Privacy Policy
Last Updated: March 3, 2026 | Effective Date: January 29, 2026
1. Introduction
Onairos ("we," "our," or "us") is committed to protecting your privacy and ensuring you have control over your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
Our Core Philosophy: We don't want your data—we help you use it. Your data never leaves your control. Onairos exists to put you in the driver's seat, providing infrastructure that lets you leverage your personal data on your terms, for your benefit. We never see it. We never store it. We never sell it.
This policy applies to all users of Onairos services, including residents of the European Economic Area (EEA), United Kingdom, and California. By using our services, you agree to the collection and use of information in accordance with this policy.
2. Data Controller Information
For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, the data controller is:
Onairos Inc.
131 Continental Drive, Suite 305
Newark, DE 19713, United States
Email: [email protected]
Data Protection Inquiries: [email protected]
3. Information We Collect
We practice strict data minimization and only collect information that is necessary for our services:
3.1 Information You Provide
- Account Information: Email address, username, and authentication credentials when you create an account.
- Profile Information: Optional information you choose to provide to enhance your experience.
- Communications: Information you provide when contacting our support team.
3.2 Information Collected Automatically
- Usage Data: Basic interaction data with our platform for service improvement.
- Device Information: Browser type, operating system, and device identifiers.
- Log Data: IP address, access times, and pages viewed for security purposes.
3.3 Data You Process Through Our Platform
Important: Personal data that you choose to process through our platform remains under your complete control. This data is processed ephemerally and is never stored on our servers. Our privacy-preserving architecture is designed to minimize data exposure and ensure we do not retain your processed data.
Technical Implementation: "Ephemeral processing" means your data is processed entirely in-memory during a single session. No raw data or intermediate results are written to disk, persisted in databases, or retained after the processing session ends. Once your request is complete, the data is immediately deallocated from memory with no residual copies.
Derived Insights: Any personality traits, preferences, or other insights derived from your data are similarly ephemeral—they exist only for the duration of the session and are not stored, cached, or retained in any form after processing completes.
4. Google API Services User Data
Onairos uses Google API Services to access certain user data with your explicit consent. This section describes our use and protection of Google user data in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
4.1 Data We Access
With your explicit consent, we may access the following Google user data:
- Basic profile information (name, email address, profile picture)
- Account identifiers for authentication purposes
- Other data you explicitly authorize during the consent flow
4.2 How We Use Google User Data
Google user data is used solely for the following purposes:
- Personality Analysis: To generate insights about your preferences and personality traits based on data you choose to share, enabling personalized experiences.
- Personalization: To customize your experience on our platform and provide relevant recommendations tailored to your interests.
- Authentication: To verify your identity and provide secure access to your account.
4.3 Limited Use Disclosure
Onairos's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data for providing or improving user-facing features that are prominent in our application's user interface.
- We do not transfer Google user data to third parties unless necessary to provide or improve user-facing features, as required by law, or with your explicit consent.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, to comply with applicable law, or for our internal operations (and even then, only when the data has been aggregated and anonymized).
4.4 Data Storage and Security
Google user data is protected with the same security measures as all other data on our platform:
- Encrypted at rest using AES-256 encryption
- Encrypted in transit using TLS 1.3
- Processed on our secure, on-premise infrastructure
- Subject to strict access controls and regular security audits
4.5 Data Retention and Deletion
You maintain full control over your Google user data:
- Revoke Access: You can revoke Onairos's access to your Google account at any time through your Google Account settings.
- Request Deletion: You can request deletion of all Google user data we have collected by contacting us at [email protected].
- Automatic Deletion: Upon revoking access or deleting your Onairos account, all associated Google user data is permanently deleted within 30 days.
- In-App Controls: You can manage and delete your data directly within the Onairos application settings.
4.6 Consent and Authorization
We only access Google user data after you have provided explicit, informed consent through Google's OAuth consent flow. You will be clearly informed about what data we are requesting and why before granting access. You can withdraw consent at any time.
5. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation, we process your personal data based on the following legal grounds:
- Consent (Article 6(1)(a)): Where you have given explicit consent for processing for specific purposes.
- Contractual Necessity (Article 6(1)(b)): Processing necessary to perform our contract with you and provide our services.
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements.
- Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as security and fraud prevention, provided these interests do not override your rights.
6. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve our services
- To authenticate your identity and manage your account
- To communicate with you about services, updates, and support
- To ensure the security and integrity of our platform
- To comply with legal obligations
- To protect against fraud and unauthorized access
We do not:
- Sell your personal data to third parties
- Use your data for advertising or marketing purposes without consent
- Share your data with third-party analytics vendors or ad networks
- Make backdoor data deals or broker your information
7. Data Security
We implement comprehensive technical and organizational measures to protect your personal data:
- Encryption at Rest: All stored data is encrypted using AES-256 military-grade encryption standards.
- Encryption in Transit: All data transmitted to and from our services uses TLS 1.3 encryption.
- End-to-End Encryption: Your data remains encrypted throughout its entire lifecycle on our platform.
- 100% On-Premise Infrastructure: We do not use third-party AI services (OpenAI, Google, etc.). All processing occurs on our own infrastructure.
- Privacy-Preserving Design: Our system architecture minimizes data exposure and is designed to limit access to your processed data.
- Regular Security Audits: We conduct regular security assessments and penetration testing.
- Access Controls: Strict access controls and authentication mechanisms protect all systems.
7.1 Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay and, where required by law (such as under GDPR Article 34), within 72 hours of becoming aware of the breach. We will also notify the relevant supervisory authorities as required. Our notification will include the nature of the breach, likely consequences, and measures taken or proposed to address it.
8. Data Retention
We adhere to strict data minimization and retention principles:
- Processed Data: Data you process through our platform is never stored. It is processed ephemerally and immediately forgotten.
- Account Data: Retained for the duration of your account plus any legally required retention period.
- Log Data: Retained for a maximum of 90 days for security purposes only (fraud detection, abuse prevention, system diagnostics), then automatically deleted. IP addresses are pseudonymized after 30 days. Log data is never used for behavioral profiling, analytics, or marketing purposes.
- Support Communications: Retained for up to 2 years to improve our services and for legal compliance.
You may request deletion of your data at any time. Upon account deletion, we remove your personal data within 30 days, except where retention is required by law.
9. Third-Party Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data only in the following limited circumstances:
- Service Providers: With trusted service providers who assist in operating our platform, bound by strict data protection agreements.
- Legal Requirements: When required by law, court order, or governmental regulation.
- Protection of Rights: To protect the rights, property, or safety of Onairos, our users, or others.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with continued protection of your data.
- With Your Consent: When you explicitly authorize us to share specific information.
No Third-Party Tracking: We do not use third-party analytics vendors, advertising networks, or data partners.
9.1 Subprocessors and Service Providers
Core Data Processing: All core data processing—including personality analysis, preference extraction, user profile generation, and personalization via the Onairos SDK and service—occurs entirely on our own infrastructure. We do not use third-party AI services (such as OpenAI, Google AI, Anthropic, or similar) for processing your personal data in our core platform.
Infrastructure Subprocessors: We use the following service providers for essential platform operations:
- Amazon Web Services (AWS) — Cloud infrastructure and hosting (USA/EU regions)
- Cloudflare — CDN, DDoS protection, and DNS (Global)
- Stripe — Payment processing (USA)
- Resend — Transactional email delivery (USA)
All subprocessors are bound by data processing agreements (DPAs) that ensure GDPR and CCPA-compliant handling of any data they process.
9.2 Onairos Hosted Applications
Onairos offers hosted demo applications (such as love.onairos.uk, unwrap.onairos.uk) that showcase personalization capabilities. These applications operate as separate, independent services and may use third-party AI providers (such as OpenAI or similar) for their functionality.
Important distinction: These hosted apps receive only the final personalization output from Onairos—the same data that any third-party developer integrating with Onairos would receive. They do not have access to your raw source data, Google account data, or internal Onairos profile processing. The hosted apps function exactly as a customer application would, demonstrating how developers can use Onairos data in their own products.
Your core Onairos profile data never touches third-party AI providers. Only the downstream demo applications, which process already-anonymized outputs, may use external AI services.
10. International Data Transfers
If we transfer personal data outside the European Economic Area (EEA) or United Kingdom, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Transfers to countries with adequate data protection laws
- Binding Corporate Rules where applicable
11. Your Rights Under GDPR (EEA and UK Residents)
If you are a resident of the European Economic Area or United Kingdom, you have the following rights, which we fully support and have implemented:
- Right of Access (Article 15): Request a copy of your personal data we hold. We will provide this within 30 days of your request.
