Privacy Policy

Effective Date: February 2, 2026

The Short Version

Most privacy policies tell you what the company promises. This one tells you what the architecture enforces. We built Ourclave so that protecting your privacy isn't a choice we make — it's a constraint of the system.

Here's what matters:

  • Your health data is encrypted on your device. We cannot read it.
  • Your password never leaves your device. We never see it, store it, or transmit it.
  • Third-party apps run in a sandbox with no network access. They can analyze your data but cannot send it anywhere.
  • When you sync across devices, we store encrypted blobs that are meaningless to us.
  • We have zero ability to sell, share, or analyze your health data — because we never have it in readable form.

This is not a promise. It is a description of how the software works.

1. Who We Are

Ourclave, Inc. ("Ourclave," "we," "us," "our") operates the Ourclave privacy-preserving health analytics platform, including the desktop application, mobile application (when available), and related services.

Ourclave is a consumer wellness platform. We are not a healthcare provider, health plan, or healthcare clearinghouse. We do not diagnose, treat, or prescribe. We do not process insurance claims.

2. What We Mean by "Your Data"

Throughout this policy, we distinguish between two categories:

Health Data (Local-Only): Your wellness and health information — wearable metrics, lab results, notes, experiments, documents, and any data you import from connected services. This data is encrypted on your device and never transmitted to us in readable form.

Account Data (Server-Stored): Your email address, subscription status, and authentication tokens. This is the minimal information we need to provide you an account and process payments.

These two categories are handled completely differently, and this policy explains each in detail.

3. How Your Data Is Protected: The Architecture

We believe you should know exactly how your data is protected, not just that it is. Here is the technical architecture:

3.1 Encryption at Rest

Your Health Data is stored in an encrypted database on your device using SQLCipher — an open-source, peer-reviewed encryption extension for SQLite. The encryption uses AES-256 in CBC mode with HMAC-SHA512 authentication.

Your encryption key is derived from your password using Argon2id — the winner of the Password Hashing Competition (2015) and the current state-of-the-art for password-based key derivation. Argon2id is resistant to GPU-based and ASIC-based cracking attacks.

What this means in practice:

  • Your password is never stored anywhere — not on your device, not on our servers, not anywhere
  • Your password never leaves your device — it is used locally to derive the encryption key
  • Without your password, the database is a meaningless blob of encrypted bytes
  • We cannot reset your password for you — this is a feature, not a limitation
  • If you lose your password, your data is unrecoverable — because no one else can decrypt it

3.2 Encryption in Transit

When your data syncs across devices, it is encrypted before it leaves your device using AES-256-GCM (Galois/Counter Mode). The encryption key is derived from your password, which we never have.

What our servers see: Encrypted blobs. We store them, sync them to your other devices, and have zero ability to read them. A breach of our servers would expose only encrypted data that is computationally infeasible to decrypt.

3.3 The Sandbox

Third-party applications on Ourclave run in a sandboxed JavaScript runtime (based on QuickJS) with the following architectural constraints:

  • No network primitives. The sandbox has no fetch(), XMLHttpRequest, WebSocket, or any other mechanism to make network requests. These APIs do not exist in the runtime.
  • Controlled data exit. The only way for data to leave the sandbox is through nexus.fetch(), a controlled API provided by our Rust SDK.
  • PII scanning. Every outbound request through nexus.fetch() is scanned for personal information using 16 pattern categories (see Technical Appendix). If personal information is detected, the request is blocked.
  • Recursive decode. The PII scanner decodes Base64 and hexadecimal encoding recursively to prevent obfuscation.
  • Domain whitelisting. Outbound requests are restricted to pre-approved domains.

What this means: A third-party app can read and analyze all of your health data locally. It cannot send that data anywhere. This is enforced by the architecture of the runtime, not by a policy or agreement.

4. What We Collect (And What We Don't)

Data We NEVER Collect

Data Type | Collected? | Why Not
Your health metrics (heart rate, sleep, steps, HRV, etc.) | Never | Encrypted on your device. We cannot read it.
Your lab results or medical documents | Never | Encrypted on your device. We cannot read it.
Your notes, health journal entries | Never | Encrypted on your device. We cannot read it.
Your N=1 experiment data or results | Never | Computed locally. Never transmitted.
Your password or encryption key | Never | Derived locally via Argon2id. Never transmitted.
Your biometric data (fingerprint, face) | Never | We do not use biometric authentication.
Your location | Never | We do not request or use location services.

Data We Collect

Data Type | Purpose | Storage | Retention
Email address | Account creation, login, essential communications | Our servers (encrypted at rest) | Until account deletion
Subscription status | Determine feature access (Free/Pro/Family) | Our servers | Until account deletion
OAuth tokens (for connected services) | Pull data from Strava, Oura, Withings, etc. at your direction | Encrypted on your device | Until you disconnect the service
Encrypted sync blobs | Sync your data across your devices | Our servers (encrypted, we cannot read) | Until you delete them or delete your account
App crash reports (opt-in) | Fix bugs and improve stability | Third-party crash reporting service | 90 days
Anonymous usage analytics (opt-in) | Understand which features are used | Analytics service (no PII) | 12 months

Analytics and Telemetry

If you opt in to analytics, we collect anonymous, aggregated usage data such as:

  • Which features are used (e.g., "user opened Calendar view" — not what they saw)
  • App performance metrics (load times, crash frequency)
  • Device type and OS version

We do not collect:

  • Any health data content
  • Search queries or text input
  • Which data sources you've connected
  • Any information that could identify you individually

Analytics are opt-in. The app works fully without them. You can change your preference at any time in Settings.

5. Third-Party Apps and the Sandbox

Ourclave supports third-party applications ("modules") that run inside the sandboxed environment described in Section 3.3.

What third-party apps CAN do:

  • Read your health data (with your permission)
  • Perform analysis and computation locally on your device
  • Display results to you within the app

What third-party apps CANNOT do:

  • Access the network (no fetch, no WebSocket, no network primitives exist in the sandbox)
  • Send your data to external servers (architecturally prevented)
  • Access your device's file system, camera, microphone, or other hardware
  • Access data from other third-party apps
  • Persist data outside their allocated storage

Our review process: All third-party apps submitted to the Ourclave marketplace are reviewed for compliance with our security requirements before publication. However, the sandbox architecture means that even a malicious app cannot exfiltrate your data — the capability does not exist in the runtime.

6. Data Sources and Connectors

When you connect a data source (e.g., Strava, Oura, Withings), the following happens:

  1. You authorize the connection via OAuth 2.0 with PKCE — an industry-standard secure authorization flow
  2. Our OAuth backend exchanges the authorization code for access tokens
  3. Access tokens are stored encrypted on your device
  4. Data is pulled from the source to your device and encrypted into your local database
  5. The raw data from the source is never stored on our servers in readable form

You can disconnect any data source at any time. This revokes the OAuth token and stops data synchronization from that source. Data already imported remains encrypted on your device until you delete it.

7. Sync Across Devices

If you enable multi-device sync:

  1. Your data is encrypted on your device using a key derived from your password (AES-256-GCM)
  2. The encrypted blob is transmitted to our sync servers over TLS
  3. Our servers store the encrypted blob and make it available to your other devices
  4. Your other device downloads the blob and decrypts it locally using your password

We cannot read synced data. Our servers are a storage relay for encrypted blobs. A complete breach of our sync infrastructure would expose only encrypted data that cannot be decrypted without your password.

We cannot reset your sync data. Because we cannot read it, we cannot modify, filter, or repair it. This is a trade-off we made deliberately in favor of your privacy.

8. AI and Local Language Models

Ourclave includes an AI assistant powered by a language model that runs entirely on your device.

  • The model runs locally — no data is sent to cloud AI services
  • Your health data is processed by the local model and never leaves your device
  • The model's responses are generated on your device and not transmitted anywhere
  • We use open-source models licensed under Apache 2.0 or MIT

We do not use your data to train AI models. Your health data never leaves your device, so it is technically impossible for us to use it for model training.

9. What We Share With Third Parties

Your Health Data: We share your health data with no one. We cannot — it is encrypted on your device and we do not have the keys.

Your Account Data: We share minimal account data only as necessary:

Recipient | Data Shared | Purpose
Payment processor (Stripe) | Email, subscription plan | Process payments
Email service provider | Email address | Send essential account communications (password reset, security alerts)
Crash reporting (if opted in) | Anonymous crash data, device type | Fix bugs
Analytics (if opted in) | Anonymous usage events | Improve product

We do not sell, rent, lease, or trade any user data — personal, health, or otherwise — to any third party, for any purpose, ever.

We do not use your data for advertising, profiling, or targeting.

10. Data Retention and Deletion

Health Data: Stored on your device until you delete it. When you delete data, it is removed from the encrypted database. If sync is enabled, deletion syncs across your devices.

Account Data: Retained until you delete your account. Upon account deletion:

  • Your email and subscription data are permanently deleted from our servers within 30 days
  • All encrypted sync blobs are permanently deleted from our servers within 30 days
  • Data on your local device is not affected (you control your device)

Sync Blobs: Encrypted sync data is retained on our servers for as long as your account is active. Upon account deletion, sync blobs are permanently deleted within 30 days.

Crash Reports and Analytics: Retained for the periods specified in Section 4 (90 days and 12 months, respectively), then automatically deleted.

11. Your Rights

All Users

Regardless of where you live, you have the right to:

  • Access your data (it's on your device — you always have access)
  • Delete your data (from your device and our servers)
  • Export your data (from the app in standard formats)
  • Disconnect any data source at any time
  • Opt out of analytics and crash reporting at any time
  • Delete your account and all associated data

California Residents (CCPA / CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

  • Know what personal information we collect and how we use it (see Section 4)
  • Delete your personal information
  • Opt out of the sale of personal information — we do not sell personal information, so there is nothing to opt out of
  • Non-discrimination — we will not discriminate against you for exercising your rights

To exercise your rights, contact us at the address in Section 14.

Washington Residents (My Health My Data Act)

Under the Washington My Health My Data Act, you have the right to:

  • Know what consumer health data we collect (see Section 4 — we collect none in readable form)
  • Withdraw consent for the collection of consumer health data
  • Delete your consumer health data

Our architecture is inherently compliant with this law: your health data is encrypted on your device, and we never have access to it in readable form.

European Economic Area Residents (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation:

  • Access your personal data
  • Rectification of inaccurate personal data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time

Legal basis for processing: We process your Account Data based on contractual necessity (providing you the service you signed up for). Analytics, if you opt in, are processed based on your consent.

Data transfers: If your Account Data is stored on servers outside the EEA, we use Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

12. Children's Privacy

Ourclave is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete the account.

The Ourclave Family plan allows parents/guardians to manage health data for family members, including minors over 13 with parental consent. All family member data is subject to the same encryption and privacy protections described in this policy.

13. Changes to This Policy

We will notify you of material changes to this Privacy Policy by:

  • Email (to the address associated with your account)
  • In-app notification
  • Posting the updated policy with a new "Last Updated" date

We will not materially reduce the privacy protections described in this policy without your affirmative consent.

14. Contact Us

For privacy questions, data requests, or concerns:

Email: privacy@ourclave.com

Mail: Ourclave, Inc.

Response Time: We aim to respond to all privacy inquiries within 10 business days.

15. Technical Appendix

For users, researchers, and regulators who want to verify our claims.

Encryption Specifications

Component | Algorithm | Key Size | Notes
Database encryption | AES-256-CBC (via SQLCipher) | 256-bit | HMAC-SHA512 page authentication
Key derivation | Argon2id | 256-bit output | Memory-hard, GPU/ASIC resistant
Sync encryption | AES-256-GCM | 256-bit | Authenticated encryption with associated data
Transport | TLS 1.2+ | — | All network communication

PII Scanner Pattern Categories

The sandbox PII scanner checks outbound requests for the following 16 categories:

  1. Email addresses
  2. Phone numbers
  3. Social Security Numbers (SSN)
  4. Credit card numbers
  5. Date of birth patterns
  6. Street addresses
  7. GPS coordinates
  8. IP addresses
  9. Medical record numbers
  10. Health metric values (heart rate, blood pressure, weight, etc.)
  11. Lab result values
  12. Medication names
  13. Full names (when combined with health context)
  14. Driver's license numbers
  15. Passport numbers
  16. Biometric identifiers

The scanner applies recursively — it decodes Base64 and hexadecimal encoding to detect obfuscated PII.
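As an added, illustrative example of the two checks described in Section 3.3 and in this appendix (domain whitelisting, and a PII scan that recursively decodes Base64 and hexadecimal before matching), here is a small outbound-request gate in Python. It is not Ourclave's scanner or SDK code: the allowlisted domain, the function names, the recursion limit and the four patterns (a subset of the 16 categories listed above) are all constructed for this example, as are the sample payloads. It shows why the recursive decode matters: the same email address and heart-rate value are caught whether they appear in plain text, Base64, or hex-wrapped Base64.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed allowlist for the example; the real pre-approved domain list is not on the page.
ALLOWED_DOMAINS = {"api.example-partner.test"}

# Illustrative subset of the 16 pattern categories. These regexes are constructed
# for the example and are deliberately simple, not the production scanner's patterns.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "heart_rate": re.compile(r"\b(?:hr|heart[ _]?rate)\s*[:=]\s*\d{2,3}\b", re.I),
}

# Tokens that look like an encoding layer worth peeling off.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_TOKEN = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")

# Bound on nested decoding so a payload cannot make the scanner loop forever.
MAX_DEPTH = 4


def _decode_candidates(text):
    """Yield the decoded text of every Base64- or hex-looking token in `text`.

    Tokens that do not decode cleanly to UTF-8 are skipped: they are either
    not an encoding layer at all or carry binary we cannot pattern-match.
    """
    for m in BASE64_TOKEN.finditer(text):
        tok = m.group(0)
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            yield raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    for m in HEX_TOKEN.finditer(text):
        try:
            yield bytes.fromhex(m.group(0)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue


def scan_pii(text, depth=0):
    """Return the sorted category names found in `text` or in any decoded layer beneath it."""
    hits = {name for name, pat in PII_PATTERNS.items() if pat.search(text)}
    if depth < MAX_DEPTH:
        for decoded in _decode_candidates(text):
            hits.update(scan_pii(decoded, depth + 1))
    return sorted(hits)


def check_outbound(url, body):
    """Gate an outbound request: allowlisted host first, then PII scan of the body.

    Returns (allowed, reason). Both checks must pass for the request to go out.
    """
    host = urlparse(url).hostname or ""
    if host not in ALLOWED_DOMAINS:
        return False, f"domain not allowlisted: {host}"
    hits = scan_pii(body)
    if hits:
        return False, "PII detected: " + ", ".join(hits)
    return True, "ok"


# Constructed sample payloads: the same content in plain text, Base64, and hex-of-Base64.
SAMPLE_PLAIN = "hr=72 contact: jane@example.com"
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAIN.encode()).decode()
SAMPLE_HEX_OF_B64 = SAMPLE_B64.encode().hex()


if __name__ == "__main__":
    for label, body in [("plain", SAMPLE_PLAIN), ("base64", SAMPLE_B64), ("hex(base64)", SAMPLE_HEX_OF_B64)]:
        print(label, "->", scan_pii(body))
    print(check_outbound("https://api.example-partner.test/v1/summary", "steps=10432 today"))
    print(check_outbound("https://api.example-partner.test/v1/summary", SAMPLE_HEX_OF_B64))
```

The design point is the order of checks and the bounded recursion: the host check is cheap and runs first, the scanner treats every decodable token as a possible wrapping layer and rescans what comes out, and `MAX_DEPTH` caps how many layers it will peel so the gate itself cannot be stalled by deeply nested input.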

Open Source Components

Component | License | Purpose
SQLCipher | BSD-3-Clause | Encrypted database
Argon2 (via argon2 crate) | Apache 2.0 / MIT | Password-based key derivation
ring (Rust) | ISC-style | Cryptographic primitives
QuickJS | MIT | Sandboxed JavaScript runtime

Full license texts and attribution notices are available in the application under Settings > Open Source Licenses.

© 2026 Ourclave, Inc.