Privacy Policy

Our Philosophy

Oval is built on a simple principle: your data belongs to you. We designed the app from the ground up to keep your information private. Oval does not sell, share, or monetize your personal data. Ever.

What Data Oval Collects

Account Information

When you create an account, we collect your email address and a securely hashed password. This is the minimum needed to authenticate you and sync your data across devices.

Conversations and Memories

Your conversations with Oval are stored on your device and optionally synced to Firebase Cloud Firestore for cross-device access. Memories extracted from conversations are stored with decay metadata so they naturally fade over time, just like human memory. You can view, reinforce, or delete any memory at any time.

Notebooks and Sources

Documents, notes, and other sources you add to Oval Notebooks are chunked and embedded for semantic search. Embeddings are stored in Cloudflare Vectorize. The original content is stored in Cloudflare D1. All data is associated with your user account and is not shared with other users.

AI API Keys (BYOK)

Oval uses a Bring Your Own Key model. Your AI provider API keys (e.g., Gemini, Mistral, Claude, OpenAI) are stored locally on your device and are never sent to Oval servers. They are transmitted directly from your device to the AI provider when you send a message.

Personality and Preferences

Your Oval personality settings, mood entries, MyMold profile, and insight data are stored on-device and optionally synced to Firebase. This data is used solely to personalize your experience.

How We Use Your Data

• To provide and improve the Oval experience
• To sync your data across your devices (when you opt in)
• To generate personalized insights (mood tracking, memory patterns, temporal analysis)
• To authenticate your account

We do not use your data for advertising, profiling, or training AI models. Your conversations are never used as training data.

Third-Party Services

Oval integrates with the following services:

• Firebase (Google) — Authentication and optional cloud sync. Subject to Google's Privacy Policy.
• AI Providers — When you send a message, it is transmitted directly to your chosen AI provider (Gemini, Mistral, Claude, or OpenAI) using your own API key. Each provider has its own privacy policy and data handling practices.
• Cloudflare — Notebook content is processed and stored using Cloudflare Workers, D1, and Vectorize. Subject to Cloudflare's Privacy Policy.

Data Retention and Deletion

Memories in Oval naturally decay over time based on the Ebbinghaus forgetting curve. Memories you don't revisit will gradually lose confidence and eventually be archived. You can manually delete any memory, conversation, notebook, or source at any time.

To delete your account and all associated data, go to Settings in the app. Account deletion removes all synced data from Firebase and Cloudflare within 30 days.

Data Security

All data in transit is encrypted via TLS. Firebase data is encrypted at rest. API keys are stored locally using secure device storage. We follow industry best practices for securing cloud infrastructure.

Children's Privacy

Oval is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us.

Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes through the app or by email. Continued use of Oval after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy? Reach us at jonathan@myoval.me.