Privacy Policy

Last updated: February 17, 2026

Ossum Inc. ("Ossum," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, websites, and applications (collectively, the "Services").

We are headquartered in Virginia and comply with the Virginia Consumer Data Protection Act (VCDPA) as well as other applicable privacy laws.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, password, and company name when you register
  • User Content: RIDDL models, specifications, and other content you create or upload
  • Communications: Information you provide when contacting support or providing feedback
  • Newsletter Subscriptions: Email address when you subscribe to our newsletter
  • Learning Materials: Name and email address when you request gated white papers or learning materials
  • Bug Reports and Feature Requests: Product name, description, steps to reproduce, and other details you provide when submitting feedback through our support forms

1.2 Information Collected Automatically

  • Usage Data: How you interact with our Services, features used, and actions taken
  • Device Information: Browser type, operating system, IP address, and device identifiers
  • Log Data: Server logs including access times, pages viewed, and referring URLs
  • Cookies: We use cookies and similar technologies as described in Section 6

1.3 Information from Third Parties

We may receive information from third-party services you connect to your account, such as authentication providers or code repositories.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Services
  • Process transactions and send related information
  • Send technical notices, updates, and support messages
  • Respond to your comments, questions, and requests
  • Monitor and analyze usage trends to improve user experience
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations

3. AI Processing

Our Services include AI-powered features that use Anthropic's Claude API. When you use AI features:

  • Your prompts and relevant content are sent to Anthropic for processing
  • Anthropic processes this data according to their privacy policy and data retention practices
  • AI-generated responses are returned to you through our Services
  • We do not use your content to train AI models
  • Chat conversations are stored on our servers to maintain continuity across sessions
  • Chat history is also cached in your browser's local storage for convenience
  • If you are authenticated, your chat messages may be associated with your account

You can choose not to use AI-powered features if you prefer not to have your content processed by third-party AI services.

4. How We Share Your Information

We share your information only in the following circumstances:

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Anthropic: AI processing for chatbot and AI-powered features
  • Cloudflare: Website hosting, content delivery, and edge security (including IP-based rate limiting)
  • Google Analytics: Website analytics and usage tracking
  • Google Fonts: Web font delivery (browser requests are sent to Google servers)
  • GitHub: Bug reports and feature requests submitted through our support forms are stored as issues in a private GitHub repository
  • Resend: Email delivery for blog notifications and newsletters

4.2 Authentication

We use Keycloak for authentication, which we self-host. Your authentication data remains under our control and is not shared with third parties.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

4.5 No Sale of Personal Information

We do not sell your personal information. We do not share your personal information for targeted advertising purposes.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you Services. Upon account deletion:

  • Your account information is deleted within 30 days
  • Your Content is deleted within 30 days (you may export it before deletion)
  • Billing records are retained as required by law (typically 7 years)
  • Anonymized usage data may be retained for analytics purposes

6. Cookies and Local Storage

Cookies

We use the following cookies:

  • ossum-session: A secure, same-site JWT token that keeps you logged in to your account. This cookie is required for authenticated features such as members-only blog content.
  • Analytics cookies: Google Analytics uses cookies to help us understand usage patterns, including pages visited, time on site, and navigation paths.

Browser Local Storage

We use your browser's local storage (not cookies) to store the following data on your device:

  • Authentication tokens: Access and refresh tokens for maintaining your session
  • Chat history: Your AI chatbot conversation history for convenience across page loads
  • Theme preference: Your dark/light mode setting
  • Playground code: RIDDL source code you write in the interactive playground

All local storage data remains on your device and is not transmitted to our servers except as needed to provide the Services (e.g., authentication tokens are sent with API requests). You can clear this data at any time through your browser settings.

7. Your Privacy Rights

Under the Virginia Consumer Data Protection Act (VCDPA) and other applicable laws, you have the following rights:

7.1 Right to Access

You have the right to confirm whether we are processing your personal data and to access that data.

7.2 Right to Correct

You have the right to correct inaccuracies in your personal data.

7.3 Right to Delete

You have the right to request deletion of your personal data, subject to certain legal exceptions.

7.4 Right to Data Portability

You have the right to obtain a copy of your personal data in a portable, readily usable format.

7.5 Right to Opt Out

You have the right to opt out of:

  • The sale of personal data (we do not sell your data)
  • Targeted advertising (we do not use your data for targeted advertising)
  • Profiling in furtherance of automated decisions

7.6 Right to Appeal

If we decline to take action on your request, you have the right to appeal. We will respond to appeals within 60 days.

Exercising Your Rights

To exercise any of these rights, please contact us at legal@ossuminc.com. We will respond to your request within 45 days. We may request additional information to verify your identity before processing your request.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of sensitive data at rest
  • Regular security assessments and updates
  • Access controls and authentication requirements
  • Employee training on data protection

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

Our Services are hosted in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States. By using our Services, you consent to such transfer.

10. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will delete that information promptly.

11. Third-Party Links

Our Services may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Services after such changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

Ossum Inc.
7870 Tidewater Drive STE 206-139
Norfolk, VA 23505-3717
Email: legal@ossuminc.com

14. Virginia Residents

If you are a Virginia resident, you have additional rights under the Virginia Consumer Data Protection Act (VCDPA). We honor all VCDPA rights as described in Section 7. If you believe we have not adequately addressed your privacy concerns, you may contact the Virginia Attorney General's Office.