Privacy Policy
1. Who we are
Octavia Works is operated by Sankhya Ventures, LLC ("Sankhya Ventures," "we," "us," or "our"), a Delaware limited liability company with a registered address at 2810 N Church St. Ste. 40809, Wilmington, DE 19802, United States.
For the purposes of the EU General Data Protection Regulation ("GDPR") and the UK GDPR, Sankhya Ventures, LLC is the data controller of personal data processed through Octavia Works, except where we act as a processor on behalf of a business customer.
2. Scope
This Policy explains how we collect, use, disclose, and protect personal data when you use the Octavia Works website and service (the "Service"). It applies to visitors, registered users, and anyone whose data we process in connection with the Service. It does not apply to third-party websites or services we link to, including Google, Stripe, and Anthropic, each of which maintains its own privacy policy.
3. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity data | Name, email address, profile picture, unique Google account identifier | Google Sign-In, provided when you authenticate |
| Profile preferences | Preferred name, work description, standing instructions, appearance/font settings | Provided by you in My Account |
| Usage & query data | The text of requests you submit, timestamps, token counts, per-query cost | Generated as you use the Service |
| Billing data | Wallet balance, transaction history, invoice records; not full card numbers | Generated by the Service; card details are handled entirely by Stripe |
| Technical data | IP address (processed transiently by our hosting infrastructure), browser type, device information | Automatically collected by Cloudflare, our hosting provider |
What we deliberately don't keep
The text of your requests is retained only long enough to generate an invoice line-item summary for the billing session it belongs to (see Section 6). Once that summary is generated, the underlying request text is permanently deleted from our database. We do not build a persistent chat history or long-term transcript of your requests.
4. How we use personal data, and our legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Authenticate you and maintain your account | Performance of a contract |
| Process your queries through our AI pipeline and return a response | Performance of a contract |
| Apply your saved preferences and instructions to personalize responses | Performance of a contract; consent (you choose to set these) |
| Calculate usage, maintain your wallet balance, and process payments | Performance of a contract |
| Generate invoices, including a brief AI-written description of a billing session | Performance of a contract; legal obligation (recordkeeping) |
| Detect, prevent, and investigate fraud, abuse, or security incidents | Legitimate interests |
| Comply with legal obligations (tax, accounting, lawful requests) | Legal obligation |
5. How your requests are processed
Octavia Works answers your requests using a multi-stage AI processing pipeline. Submitting a query causes its text (together with any preferences you've set) to be sent to our AI infrastructure provider for processing, and the resulting response is streamed back to you. We do not control, and are not responsible for, the internal workings of our AI infrastructure provider's models, but we have contractual and technical safeguards in place governing how that provider may use data we send it.
A short, separate AI-generated description of what a billing session was used for (for invoicing purposes only) is created using a lightweight, separate process from the one that answers your queries, and is written in general terms rather than reproducing your original text.
6. Data retention
| Data | Retention |
|---|---|
| Query text | Until the billing session it belongs to is invoiced (typically within hours), then permanently deleted |
| Invoice records (summary description, amount, date) | Retained for the lifetime of your account plus the period required by applicable tax and accounting law |
| Account & profile data | Retained until you delete your account or request erasure |
| Wallet & transaction ledger | Retained for the lifetime of your account plus the period required by applicable financial recordkeeping law |
| Technical/server logs | Retained by our infrastructure providers for a limited operational period (typically weeks), per their own policies |
7. Cookies and similar technologies
Octavia Works itself does not set advertising or analytics cookies, and does not use any third-party tracking or advertising technology. To keep you signed in and remember your interface preferences (such as theme and chat font), the Service stores a small amount of data in your browser's local storage. This is strictly necessary for the Service to function and does not require consent under applicable law, in the same way a "strictly necessary" cookie would not.
When you sign in with Google, or complete a payment through Stripe Checkout, those providers may set their own cookies on their own domains, governed by their own privacy and cookie policies:
The cookie notice shown when you first visit lets you acknowledge this. Choosing "Necessary only" means we will not introduce any additional non-essential cookies without asking you again; it does not retroactively affect cookies already set by Google or Stripe during sign-in or checkout, which are their own tools.
8. Who we share data with
We do not sell personal data. We share personal data only with the following categories of service providers, each acting as our processor (or as an independent controller for their own purposes, as noted), strictly to operate the Service:
| Provider | Purpose | Data involved |
|---|---|---|
| Anthropic | AI processing of queries | Query text, preference context |
| Cloudflare, Inc. | Hosting, database, content delivery | All Service data, in transit and at rest |
| Stripe, Inc. | Payment processing (independent controller) | Payment details, billing email |
| Google LLC | Authentication (independent controller) | Name, email, profile picture, account identifier |
We may also disclose personal data where required by law, to protect our legal rights, or in connection with a merger, acquisition, or sale of assets, subject to standard confidentiality protections.
9. International data transfers
We and our service providers are based in, or process data in, the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred outside of those regions. Where required, such transfers are made subject to appropriate safeguards, such as the European Commission's Standard Contractual Clauses, or reliance on a provider's own certified transfer mechanism.
10. Your rights
Depending on your location, you may have some or all of the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data, subject to legal retention requirements.
- Restriction — request that we limit how we use your data in certain circumstances.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint — with your local data protection supervisory authority, if you believe we have not handled your data lawfully.
To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by applicable law.
11. Data security
We use technical and organizational measures designed to protect personal data, including encryption in transit, access controls, and reliance on infrastructure providers that maintain industry-standard security certifications. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
12. Children's privacy
The Service is not directed to, and is not intended for use by, anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take steps to delete it.
13. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will update the "Last updated" date above and, where required by law, provide additional notice. Continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
14. Contact us
Sankhya Ventures, LLC
2810 N Church St. Ste. 40809
Wilmington, DE 19802, United States
Email: [email protected]