Privacy Policy
Effective: 2026-05-10
Last updated: 2026-06-10
OntoRamp LLC ("OntoRamp", "we", "us", "our") provides governance assessment, decision-quality, and AI architecture safety services through APIs, web applications, and integrations (the "Service"). This Privacy Policy explains what data we collect, why we collect it, what we do with it, and what choices you have.
In plain English We collect what we need to run the service for you, store it carefully, name every outside vendor that touches it, and don't use your content to train AI models. If you're in the EU, UK, California, or Canada, you have specific rights — they're listed below.
1. Who this applies to
This Policy applies to:
- Customers — organizations and individuals who sign up for and use the Service
- End users — people who use applications built on the Service by our customers (e.g., users of a customer's product that integrates the Service)
- Visitors — anyone who visits ontoramp.com or related sites
If you are an end user of a customer's product: the customer is the controller of your personal data. Their privacy policy governs that relationship; this Policy describes our role as their processor.
2. What we collect
2.1 — Information you give us
| Category | Examples | Purpose |
|---|---|---|
| Account information | Name, email, password (hashed), organization name, role | Account creation; authentication; team access control |
| Billing information | Payment method (held by Stripe), billing address, tax ID, invoice history | Payments, tax automation, invoicing |
| Communication content | Emails to m@ontoramp.com, in-product messages | Customer support; service improvement |
| Service inputs | Prompts, governance subjects, decision contexts, organizational artifacts you submit to the Service | Producing verdicts and other Service outputs for you |
2.2 — Information generated through your use of the Service
| Category | Examples | Purpose |
|---|---|---|
| Service outputs | Verdicts, scores, recommendations, remediation paths, exports | Delivering the Service |
| Usage telemetry | API call counts, latency, error rates, feature usage | Operations, billing, performance monitoring |
| Account events | Login times, plan changes, payment events, audit log entries | Security; account history; billing |
2.3 — Information collected automatically
| Category | Examples | Purpose |
|---|---|---|
| Device + browser | IP address, user-agent, browser type, device type, language | Security, fraud prevention, analytics |
| Cookies + local storage | Session cookies, authentication tokens, preference cookies, analytics identifiers | See §10 (Cookies) |
| Network metadata | Approximate location (city-level, derived from IP), connection metadata | Security; geo-aware behaviors (e.g., tax determination) |
2.4 — Information we do NOT collect
We do not collect:
- biometric data
- precise GPS location
- any data we have not disclosed in this Policy
3. How we use your data — and what we never use it for
3.1 — Purposes for which we use your data
- to deliver the Service to you (process inputs, return verdicts, store account state)
- to bill you (process payments, calculate tax, issue invoices)
- to communicate with you (account notifications, billing notices, transactional emails, support replies)
- to secure the Service (detect abuse, investigate incidents, prevent fraud)
- to comply with legal obligations (respond to lawful requests, meet tax reporting requirements)
- to operate and improve the Service (described in §3.2 with strict limits)
3.2 — What we never do
- We do not use your data to train foundation AI models or share it with any third-party model provider.
- We do not mine, analyze, or learn from the content of your verdicts, prompts, decisions, or any artifact you submit.
3.3 — What we do — strictly at the structural level
We observe abstracted patterns about how the Service is used — things like graph topology, call sequences, gate-trigger frequency, and how the platform's underlying structures evolve in shape. All measurements are stripped of customer, user, and tenant identifiers before any analysis.
The distinction matters: we learn from the shape and rhythm of how the platform is used, never from the substance of what you put through it. Your verdicts, decisions, and organizational data belong to you, are processed only to deliver your Service to you, and never inform anything outside your account.
In plain English
We watch how the system is used. We do not read what you put into it.
Our pattern-extraction pipelines are designed so that re-identifying you or your data is impossible by construction — not just by promise.
3.4 — Ownership of Service outputs
You own the verdicts, scores, recommendations, and other outputs the Service produces for you. We license you the Service; we do not claim ownership of the outputs of your use of it.
4. Legal bases for processing (GDPR / UK GDPR)
If you are located in the EU, the European Economic Area, or the United Kingdom, the legal bases on which we process your personal data are:
| Basis | Used for |
|---|---|
| Contract (GDPR Art 6(1)(b)) | Delivering the Service to you under our Terms of Service; processing payments; providing support |
| Legitimate interests (Art 6(1)(f)) | Securing the Service; fraud prevention; observing structural usage patterns (§3.3); communicating about service-essential changes |
| Legal obligation (Art 6(1)(c)) | Tax reporting; responding to lawful requests; record-keeping |
| Consent (Art 6(1)(a)) | Optional cookies and analytics (§10); marketing communications (where we send any) |
You can withdraw consent at any time by contacting m@ontoramp.com or by using the cookie-preferences control on our sites.
5. Sub-processors — outside services that touch your data
We use a small number of carefully chosen vendors to operate the Service. Each is bound by data-protection terms equivalent to those we offer you.
5.1 — Current sub-processor list (as of this Policy version)
| Vendor | Role | Data categories | Region |
|---|---|---|---|
| Supabase | Database, authentication, storage | Account data, service inputs and outputs, audit log | United States (primary) |
| Fly.io | Application hosting and container orchestration | All Service traffic; transient processing | Multi-region (primary US; edge regions where required for performance) |
| Stripe | Payment processing, tax automation, invoicing | Billing information, transaction history, tax data | United States (with global edge for Stripe Tax) |
| Resend | Transactional email delivery | Email address, message content of transactional emails | United States |
| Anthropic | AI model inference (Claude family models) for producing verdicts, scoring, and structured outputs | Service inputs (prompts and contexts); model outputs returned to OntoRamp | United States |
| Vercel | Hosting and edge delivery of the OntoRamp website and web application | Web/application requests; IP address and request metadata; transient processing | United States (primary; global edge network) |
5.2 — Notice of changes
We will notify you of new sub-processors before they begin processing your data. Notice is given via:
- email to the account-admin contact, AND
- update to this Policy with a new effective date
Customers on a Data Processing Addendum (see Data Processing Addendum) may object to new sub-processors per the terms of that addendum.
5.3 — Cross-border transfers
Most sub-processors are based in the United States. Where personal data is transferred from the EU, EEA, or UK to the United States (or to other countries without an adequacy decision), we rely on:
- the EU Standard Contractual Clauses (2021 SCCs, Module 2 controller-processor and Module 3 processor-processor as applicable), and
- the UK Addendum to the EU SCCs
Copies of these are available on request to m@ontoramp.com and are referenced in our Data Processing Addendum.
6. How long we keep your data — retention
| Data category | Free tier | Paid tier |
|---|---|---|
| Account information | While your account is active; deleted within 90 days of account closure | While your account is active; deleted within 90 days of account closure |
| Verdicts, scores, recommendations | 30 days after generation, then deleted | 1 year after generation, then deleted |
| Service inputs (prompts, contexts, artifacts) | 30 days, then deleted | 1 year, then deleted |
| Usage telemetry | 12 months in identifiable form; longer in aggregated, identifier-stripped form per §3.3 | Same |
| Billing records | As required by tax law (typically 7 years in the United States; varies by jurisdiction) | Same |
| Audit log entries | 12 months | 12 months (longer plans available on request for regulated customers) |
| Support communications | 24 months from last reply | 24 months from last reply |
Retention schedules may be extended where legally required (litigation hold, regulatory request, tax obligation).
7. Your rights
7.1 — Rights for everyone
You can:
- ask us what personal data we hold about you;
- ask us to correct inaccurate data;
- ask us to delete your data (subject to retention limits in §6 and any legal-hold obligations);
- withdraw consent for optional processing (cookies, marketing).
To exercise these rights, email m@ontoramp.com. We will respond within 30 days. If we need more time (rare), we will tell you why.
7.2 — Additional rights for EU / EEA / UK residents (GDPR + UK GDPR)
In addition to the rights above, you have the rights to:
- access (GDPR Art 15) — receive a copy of the personal data we hold about you
- rectification (Art 16) — have inaccurate data corrected
- erasure (Art 17) — have your data deleted (the "right to be forgotten")
- restriction of processing (Art 18) — limit how we process your data
- data portability (Art 20) — receive your data in a structured, commonly used format
- objection (Art 21) — object to processing based on legitimate interests
- not be subject to solely automated decision-making (Art 22) — note that our verdicts are advisory only and do not constitute solely automated decisions; see the Verdict Liability Disclaimer
Note on data portability (Art 20): Phase 1, we handle export requests manually within 30 days. Self-serve data-export tooling is on our roadmap for Phase 2.
You have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is at https://edpb.europa.eu/about-edpb/board/members_en. For the UK: https://ico.org.uk.
7.3 — Additional rights for California residents (CCPA / CPRA)
If you are a California resident, you have the rights to:
- know what personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it
- access a copy of the specific personal information we have collected about you (in the past 12 months)
- delete your personal information (subject to limited exceptions)
- correct inaccurate personal information
- opt out of sale or sharing of your personal information (we do not sell or share personal information as defined under CPRA — see §7.3.1)
- limit use of sensitive personal information (we do not collect sensitive personal information as defined under CPRA in any way that would trigger this right)
- non-discrimination — exercising your rights will not result in different pricing or service quality
7.3.1 — Sale and sharing disclosure
We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the prior 12 months.
