Privacy policy

EFFECTIVE: 11 MAY 2026 · LAST REVIEWED: 11 MAY 2026 · VERSION 2.0

Odahl is built by Fiduci Group Pty Ltd ("Fiduci", "we", "us") in Sydney, Australia. This policy is in plain English first, formal terms second. Where Australian Privacy Principles, the EU GDPR, the UK Data Protection Act 2018, California CPRA, or the New Zealand Privacy Act 2020 apply to you, we honour the stricter of the protections.

Two-sentence summary. Odahl is a zero-knowledge reasoning service — your conversations and your knowledge web stay yours. The single, surgical exception is Minima-Cursie, where you can opt in to send anonymous, summary-only coding traces to help train Odahl's public learning engine; that path is opt-out at any time and never sees your source code.

1. Our zero-knowledge architecture

Odahl does not call frontier model APIs (Anthropic, OpenAI, Google, Mistral, Meta, or anyone else). All reasoning happens on infrastructure we control, using our own Belisama-native engine. There is no third-party model provider that sees your messages.

Inside our infrastructure:

Belisama substrate (your knowledge web) — encrypted at rest with per-user envelope keys. We hold the encryption key wrapper, but never the plaintext content of your substrate alongside your account identifier. Database backups carry the same envelope.
Conversations — stored on Postgres (IONOS, Frankfurt-region by default for EU residents, Sydney for AU residents). Encrypted at rest by the database; envelope-encrypted at the row level for substrate writes.
Operational logs — never carry full message bodies. Only metadata: timestamps, class, latency, error class. Retention: 30 days then aggregated to weekly counters.

2. What we collect — and why

Category	What	Why	Retention
Account	Email, password hash (PBKDF2, 600k iter), display name	Operate the service, authenticate you	Until account closure + 30 days
Session	SHA-256 of session token, IP at issue, user-agent	Detect and revoke compromised sessions	30 days after last use
Substrate	The Belisama node web you build via chat	The product itself; without it the reasoning engine has nothing to ground on	While account active + 90-day grace; cryptographic shred thereafter
Conversations	Messages you send and the reasoning engine's replies	Lets you scroll back, branch, and resume	Subscription lifetime + 90 days; user can delete any time
Billing	Stripe customer ID + plan; never a full PAN, CVV, or expiry — those stay with Stripe	Process subscription payments	7 years (Australian tax-compliance minimum)
Email	Outbound transactional email events from Resend (delivered / bounced / opened metadata)	Detect undeliverable addresses, security alerts	180 days
Minima-Cursie traces (opt-in)	Anonymous, summary-only coding traces tagged by a per-install `trace_token`. Never your source code, never your identity, unless you sign in first and explicitly attach.	Improve the public Cursie learning engine (the "data flywheel")	Until you opt out or request export-then-erasure

3. Minima-Cursie — the only data flow you should know about

Minima-Cursie is our free, MIT-licensed coding companion. By default, the CLI streams a small summary of each indexing run (a histogram of node kinds + up to 50 sample subject strings, never raw source) to https://api.odahl.ai/api/cursie/ingest. This feeds the Cursie Supremi distiller, which produces deterministic nodes that improve the next version of the engine.

Three switches give you full control:

odahl-minima --no-telemetry <command> — skips ingest for one invocation.
odahl-minima opt-out — permanently blocks ingest for your install. The opt-out is honoured at the database layer; subsequent posts with your trace_token are dropped before the payload is read.
odahl-minima export — returns every trace ever ingested under your token as JSON. You can audit exactly what we have.

If you've never invoked Minima-Cursie, none of this applies to your account.

4. How we use it

We use your data only to operate Odahl for you. Specifically, we do not:

Sell, rent, or license your data to anyone, for any purpose, ever.
Use your substrate, conversations, or anything except opt-in Minima-Cursie traces to train any model (ours or anyone else's).
Send any user content to frontier model providers (Anthropic, OpenAI, Google, etc). The reasoning engine is Belisama-native.
Run advertising or third-party analytics. There are no Google Analytics tags, no Meta pixels, no cross-site trackers.
Build advertising profiles, "interest segments", or "lookalike audiences".

5. Your rights

Under the Australian Privacy Principles, GDPR (where it applies to you), UK DPA 2018, CCPA/CPRA, and NZ Privacy Act 2020, you have the right to:

Access — Settings → Privacy → Download my data (JSON + CSV).
Rectify — Settings → Profile, or email [email protected].
Erase — Settings → Delete my substrate (immediate) or Close account (90-day grace then cryptographic shred).
Portability — export in machine-readable JSON or CSV from Settings.
Restrict processing — pause your subscription.
Object — email [email protected]; we acknowledge within 5 business days and respond within 30 days (faster where required by law).
Withdraw consent — for Minima-Cursie traces, use odahl-minima opt-out.
Lodge a complaint — with your local supervisory authority. Australia: OAIC. EU: your national DPA. UK: ICO. California: CCPA AG portal. New Zealand: OPC.

6. Sub-processors

The complete list of companies that touch any byte of your data on our behalf:

Sub-processor	What	Region
IONOS Cloud (1&1)	Hosts the Postgres database, Docker compute, reasoning engine	Germany (Frankfurt)
Cloudflare, Inc.	Edge network & Pages (static site + serverless functions). DDoS protection. WAF.	Global (POPs near you)
Stripe, Inc. + Stripe Payments Australia	Payment processing	USA + AU
Resend, Inc.	Transactional email delivery (signup, password reset, security alerts)	USA
GitHub, Inc.	Our source code & deploy pipeline. We do not host customer data here.	USA

We do not add a sub-processor without first updating this list. If material, you'll get 30 days' notice by email before the change takes effect.

7. Cross-border transfers

EU/EEA residents: data resides in Frankfurt under the GDPR. We rely on the Standard Contractual Clauses (SCC) for any transfer outside the EEA to a sub-processor in the USA (Stripe, Resend, Cloudflare control plane). UK residents: same, under the UK Addendum to the SCCs.

Australian residents: data primarily in Frankfurt; you can request Sydney-only processing by emailing [email protected]. We honour APP 8 cross-border obligations.

8. Cookies

Strictly necessary only: session cookie, CSRF cookie, an optional UI-preferences cookie. No analytics, no advertising, no cross-site trackers. Your browser will see no third-party cookies set by us. We do not require a cookie banner under EU rules because we set only strictly-necessary cookies.

9. Children

Odahl is not directed at children under 16 (under 13 in the USA). We do not knowingly collect data from such users. If we discover an account belonging to a child, we close it and erase the data.

10. Security incidents

We have a documented incident-response plan (see /security). In the event of a personal-data breach that creates a likely risk to your rights, you will be notified within 72 hours of detection (GDPR Article 33 standard, applied globally to everyone regardless of region).

11. Contact

Privacy queries: [email protected]. Founder & Data Protection Officer: Joe Maguire, [email protected]. Postal: Fiduci Group Pty Ltd, Sydney, NSW, Australia.

12. Changes

Material changes to this policy are notified by email at least 30 days before they take effect. The full changelog is at /privacy/changelog. This version supersedes all prior versions.