Privacy Policy
Effective Date: January 1, 2026 · Last Updated: May 5, 2026
Introduction
Onederous Inc. ("Onederous," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-native brand strategy platform at onederous.ai and any associated services (collectively, the "Service").
Please read this policy carefully. By using the Service, you agree to the practices described here.
1. Information We Collect
1.1 Information You Provide Directly
- Account information: Name, email address, company name, and password when you register.
- Project inputs: Brand briefs, strategic inputs, uploaded documents, and any content you submit to our AI agents to process.
- Communications: Messages you send to our support team or via in-product feedback tools.
- Billing information: Payment details processed securely through our third-party payment processor. We do not store full credit card numbers.
1.2 Information Collected Automatically
- Usage data: Pages visited, features used, time spent, click patterns, and workflow interactions within the platform.
- Device and log data: IP address, browser type, operating system, referring URLs, and error logs.
- Cookies and similar technologies: See Section 7 (Cookie Policy) for full details.
1.3 Information from Third Parties
- Authentication providers: If you sign in via Google or another SSO provider, we receive basic profile data (name, email) as permitted by your settings with that provider.
- Analytics partners: Aggregated, de-identified usage statistics from analytics services we use to improve the platform.
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service: Process your inputs through our AI agent system and deliver strategy and creative outputs.
- Improve platform performance: Analyze aggregated interaction patterns (e.g., workflow navigation, agent usage sequences) to refine system behavior. See Section 3 for our specific AI training policy.
- Personalize your experience: Remember your preferences, project history, and settings.
- Communicate with you: Send transactional emails (receipts, account alerts), product updates, and, with your consent, marketing communications.
- Ensure security and prevent fraud: Monitor for suspicious activity and protect the integrity of the platform.
- Comply with legal obligations: Respond to lawful requests from regulatory or law enforcement authorities.
Summary: Data Categories, Purposes, and Legal Bases
| Data Category | Examples | Purpose | Legal Basis (GDPR) |
|---|---|---|---|
| Account information | Name, email, company, password | Provide the Service, communicate with you | Contract performance |
| Billing information | Payment method, transaction records | Process payments, maintain records | Contract performance; legal obligation |
| Customer Content | Brand briefs, strategic inputs, uploads | Process through AI agents, deliver Outputs | Contract performance |
| Outputs | AI-generated strategy and creative content | Deliver Service results | Contract performance |
| Usage data | Pages visited, features used, click patterns, workflow interactions | Improve platform performance, analyze interaction patterns | Legitimate interests |
| Device and log data | IP address, browser type, OS, error logs | Security monitoring, troubleshooting | Legitimate interests |
| Communications | Support messages, feedback | Respond to inquiries, improve Service | Legitimate interests; contract performance |
| Cookies (non-essential) | Analytics cookies, functional cookies, marketing cookies | Analyze usage, remember preferences, deliver relevant content | Consent |
| SSO profile data | Name, email from Google or other provider | Authenticate your account | Contract performance |
For details on our use of aggregated, de-identified interaction patterns (which do not include Customer Content), see Section 3.
3. Our AI Training Policy — What We Will and Won't Do
Onederous will never use your customer content to train our AI models.
"Customer content" means any proprietary data you provide to the platform: your brand briefs, uploaded documents, strategic inputs, creative outputs, or any other material specific to your business or your clients' businesses.
What we do use to improve the system:
Onederous's platform learns from process-level interaction patterns — such as how users navigate between agents, which workflow steps generate the most iteration, and where users tend to pause or refine outputs. This behavioral and operational data is aggregated and de-identified; it contains no proprietary brand content. It is used solely to improve the speed, accuracy, and usability of the platform's underlying workflows.
This distinction matters: we improve the system, not the model, using your data.
Automated Decision-Making and Profiling
Under GDPR Article 22, you have rights related to automated decision-making, including profiling. We want to be transparent about how this applies to Onederous:
AI-Generated Outputs. The Service uses AI agents to process your Customer Content and generate strategic and creative Outputs. These AI-generated Outputs are recommendations and tools for your consideration — they do not constitute automated decisions that produce legal effects concerning you or similarly significantly affect you. All Outputs require your independent review, judgment, and decision-making before use.
Usage-Based Billing. Certain subscription tiers may involve automated detection of your usage activity — for example, detecting that you have started or completed a project under a pre-project pricing plan — in order to calculate and apply the correct charges to your account. These automated billing determinations are based on objective usage events (such as project initiation or completion) and predetermined pricing rules disclosed to you at the time of subscription. Because billing decisions may have financial effects on you, you have the right to:
- Request a clear explanation of how any automated billing determination was calculated;
- Contest any charge you believe was applied in error;
- Request human review of any automated billing decision.
The specific usage events and pricing rules applicable to your subscription tier will be disclosed to you at the time of purchase and in your account settings.
To exercise any of these rights, contact us at support@onederous.ai.
Account Decisions. Onederous does not use automated profiling to make decisions about your access to the Service or your account standing. Account-related decisions (such as access restrictions or termination) are made by Onederous personnel, not automated systems.
If you have concerns about how automated processing affects you, please contact us at privacy@onederous.ai.
4. How We Share Your Information
We do not sell your personal data.
For a complete and current list of third-party sub-processors that process personal data on our behalf, including their names, purposes, and locations, please see our Sub-Processor List. We use commercially reasonable efforts to keep this list current as sub-processors change.
We may share information as follows:
- Service providers: Vendors who help us operate the platform, including cloud infrastructure and database hosting, AI model providers, payment processing, email delivery, analytics, image and media services, document processing, and scheduled task management. These providers are contractually required to handle your data only as directed by us. For a complete list, see our Sub-Processor List.
- AI infrastructure partners: Our platform is built on cloud infrastructure and uses third-party AI model providers for inference. Data processed through these services is governed by our data processing agreements with those providers, which prohibit use of your data for their own model training purposes.
- Business transfers: If Onederous merges with or is acquired by another company, your information may be transferred. We will provide notice before such a transfer takes effect.
- Legal compliance: If required by law, subpoena, or to protect the rights, property, or safety of Onederous or others.
- With your consent: For any other purpose with your explicit permission.
Data Processing Agreement (DPA)
If you require a Data Processing Agreement for GDPR compliance or other regulatory purposes, Onederous offers a standard DPA that governs how we process personal data on your behalf. To request a copy of our DPA, please contact privacy@onederous.ai. For details on our data processing commitments, see also our Terms of Service, Section 15 (GDPR and Data Protection).
5. Data Retention
We retain different categories of data for different periods, based on the purpose of collection and our legal obligations:
- Account information (name, email, company, preferences): Retained for as long as your account is active. Upon account deletion, this data is deleted within 90 days, except as required for legal compliance.
- Customer Content and Outputs (brand briefs, strategic inputs, AI-generated outputs): Retained for as long as your account is active. Upon account deletion or termination, this data is deleted within the timeframes described under "Post-Termination Data Retrieval" below, unless retention is required by law.
- Billing and transaction records: Retained for as long as your account is active, plus up to 7 years after account closure to comply with tax, accounting, and financial reporting obligations.
- Usage and analytics data (pages visited, features used, interaction patterns): Retained in identifiable form for up to 24 months. After 24 months, this data is either deleted or permanently de-identified and aggregated.
- Communications and support data (support tickets, feedback): Retained for up to 3 years after your last interaction with our support team, unless deletion is requested earlier.
- Server and security logs (IP addresses, error logs, access logs): Retained for up to 12 months for security monitoring and incident investigation purposes.
Requesting Deletion
You may request deletion of your account and associated data at any time by contacting privacy@onederous.ai. We will process deletion requests within 90 days. Certain data may be retained beyond deletion where required by law, necessary to resolve disputes, or needed to enforce our agreements.
Post-Termination Data Retrieval
Upon termination or expiration of your account, you will have 30 days to export your Customer Content and Outputs using the export tools available in the Service (or by contacting us if export tools are not yet available). After this 30-day retrieval period, we will delete your Customer Content and Outputs within an additional 60 days, unless retention is required by law.
6. Your Rights
6.1 Rights for All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to certain exceptions.
- Data portability: Request your data in a structured, machine-readable format.
- Opt-out of marketing: Unsubscribe from marketing emails at any time using the link in those emails or by contacting us.
6.2 Additional Rights Under GDPR (EEA, UK, and Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent local law:
Right to object. You have the right to object to our processing of your personal data where that processing is based on our legitimate interests (Section 2). If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defense of legal claims. You have an absolute right to object to processing for direct marketing purposes at any time.
Right to restrict processing. You may request that we restrict (i.e., limit) the processing of your personal data in certain circumstances: when you contest the accuracy of the data (for the period needed to verify accuracy); when the processing is unlawful but you prefer restriction over deletion; when we no longer need the data but you require it for legal claims; or when you have objected to processing and we are evaluating whether our legitimate grounds override yours. When processing is restricted, we will continue to store your data but will not process it further without your consent (except for legal claims, protection of others' rights, or important public interest reasons).
Right to withdraw consent. Where our processing of your personal data is based on your consent (e.g., marketing communications, non-essential cookies), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before you withdrew consent.
Right to data portability. Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible. This right does not apply where it would adversely affect the rights and freedoms of others.
Right to lodge a complaint. You have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data infringes data protection law. You may do so in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement. In the UK, the relevant authority is the Information Commissioner's Office (ICO).
Legal bases for processing (GDPR). We process personal data on the following legal bases:
- (a) Contract performance — to provide the Service you have signed up for, including processing your inputs through our AI agents and delivering outputs;
- (b) Legitimate interests — to improve our platform, ensure security, prevent fraud, and analyze aggregated usage patterns (see Section 3 for our AI training policy);
- (c) Legal obligation — where required by applicable law, regulation, or legal process;
- (d) Consent — for marketing communications and non-essential cookies, which you may withdraw at any time.
To exercise any of these rights, contact us at privacy@onederous.ai. We will respond to your request within one month. If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months, in which case we will notify you of the extension and the reasons for the delay.
6.3 Your Rights Under U.S. State Privacy Laws
If you are a resident of California, Colorado, Connecticut, Virginia, Texas, or another U.S. state with a comprehensive consumer privacy law, you may have additional rights regarding your personal information.
Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of personal information (as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, "CCPA/CPRA"):
- Identifiers: Name, email address, IP address, account credentials.
- Commercial information: Subscription and billing records, purchase history.
- Internet or electronic network activity: Usage data, browser type, interaction logs, pages visited, features used.
- Professional or employment-related information: Company name, job title (if provided during registration).
- Inferences: Preferences and usage patterns derived from the above categories to improve platform performance.
Sources of Personal Information
We collect personal information directly from you (e.g., registration, project inputs), automatically through your use of the Service (e.g., usage data, device information), and from third-party authentication providers (e.g., Google SSO).
Purposes for Collection
We use personal information for the business purposes described in Section 2 of this Privacy Policy: providing the Service, improving platform performance, communicating with you, ensuring security, and complying with legal obligations.
Your Rights
Depending on your state of residence, you may have the right to:
- Know and access: Request a summary of the categories of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it. You may also request a copy of the specific personal information we hold.
- Delete: Request deletion of your personal information, subject to certain legal exceptions (e.g., completing a transaction, legal compliance, security).
- Correct: Request correction of inaccurate personal information.
- Opt out of sale or sharing: We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising purposes. Because we do not engage in these practices, there is no need to submit an opt-out request — but if our practices change, we will update this section and provide a mechanism to opt out.
- Non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
How to Exercise Your Rights
To submit a request, email us at privacy@onederous.ai with the subject line "Privacy Rights Request." We will verify your identity before processing any request. We will respond to verified requests within 45 days (or 90 days if an extension is necessary, in which case we will notify you).
Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We may require proof of the agent's authorization and may still verify your identity directly.
Appeals
If we decline to take action on your request, you have the right to appeal that decision. To appeal, reply to the response you received from us or email privacy@onederous.ai with the subject line "Privacy Rights Appeal." If your appeal is denied, you may contact your state's attorney general or applicable regulatory authority.
Our designated privacy contact is Mark Evans, Co-Founder. Onederous does not currently have a formally appointed Data Protection Officer. If our processing activities require the appointment of a DPO under GDPR Article 37, we will update this section accordingly.
7. Cookie Policy
What Are Cookies?
Cookies are small text files placed on your device when you visit a website. We also use similar technologies such as pixels, local storage, and session storage.
Cookie Categories We Use
| Category | Purpose | Can You Opt Out? |
|---|---|---|
| Strictly Necessary | Essential for the platform to function (authentication, security, session management). | No — required for the Service |
| Analytics & Performance | Help us understand how users interact with the platform (e.g., Google Analytics). Data is aggregated and de-identified. | Yes — via cookie banner |
| Functional | Remember your preferences and settings (e.g., theme, language). | Yes — via cookie banner |
| Marketing | Track visits across websites to deliver relevant advertising. We use these sparingly. | Yes — via cookie banner |
Cookie Consent Management
When you first visit onederous.ai, a cookie banner will appear allowing you to accept, decline, or customize your cookie preferences. You can change your preferences at any time by clicking the "Cookie Settings" link in the footer of our website.
Third-Party Cookies
Some features may load content from third-party services (e.g., embedded videos, social share buttons) that set their own cookies. We are not responsible for those cookies; please refer to those providers' privacy policies.
8. Data Security
We use industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security audits. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security. In the event of a data breach involving your personal data, we will:
- Notify affected users by email within 72 hours of becoming aware of the breach, consistent with GDPR requirements;
- Notify the relevant supervisory authority within 72 hours where required by GDPR;
- Comply with all applicable U.S. state breach notification laws, which may require notification within timeframes ranging from 30 to 60 days depending on the jurisdiction;
- Provide a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
If a breach is unlikely to result in a risk to your rights and freedoms, we may not be required to notify you under applicable law, but we will document the breach internally in all cases.
9. International Data Transfers
Onederous is based in the United States. If you are accessing the Service from the EEA, UK, or other regions with data transfer restrictions, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for such transfers in compliance with GDPR.
10. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website or sending an email to the address associated with your account. Continued use of the Service after such notice constitutes acceptance of the updated policy.
12. Contact Us
For questions, requests, or concerns about this Privacy Policy or our data practices, please contact:
Onederous Inc.
Privacy Contact: Mark Evans, Co-Founder
Email: privacy@onederous.ai
100 W. Imperial Ave. Suite R
El Segundo, CA 90245
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you may also raise concerns with your local data protection authority.