7.3.2 — Categories collected (CPRA disclosure)
In the prior 12 months, we have collected the following categories of personal information (mapped to CPRA categories):
- Identifiers — name, email, IP address, account identifiers
- Customer records — billing address, payment information (held by Stripe)
- Commercial information — purchase history, plan information
- Internet/network activity — Service usage logs, cookies, device information
- Geolocation — IP-derived approximate (city-level) location
- Inference data — none (per §3.3, we do not infer personal characteristics from your content)
7.3.3 — How to exercise California rights
Email m@ontoramp.com with subject line "California privacy request" and the right(s) you wish to exercise. We will verify your identity using account information and respond within 45 days (extendable by 45 days where reasonably necessary).
You may designate an authorized agent to make a request on your behalf. Authorized agents must provide written authorization and proof of identity.
7.4 — Additional rights for Canadian residents (PIPEDA)
If you are a Canadian resident, you have the rights to:
- access the personal information we hold about you
- challenge the accuracy of that information and have it corrected
- withdraw consent (where consent was the basis for processing)
To exercise these rights, email m@ontoramp.com. We will respond within 30 days, consistent with PIPEDA Principle 9 (Individual Access).
The Office of the Privacy Commissioner of Canada is at https://www.priv.gc.ca.
8. How we protect your data
8.1 — Technical measures
- Encryption in transit — TLS 1.2 or higher on all customer-facing endpoints
- Encryption at rest — AES-256 (or equivalent) for stored data; managed-key infrastructure via Supabase
- Access controls — role-based access for OntoRamp personnel; principle of least privilege; multi-factor authentication required for production access
- Audit logging — all production access logged and retained for 12 months minimum
- Network isolation — production segregated from non-production environments
- Secure software development — code review, automated static analysis, dependency vulnerability scanning
8.2 — Organizational measures
- Personnel sign confidentiality agreements
- Access to customer data is restricted to personnel with a need-to-know
- Vendor selection includes data-protection assessment
- Incident response process for breach notification (see §8.3)
8.3 — Breach notification
If we become aware of a personal-data breach affecting your data, we will notify:
- you, where required by law (GDPR Art 34 high-risk; equivalent state-law thresholds), without undue delay
- relevant supervisory authorities, as required by GDPR Art 33 (within 72 hours of awareness) and equivalent jurisdictional rules
- our Data Processing Addendum customers per the terms of their DPA (see Data Processing Addendum)
8.4 — No system is perfectly secure
We use industry-standard practices. Despite our best efforts, no security measure is perfect. If you become aware of any vulnerability or incident, please report it to m@ontoramp.com.
9. Children
The Service is not directed to children under 16 (or, in some jurisdictions, 13). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact m@ontoramp.com and we will delete it.
10. Cookies and similar technologies
10.1 — Categories of cookies we use
| Category | Purpose | Examples | Consent required? |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security | Auth tokens, CSRF tokens | No (essential to provide the Service) |
| Functional | Remembering preferences (theme, language) | Preference cookies | EU/UK: yes (granular) |
| Analytics | Aggregated usage statistics for product improvement | Per §3.3 (identifier-stripped) | EU/UK: yes |
| Marketing | Not used in Phase 1 | — | — |
10.2 — EU / UK cookie consent
If you visit our sites from the EU, EEA, or UK, you will see a cookie banner the first time you arrive. You can accept all, reject all (except strictly necessary), or customize per category. You can change your preferences any time via the "Cookie preferences" link in our site footer.
10.3 — Do Not Track
We honor the GPC (Global Privacy Control) signal where applicable. We do not currently use cookies that respond to legacy DNT headers, but we treat GPC as an opt-out of any optional processing.
11. International users — data location and transfer
OntoRamp's primary infrastructure is in the United States. By using the Service, you consent to the transfer of your personal data to the United States and, where applicable, to other countries where our sub-processors operate.
For EU / EEA / UK personal data transfers to the United States or other non-adequate countries, we rely on:
- the EU Standard Contractual Clauses (2021)
- the UK Addendum to the EU SCCs
Copies are available on request and referenced in our Data Processing Addendum.
If, in future, regional infrastructure becomes available (e.g., EU-only hosting), we will update this Policy.
12. Changes to this Policy
We may update this Policy from time to time. When we do, we will:
- update the "Last updated" date at the top
- notify account admins by email for material changes
- provide a 30-day notice period before material changes take effect (where notice is feasible and not overridden by legal obligation)
Material changes include changes to the categories of data collected, the purposes of processing, the sub-processor list, or the rights available to you.
13. Contact us
For all privacy questions, requests, or complaints:
Email: m@ontoramp.com
Subject prefix: "Privacy" (helps us route)
For Data Processing Addendum requests (business customers): same email, subject "DPA request".
For supervisory-authority complaints: see §7.2 (EU/UK), §7.3 (California), §7.4 (Canada).
OntoRamp LLC, a Wyoming limited liability company. Governing law: Wyoming.