explains how the Ohmatic hosted API and MCP service ("Ohmatic", "we") handles personal data under the EU General Data Protection Regulation (GDPR). The free local engine is a separate product and is not covered here.
1. Who we are (Data Controller)
Ohmatic — Vittoria Lanzo (sole proprietor), Via Montale 367, Cesena, Italy. Contact for any privacy or data-subject request: [email protected].
2. What we collect
- Account details — your email address, your name (if you give one), and, for password accounts, a securely hashed password. Collected when you sign up, to run your account, verify you, and send service emails.
- Login sessions — when you sign in we store a session in our EU database and set an essential session cookie in your browser. The session record includes your IP address and browser user-agent, to keep you signed in and to protect the account.
- Agent key identity — for keys used by agents, a one-way hash (SHA-256) of the key; anonymous keys have no account. We never store a plaintext key.
- Consent & terms record — the time you accepted the Terms and, only if you tick it, the fact and time of your marketing opt-in.
- Circuit payloads — the circuit JSON you submit to verify is processed in memory to run the rule checks and is not persisted after the response.
- Usage & billing metadata — counts of verifications, timestamps, amounts, your prepaid balance, and subscription status, to meter usage against your balance and bill you.
- Referral data — if you use a referral link, the link between the referring and referred account and the time you joined, to credit the referral reward.
- Technical data — IP addresses and request logs handled by our infrastructure providers for security and reliability.
3. Why, and the legal basis
- Provide the service (auth, verification, billing) — performance of a contract (Art. 6(1)(b)).
- Security & abuse prevention, service reliability — legitimate interests (Art. 6(1)(f)).
- Marketing email — your consent (Art. 6(1)(a)). Consent is opt-in: an unticked checkbox at sign-up that you choose to tick. We record the fact and time, never pre-tick it or infer it, and you can withdraw at any time.
- Legal/accounting obligations — compliance (Art. 6(1)(c)).
4. Processors and sub-processors
We use these providers to run the service; each processes only what its function needs:
- Cloudflare — website hosting, DNS, email routing, and the EU-region database (D1) that stores your account, login sessions, and email-verification tokens (via Better Auth).
- Unkey — API-key issuance and verification (key identity).
- Polar — payments and invoicing, as Merchant of Record (handles card data and EU VAT; we never see card details).
- Modal — compute that runs the verification API.
- Resend — sending transactional + (if opted-in) marketing email.
- GitHub / Google — optional "Sign in with" identity verification; if you use it, the provider confirms your identity and we receive only your verified email address.
- Google — our inbound contact mailbox (email forwarding).
Some providers are based in the United States; transfers rely on appropriate safeguards (e.g. EU Standard Contractual Clauses or an adequacy framework). We can provide details on request.
5. Retention
Circuit payloads: not retained beyond the request. Account email + usage/billing records: kept while your account is active and for the period required by tax/accounting law, then deleted. Technical logs: short rolling windows at our providers.
6. Your rights
Under the GDPR you may request access, rectification, erasure, restriction, portability, and object to processing; and you may withdraw marketing consent at any time. You can download your data and delete your account yourself from the dashboard (deleting also revokes your API key; billing records are retained only for the statutory tax/accounting period). For any other request, email [email protected]. You also have the right to lodge a complaint with your supervisory authority — in Italy, the Garante per la protezione dei dati personali (garanteprivacy.it).
7. Cookies & storage
When you sign in we set one essential cookie that holds your login session — it is required for the dashboard to work and is never used for advertising or tracking. The marketing site also uses your browser's local storage for a single functional preference (your Human/AI view choice), which is never sent to us. We do not use advertising or third-party tracking cookies, so there is no consent banner. Your API key is shown once when you create it and is not stored in your browser by us; agents send it only to our own API to authenticate requests, never to any third party.
8. Children
The service is intended for professional/developer use and is not directed to children. You must be at least 14 — the age of valid consent for information-society services in Italy — and able to agree to the Terms.
9. Changes
We may update this policy; material changes will be posted here with a new effective date.