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete data. You can update most information directly in your account settings, or contact us for assistance.
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten"). You can delete your account through the app settings, or contact us to request complete data deletion.
- Right to Restriction (Article 18): Request restriction of processing in certain circumstances.
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format (JSON). Contact us to request an export of your data.
- Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time through your account settings or by contacting us. This will not affect the lawfulness of processing before withdrawal.
- Right to Lodge a Complaint: File a complaint with your local data protection authority (e.g., the ICO in the UK).
How to Exercise Your Rights
You can exercise your rights through the following methods:
- In-App: Access account settings to update, export, or delete your data.
- Email: Contact [email protected] with your request.
We will respond to all requests within 30 days. We may ask you to verify your identity before processing your request to protect your data.
12. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: Opt out of the sale or sharing of your personal information. Note: Onairos does not sell or share personal information for cross-context behavioral advertising.
- Right to Limit Use: Limit the use and disclosure of sensitive personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected
In the past 12 months, we may have collected:
- Identifiers (email address, username, IP address)
- Internet or network activity (browsing history on our platform, interactions)
- Geolocation data (general location based on IP)
Sale of Personal Information
We do not sell your personal information. We have not sold personal information in the preceding 12 months and do not intend to do so.
To submit a verifiable consumer request, contact us at [email protected]. You may also designate an authorized agent to make a request on your behalf.
13. Cookies and Tracking Technologies
We use minimal, essential cookies necessary for the operation of our services:
- Essential Cookies: Required for authentication and security.
- Preference Cookies: Remember your settings and preferences.
We do not use: Third-party tracking cookies, advertising cookies, or analytics cookies from external vendors.
You can control cookies through your browser settings. Disabling essential cookies may affect service functionality.
14. Sensitive Personal Data
Onairos does not intentionally collect, process, or store special categories of personal data as defined under GDPR Article 9, including but not limited to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Health data
- Data concerning sex life or sexual orientation
Important: While we analyze personality traits and preferences from your connected platforms, we do not extract, store, or process any sensitive personal information, private messages, passwords, or protected health information. If such data inadvertently appears in content you process through our platform (such as LLM conversations), it is processed ephemerally and immediately discarded—we never retain it.
If you believe sensitive personal data has been inadvertently collected, please contact us immediately at [email protected].
15. Age Requirements
You must be at least 18 years old to use our Services. Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age.
If we become aware that we have collected personal data from someone under 18, we will take steps to delete that information immediately. If you believe we have collected information from someone under 18, please contact us at [email protected].
16. Transparency and User Control
We believe in giving you control over your data:
- Instant Access Revocation: Withdraw access at any moment with no delays or exceptions.
- Data Export: Request a copy of your data in a portable, machine-readable format at any time.
- Account Deletion: Delete your account and all associated data through our platform or by contacting support.
17. Regulatory Compliance
- GDPR: Fully Compliant
- CCPA/CPRA: Fully Compliant
- SOC 2 Type II: Certification in progress (Target: Q2 2026)
- HIPAA: Coming Soon
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page with a new "Last Updated" date. For significant changes, we will provide additional notice, such as an email notification. We encourage you to review this policy periodically.
18.1 Policy Version History
We maintain a record of changes to this Privacy Policy for transparency and accountability:
- Version 2.1 (March 3, 2026): Added breach notification procedures, sensitive data handling, full subprocessor list (AWS, Cloudflare, Stripe, Resend), hosted apps disclosure, policy versioning, and legal entity details.
- Version 2.0 (January 29, 2026): Major update including GDPR/CCPA compliance sections, Google API Limited Use disclosure, and enhanced user rights.
- Version 1.0 (Initial): Original privacy policy.
Previous versions of this policy are available upon request by contacting [email protected].
19. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data practices, please contact us:
General Support: [email protected]
Privacy Inquiries: [email protected]
Data Subject Requests: [email protected]
We will respond to all requests within 30 days (or sooner as required by applicable law).
20. EU/EEA Representative
As Onairos Inc. is established in the United States, we have designated a representative in the European Union for data protection matters pursuant to GDPR Article 27.
Users in the European Economic Area or United Kingdom may contact our representative for data protection matters at [email protected].