Privacy Policy

1. Information We Collect

We collect information that you provide directly to us, information that is automatically collected when you use our Services, and information from third-party sources, as described below.

1.1 Information You Provide to Us

• Account Information: When you create an account, we collect your name or nickname, email address, profile image (if provided), and authentication credentials. If you sign in using a third-party service (such as Google or Apple), we may receive your name, email address, and profile information from that service.
• User Content: We collect Go game records in SGF format, move sequences, analysis annotations, custom board configurations, and any messages or feedback you send through our Services.
• Communication Information: When you contact us for support or communicate with us in any way, we collect your contact information and the content of your communications.
• Payment Information: For premium subscribers, our third-party payment processors (Apple, Google, RevenueCat) collect payment information. We do not store full payment card details on our servers. We may receive transaction information such as subscription status and billing dates.
• Preferences and Settings: We collect your preferences and settings within the Services, such as language, notification settings, and AI analysis preferences.

1.2 Information Automatically Collected

• Device Information: Device type, operating system, device identifiers (e.g. IDFA, AAID, installation ID), and mobile carrier.
• Usage Information: How you use Omoyo, including features accessed, games played, AI analysis usage, time spent, and interactions with content.
• Log Information: IP address (masked where appropriate), browser type and version, language settings, access times, referring URLs, and error logs.
• Performance Metrics: Latency between your device and our AI Workers, crash logs, and resource utilization related to AI analysis.
• Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to collect information about your interactions with our Services. See Section 8 for details.

1.3 Information from Third Parties

• Authentication Providers: If you sign in via Google or Apple, we receive information from that service as described above.
• Analytics Providers: We may receive aggregated analytics data from third-party services to understand how our Services are used.
• Payment Processors: We receive transaction and subscription status from Apple, Google, and RevenueCat.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To Provide and Operate the Services: To create and manage your account, authenticate you, store and sync your game records (SGF), provide AI analysis, and offer customer support.
• To Improve and Develop Our Services: To analyze usage patterns, identify issues, develop new features, and improve our Go engine and AI personalities.
• To Communicate with You: To send service-related communications (account notifications, security alerts, updates) and respond to inquiries. We may send marketing communications only with your consent (you may opt out at any time).
• To Ensure Security and Prevent Fraud: To detect, prevent, and investigate security threats, cheating, fraud, and abuse, and to protect the integrity of ranked play.
• To Comply with Legal Obligations: To comply with applicable laws, regulations, legal processes, and government requests, and to enforce our Terms of Service.
• To Process Payments: To process transactions, manage subscriptions, and handle refund requests (subject to platform policies).
• For Business Purposes: We may use aggregated, anonymized data for analytics, research, and service improvement.

Legal Basis for Processing (EU/UK Users): If you are in the EEA or UK, we process your personal data based on: Consent (e.g. marketing); Contract Performance (providing the Services); Legal Obligation (tax, legal requests); and Legitimate Interests (improving services, preventing fraud, optimizing our edge network), where your interests do not override ours.

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

3.1 With Your Consent

We may share your information with third parties when you have given explicit consent, for example when you choose to share a game or analysis with specific users or via a link.

3.2 Service Providers

We share your information with trusted third-party service providers who perform services on our behalf, including cloud and edge infrastructure (Cloudflare), authentication (Supabase), payment and subscription management (RevenueCat, Apple, Google), and analytics (e.g. Firebase). These providers are contractually obligated to protect your information and use it only for the purposes we specify.

3.3 Legal Requirements

We may disclose your information if required by law or if we believe disclosure is necessary to: comply with applicable laws or legal processes; respond to valid requests from law enforcement or government authorities; enforce our Terms of Service; protect the rights, property, or safety of Omoyo, our users, or others; or detect, prevent, or address fraud, security, or technical issues.

3.4 Business Transfers

If Omoyo is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

3.5 Aggregated or Anonymized Data

We may share aggregated or anonymized information that cannot reasonably identify you with third parties for research, analytics, or other purposes.

4. Data Retention

We retain your personal information for as long as necessary to provide the Services, fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Retention depends on the type of information:

• Account Information: Retained while your account is active. If you delete your account, we delete or anonymize account information within 30 days, except where we must retain data for legal or compliance reasons.
• Game Records (SGF): SGF records are preserved as archival historical data. When you delete your account, PII linked to the account is removed, but game moves and usernames recorded at the time of play may remain in the file to preserve the integrity of opponents' match history.
• Analysis Data: AI interaction logs and analysis data are anonymized and retained for up to 12 months to improve our AI and services.
• Backups: Encrypted backups may retain deleted data for up to 90 days for disaster recovery. We will not restore or make accessible data you have deleted unless required by law.
• Log Information: Logs (IP, access times, etc.) are retained for 12–24 months for security and debugging, then deleted or anonymized.
• Transaction and Payment Records: Retained for 7 years to comply with tax and accounting regulations.
• Legal and Compliance: We may retain certain information longer if required by law, legal processes, or for fraud prevention and security (e.g. up to 2 years where applicable).

Account Deletion Summary: When you delete your account: (1) Your account is deactivated immediately; (2) Within 30 days, account data is deleted from active systems; (3) Within 90 days, data is removed from backup systems where applicable; (4) Exceptions apply for transaction records (7 years) and data subject to legal holds. Once data is deleted, it cannot be recovered. Download your SGF library before deleting your account if you wish to keep copies.

5. Data Security

We implement appropriate technical, administrative, and physical safeguards to protect your personal information, including:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256 where applicable);
• Access controls and authentication to restrict access to authorized personnel;
• Salted hashes for passwords and anonymized IDs for internal analytics;
• Zero-Trust principles for administrative access to production environments;
• Regular security assessments and incident response procedures.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials. If we become aware of a security breach that may affect your personal information, we will notify you and relevant authorities as required by applicable law.

6. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information. We will honor your rights to the extent required by applicable law.

6.1 Access and Portability

You have the right to access the personal information we hold about you and to receive a copy in a structured, machine-readable format (including your SGF library). You can request a copy by contacting us.

6.2 Correction

You have the right to correct inaccurate or incomplete personal information. You can update your account information in the app settings or contact us to request corrections.

6.3 Deletion

You have the right to request deletion of your personal information. You can delete your account via the app (e.g. Settings → Delete Account) or by contacting us. We will delete your information within a reasonable time, subject to legal obligations and the archival treatment of game records described in Section 4.

6.4 Objection and Restriction

You have the right to object to certain processing (e.g. direct marketing) and to request restriction of processing in certain circumstances.

6.5 Withdrawal of Consent

Where we process your data based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

6.6 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights: Right to Know what personal information we collect and use (we do not sell personal information); Right to Delete; Right to Correct; Right to Opt-Out of sale or sharing (we do not sell or share for cross-context behavioral advertising); Right to Non-Discrimination. To exercise these rights, contact us at [email protected].

6.7 European Privacy Rights (GDPR)

If you are in the EEA or UK, you have rights under the GDPR, including: right of access (Article 15); right to rectification (Article 16); right to erasure (Article 17); right to restriction of processing (Article 18); right to data portability (Article 20); right to object (Article 21); right to withdraw consent (Article 7(3)). To exercise these rights, contact us at [email protected].

6.8 How to Exercise Your Rights

To exercise any of your rights, contact us at [email protected]. We will respond within the timeframes required by applicable law (typically 30 days). We may need to verify your identity before processing your request.

7. Children's Privacy

Omoyo is not intended for individuals under the age of 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at [email protected], and we will take steps to delete such information. In some jurisdictions the minimum age may be higher (e.g. 16); we comply with applicable minimum age requirements.

8. Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to collect information about your interactions with our Services. Types we use: Essential (required for the Services to function, e.g. authentication); Functional (preferences and settings); Analytics (to understand and improve usage). You can control cookies through your browser settings; disabling certain cookies may affect functionality.

9. International Data Transfers and Edge Infrastructure

Omoyo is edge-native: your data is processed across a global network (via Cloudflare Workers and D1) to provide low-latency service. Data may be processed in countries outside the EEA/UK.

Safeguards for EEA/UK/Switzerland: We use Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) GDPR) with our infrastructure and service providers so that transfers receive a level of protection essentially equivalent to that in the EEA. We also rely on supplementary measures such as encryption in transit and at rest, access controls, and compliance monitoring. Your GDPR rights continue to apply. By using Omoyo, you acknowledge and consent to the transfer of your personal data to these locations subject to the safeguards in this Policy. If you do not consent, you should not use our Services; you may delete your account at any time.

10. Third-Party SDKs and Services

Omoyo integrates third-party SDKs and services. Your information may be collected, processed, and shared with these providers in accordance with their privacy policies. We share only the minimum necessary (e.g. device identifiers, usage data, subscription status, crash data) to enable functionality. We do not share your game records or personal content with these services unless required for a feature you choose. Key partners:

11. Changes to This Privacy Policy

We may update this Policy to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will provide notice through the Services, by email, or other reasonable means, and update the "Last Updated" date. Where required by law (e.g. in the EU), we will give at least 30 days' notice before material changes take effect. Your continued use after the effective date constitutes acceptance of the revised Policy. If you do not agree, you must stop using the Services and may delete your account.

12. Data Controller and Contact

Controller: For account data, service usage data, payment and subscription data, and communications with us, Omoyo is the data controller. For the game records (SGF) and other content you create and store through the Services, you determine the purposes and means of processing; we act as processor in providing storage and sync. You are responsible for ensuring you have the right to upload and share that content and for responding to data subject requests relating to it where applicable.

For all privacy-related inquiries, data access requests, or complaints, contact: