Privacy Policy

1. Who We Are

Ovarra LLC ("Ovarra," "we," "us," "our") operates the Ovarra.ai content protection platform. We help digital creators detect and remove unauthorized copies of their content from the internet through automated scanning, AI-based matching, and DMCA takedown services.

This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and what rights you have over it. It applies to all users of our website, dashboard, and services regardless of location.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Full name and email address
• Password (stored in hashed form — we never store plaintext passwords)
• Subscription tier and billing status
• Account creation date and login history
• IP address at signup and login (used for fraud prevention)
• General geographic location derived from IP (country, city — not precise GPS)

2.2 Creator Profile Information

To use our content protection services, you provide:

• Platform usernames and profile URLs (e.g., OnlyFans, Instagram, TikTok)
• Stage names or aliases used across platforms
• Social media profile links and associated public data
• Content identifiers used to detect unauthorized copies of your material

2.3 Biometric and Facial Data

If you use our FaceMatch feature, you may upload reference photos. We use these to create a mathematical facial embedding (a numerical representation of facial features) that our AI uses to detect your likeness in third-party content. We do not share facial embeddings with third parties and delete them when you delete your account or turn off FaceMatch.

Where required by law (including Illinois BIPA, Texas CUBI, and similar biometric privacy laws), we will obtain your explicit consent before processing biometric data and will honor all applicable retention and deletion requirements.

2.4 Legal Identity Documents

If you complete our Letter of Authorization (LOA) process — required by certain platforms (such as Telegram) before processing takedown requests — we collect:

• Legal full name
• Residential or mailing address
• Phone number (optional)
• Government-issued ID type and, if you choose to upload it, a copy of your ID document
• Electronic signature (typed name) and timestamp
• IP address at the time of signing

ID documents are stored encrypted in isolated, access-controlled storage. They are used solely to fulfill LOA requirements from third-party platforms when you request a takedown and are never sold or shared for any other purpose.

2.5 Payment Information

Payment processing is handled by Stripe, Inc. We do not store your full credit card number, CVV, or bank account details. Stripe stores your payment method and returns a token that we associate with your account. We receive and store: billing name, last four digits of card, card type, expiration date, and transaction history.

2.6 Content Scan Data

When our system scans for leaked content, we collect and store:

• URLs where potentially infringing content was found
• Metadata about those URLs (domain, hosting provider, page title, snippet)
• AI classification results (e.g., "likely match," "potential," "safe")
• Takedown request status and submission history
• Responses received from hosting providers and platforms

2.7 Usage and Technical Data

We automatically collect:

• Browser type, device type, and operating system
• Pages visited, features used, and time spent on the platform
• Referrer URL and search terms that brought you to our site
• Error logs and crash reports
• Session tokens and authentication events

2.8 Communications

If you contact us by email or through support channels, we retain those communications and any information you include in them.

3. How We Use Your Information

We will not use your data for purposes materially different from those listed above without your consent.

4. Who We Share Your Information With

We do not sell your personal information. We share data only as described below:

4.1 Service Providers (Sub-processors)

Each sub-processor is bound by data processing agreements and is only permitted to use your data to provide their service to us.

4.2 Third-Party Platforms (Takedown Recipients)

When we submit takedown notices on your behalf, we share necessary identifying information — such as your name, email address, and the content URLs in question — with hosting providers, CDNs, registrars, and platforms (e.g., Telegram, Google, Cloudflare). This is inherent to the takedown process and is done under your instruction.

4.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Ovarra, our users, or the public.

4.4 Business Transfers

If Ovarra is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you before your data is subject to a different privacy policy.

5. Data Retention

When you delete your account, we anonymize your personal data within 30 days and fully delete it within 1 year, except where retention is required by law (e.g., financial records, legal hold).

6. Security

We implement industry-standard technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Row-level security on our database, ensuring users can only access their own data
• Hashed password storage (we never store plaintext passwords)
• Access controls limiting staff access to personal data on a need-to-know basis
• Isolated, access-controlled storage for sensitive documents (ID documents, LOAs)

No security system is impenetrable. In the event of a data breach affecting your personal data, we will notify you as required by applicable law.

7. Cookies and Tracking

We use the following types of cookies and similar technologies:

• Strictly necessary: Session cookies required for authentication and security. These cannot be disabled.
• Analytics: We use privacy-respecting analytics to understand how users interact with the Services. These do not track you across other websites.
• Preferences: Cookies that remember your language and display preferences.

You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the Services.

8. International Data Transfers

Ovarra is based in the United States. If you access our Services from outside the US — including from the European Union, United Kingdom, Australia, or other jurisdictions — your data will be transferred to and processed in the United States.

For transfers from the EU/EEA or UK, we rely on Standard Contractual Clauses (SCCs) and appropriate data transfer mechanisms as required by applicable law. We ensure that our sub-processors maintain equivalent protection standards.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

9.1 All Users

• Access: Request a copy of the personal data we hold about you
• Correction: Ask us to correct inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Opt-out: Unsubscribe from marketing emails at any time via the unsubscribe link or by contacting us

9.2 EU / UK Users (GDPR / UK GDPR)

• Restriction: Request that we restrict processing of your data in certain circumstances
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Withdraw any consent you have given at any time
• Complaints: Lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU)

9.3 California Users (CCPA / CPRA)

California residents have the right to:

• Know what personal information we collect, use, disclose, or sell
• Delete personal information we have collected (subject to exceptions)
• Opt out of the sale or sharing of personal information — we do not sell or share your personal information
• Non-discrimination for exercising privacy rights
• Correct inaccurate personal information
• Limit the use of sensitive personal information

9.4 Australian Users (Privacy Act 1988)

Australian users have the right to access and correct their personal information, and to complain to the Office of the Australian Information Commissioner (OAIC) if they believe we have not handled their data in accordance with the Australian Privacy Principles.

9.5 How to Exercise Your Rights

To exercise any of the above rights, contact us at privacy@ovarra.ai. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before fulfilling your request.

10. Children's Privacy

The Services are intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided us with personal data, contact us at privacy@ovarra.ai.

11. Third-Party Links and Services

Our Services may contain links to third-party websites or integrate with third-party platforms. This Privacy Policy does not apply to those sites. We are not responsible for the privacy practices of any third party and encourage you to review their privacy policies before providing personal data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions, requests, or concerns: