Privacy Policy
Last updated: May 26, 2026
OV is a local-first desktop app. There are no accounts, no telemetry, and the contents of your notes never reach our servers. This policy is mostly a list of things we don't collect, followed by the unavoidable minimum that we do process.
It is written to satisfy the core obligations of PIPA (South Korea), GDPR (EU), and CCPA/CPRA (California) simultaneously.
1. Controller
| Item | Value |
|---|---|
| Service | OV (ovapp.io · desktop app) |
| Operator | ouomoxo (independent developer) |
| Contact | adadgogo1212@gmail.com |
| Data protection enquiries | Same |
For GDPR rights (EU/EEA), CCPA requests (California), or PIPA data-subject rights (Korea), email the address above. We respond within 30 days.
2. What we collect
2.1 Desktop app (OV)
| Category | Collected? | Notes |
|---|---|---|
Note contents (.md files) | No | Stay on your computer |
| Vault location & folder structure | No | |
| Usage stats · analytics · telemetry | No | Zero events |
| Crash reports | No | Local userData/Crashpad/ only |
| IP / device identifiers (for ads) | No | |
| Email / account info | No | No account exists |
| OpenAI API key | Only in your OS keychain | Never reaches our servers |
The desktop app contacts the outside world in only two situations:
- AI Copilot calls — only when you explicitly send a message. The request goes directly from your machine to OpenAI using your API key; OV is not a relay. We don't see your key, prompt, or response. Retention and handling on the OpenAI side follow OpenAI's privacy policy.
- Update check — once at launch and every 6 hours afterwards, OV fetches the release list from
api.github.com. This leaves an entry containing your IP address in GitHub's server logs, governed by GitHub's Privacy Statement. OV reads the response in memory and does not store it separately.
2.2 Website (ovapp.io)
| Category | Collected? | Retention |
|---|---|---|
| Server access logs (IP · UA · timestamp · URL) | Hosting default | 30 days |
| Analytics cookies · pixels · trackers | None | — |
ov.site.theme localStorage key | In your browser | Until you clear it |
/api/revalidate bearer token | Verified in memory | Not stored |
The website does not use cookies and does not load any third-party analytics. As a consequence we do not display an ePrivacy consent banner.
3. Purposes and legal bases
| Processing | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Update check | Notify users of security patches | (f) legitimate interest |
| AI Copilot call | Provide the feature you triggered | (b) contract performance |
| Access logs | Site availability & abuse prevention | (f) legitimate interest |
Under PIPA, we will request explicit consent for any future processing that requires it. None of the current processing does.
4. Retention and deletion
Server access logs are auto-deleted after 30 days. Notes and keys live only on your disk, so they are erased the moment you delete the file.
5. Sub-processors and international transfers
We do not sell or share user data with third parties. We rely on the following processors for technical infrastructure:
| Processor | Role | Region |
|---|---|---|
| Vercel | Website hosting | US, EU edge |
| GitHub | Release distribution & issue tracking | US |
| OpenAI | (Optional) AI Copilot — called with your key | US |
Transfers from the EU/EEA to the US are based on GDPR Standard Contractual Clauses or each processor's own adequacy mechanism.
6. Your rights
Regardless of where you live, you have:
- Right of access — request whatever information we hold about you. Beyond access logs, there is almost none.
- Right to erasure — request early deletion of your access-log entries.
- Right to object — disable the update check in app settings (
Settings → Check for updates). - Right to portability (GDPR Art. 20) — your notes are plain
.mdfiles, so portability is already complete. - Right to lodge a complaint — Korea: PIPC (1833-6972, privacy.go.kr). EU: your local supervisory authority. California: California Privacy Protection Agency.
To exercise any of these: email adadgogo1212@gmail.com with the right you wish to exercise and enough information to verify your identity. We reply within 30 days.
7. Children's data
OV is not intended for children under 14 (Korea) or under 13 (US COPPA). We do not knowingly collect information from these age groups; if we discover such data, we delete it.
8. Security measures
Technical security is detailed on a separate page. In brief:
- Per-note AES-GCM-256 encryption (optional)
- OS keychain protection for API keys
- HTTPS everywhere, HSTS preloaded
- Automated dependency security scanning (Dependabot)
9. Changes to this policy
Material changes are announced on the site, in release notes, and committed to GitHub with a visible history. Changes that require new user consent will be announced 30 days in advance.
10. Governing law
This policy is written under and interpreted by the laws of the Republic of Korea, with Seoul Central District Court as the court of first instance. Mandatory provisions of GDPR (for EU/EEA residents) and CCPA (for California residents) override this clause where applicable.