Privacy Policy

Your privacy is important to us. Learn how we collect, use, and protect your information.

Effective Date: January 2025
Last Updated: January 2025

Introduction

Octopilot ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our macOS application Octopilot ("the App"). This policy applies to all users of our educational writing assistance application.

Information We Collect

Personal Information

When you use Octopilot, we may collect the following personal information:

Account Information: When you sign in using Apple Sign In or Google OAuth, we collect your name, email address, unique user identifier, and profile information provided by the authentication service.

Usage Data: We collect information about how you use the App, including features accessed, time spent in the application, user interactions and preferences, and session duration and frequency.

Content Data

Essays and Documents: Text content you create, edit, or import into the App.

Research Sources: URLs, citations, and reference materials you add.

AI Interactions: Prompts you send to AI services and generated responses.

Export History: Records of documents you've exported or shared.

Technical Information

Device Information: macOS version, device model, app version.

Performance Data: Crash reports, error logs, and diagnostic information.

Network Information: IP address for service connectivity.

How We Use Your Information

Primary Uses

We use your information to:

Provide Core Services: Generate AI-powered writing assistance; manage your account and preferences; save and sync your documents; and provide citation and formatting tools.

Improve User Experience: Personalize content recommendations; remember your writing style preferences; optimize app performance; and provide customer support.

Educational Compliance: Add appropriate academic disclaimers; ensure content meets educational standards; and provide plagiarism prevention features.

AI Service Integration

Your content may be processed by third-party AI services to generate writing suggestions and improvements, provide grammar and style corrections, create outlines and structure recommendations, and generate citations and references.

Important: All AI-generated content includes educational disclaimers and is intended for learning purposes only.

Data Sharing and Disclosure

Third-Party Services

We share limited data with the following service providers: Firebase (Google) for user authentication, data storage, and analytics; AI Service Providers for content generation and writing assistance; Apple Services for Apple Sign In authentication; and Crash Reporting Services for app stability and performance monitoring.

Legal Requirements

We may disclose your information if required by law or to comply with legal processes, protect our rights and property, ensure user safety, and prevent fraud or abuse.

No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for commercial purposes.

Data Security

Security Measures

We implement industry-standard security measures, including encryption of data in transit and at rest; access controls that limit access to personal data on a need-to-know basis; regular security assessments and vulnerability testing; and secure authentication using OAuth 2.0 and Apple Sign In.

App Sandbox

Octopilot runs in Apple's App Sandbox, which confines the App to the system resources declared in its entitlements and to files you explicitly open or save through the macOS file dialogs. This limits what a compromised or misbehaving App process can reach on your system and keeps it from reading files you have not shared with it.
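A way to verify the App Sandbox claim on your own machine, as an added example that is not Octopilot's code: macOS records the sandbox entitlement in the app's code signature, so a script can dump the signed entitlements and look for `com.apple.security.app-sandbox` set to true. The two plists below are constructed samples, and the app path in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not Octopilot's code. On macOS, dump a signed app's entitlements
# as an XML plist with (bundle path is an assumption, substitute the real one):
#   codesign -d --entitlements :- /Applications/Octopilot.app > entitlements.plist

# sandbox_enabled FILE
# Returns 0 when com.apple.security.app-sandbox is present and <true/>,
# non-zero otherwise (key missing, <false/>, or unreadable file).
sandbox_enabled() {
    [ -r "$1" ] || return 2
    # Flatten the plist so the <key> and the value that follows it can be
    # matched together regardless of the newlines/tabs between them.
    tr -d '\n\r\t' < "$1" |
        grep -q '<key>com\.apple\.security\.app-sandbox</key> *<true/>'
}

# Constructed sample plists for offline testing (not from a real Octopilot build).
SANDBOXED=$(mktemp)
cat > "$SANDBOXED" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict>
</plist>
EOF

UNSANDBOXED=$(mktemp)
cat > "$UNSANDBOXED" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
EOF
trap 'rm -f "$SANDBOXED" "$UNSANDBOXED"' EXIT

if sandbox_enabled "$SANDBOXED"; then
    echo "sample 1: sandboxed"
else
    echo "sample 1: NOT sandboxed"
fi
if sandbox_enabled "$UNSANDBOXED"; then
    echo "sample 2: sandboxed"
else
    echo "sample 2: NOT sandboxed"
fi
```

To check the shipping binary instead of the samples, save the output of `codesign -d --entitlements :- <path to the .app>` to a file and pass that path to `sandbox_enabled`. The key name is what matters; the other entitlements in the sample (network client, user-selected file access) are typical of a sandboxed app that talks to a backend and opens user files, but are not a statement about Octopilot's actual entitlements.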

Cookies and Similar Technologies

We use only the minimum necessary cookies on our website. Essential cookies enable core functionality. Analytics cookies help us understand usage and improve the site and are set only with your consent where required. You can control cookies through your browser settings or in-product privacy controls.

In the macOS app, we do not use third-party tracking cookies. Local storage and secure device storage are used solely to provide core features such as authentication, preferences, and offline access.

Do Not Track and Global Privacy Control

We honor Global Privacy Control (GPC) signals by treating them as an opt-out of the sale or sharing of personal information and as an opt-out of targeted advertising where applicable. We do not sell personal information. Due to the absence of a common industry standard, we do not respond to all browser Do Not Track (DNT) signals; however, we apply your privacy settings and provide equivalent opt-out mechanisms within the app and website.

Automated Decision-Making and Profiling

We do not make decisions that produce legal or similarly significant effects based solely on automated processing. Profiling is limited to personalizing content suggestions, improving writing assistance, and product analytics. You may object to profiling or request human review of outcomes at any time using the contact methods below.

Data Controller and Processor Roles

Octopilot acts as the data controller for personal information you provide directly in the consumer macOS app and on our website (for example, account details, preferences, support communications, and app telemetry consistent with your settings). When Octopilot is deployed for an institution (such as a school or enterprise) and we process data on their behalf, the institution is the data controller and Octopilot acts as a data processor.

As a processor, we will: process personal data only on documented instructions; implement appropriate technical and organizational security measures; assist the controller in responding to data subject requests; notify the controller of personal data incidents; flow down obligations to authorized sub‑processors; and maintain an up‑to‑date list of sub‑processors.

Controller contact for the consumer service: Octopilot Privacy Team, privacy@octopilot.app.

Data Protection Officer

You may contact our Data Protection Officer (DPO) with questions about our privacy practices or to exercise your rights: dpo@octopilot.app. Please include your account email and region so we can route your request appropriately.

Your Privacy Rights

You have the right to access (request a copy of your personal data), correct (update or correct inaccurate information), delete (request deletion of your account and associated data), export (download your documents and data), and opt out (disable analytics and non-essential data collection).

Data Retention

Account Data is retained while your account is active. Content Data is stored until you delete it or close your account. Usage Analytics in aggregated form may be retained for up to 2 years. Crash Reports are automatically deleted after 90 days.

Educational Use and Academic Integrity

Educational Purpose

Octopilot is designed for educational use and includes clear disclaimers on AI-generated content, reminders about academic integrity policies, tools to help students learn proper citation, and features that encourage original thinking.

Student Privacy

For users under 18 or in educational institutions, we comply with applicable student privacy laws, do not use student data for advertising, clearly mark educational content, and allow parents and educators to request data deletion.

International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure adequate protection through standard contractual clauses, adequacy decisions, and appropriate safeguards.

Children's Privacy

Octopilot is not intended for children under 13. If we discover we have collected information from a child under 13, we will delete it immediately. For users 13-17, we recommend parental guidance and supervision.

Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes through the App, post the updated policy with a new effective date, and maintain previous versions for reference.

Contact Information

For privacy-related questions or requests:

Email: privacy@octopilot.app
Support: support@octopilot.app
Address: [Your Business Address]

Advanced Security Measures

Encryption Standards

Data at Rest: We use AES-256 encryption for all stored documents, encrypted database fields for sensitive information, secure key management using Apple Keychain, regular encryption key rotation, and hardware security module integration where available.

Data in Transit: All network communications use TLS 1.3, certificate pinning for API endpoints, end-to-end encryption for sensitive operations, perfect forward secrecy implementation, and network traffic analysis prevention.

Authentication Security: We provide multi-factor authentication support, biometric authentication integration, session token encryption and rotation, suspicious activity detection and alerting, and account lockout protection against brute force attacks.

Infrastructure Security

Cloud Security: Firebase security rules implementation, regular security audits and penetration testing, compliance with SOC 2 Type II standards, 24/7 security monitoring and incident response, and automated threat detection and mitigation.

Application Security: Code signing and integrity verification, runtime application self-protection (RASP), memory protection and anti-debugging measures, secure coding practices and regular code reviews, and vulnerability scanning and dependency management.

Comprehensive Data Subject Rights

Right to Information

You have the right to receive clear information about data processing purposes, details about data recipients and transfers, information about automated decision-making, data retention periods and deletion criteria, and contact information for data protection inquiries.

Right of Access

You can request a copy of all personal data we hold about you, information about the source of your data, details about data processing activities, information about data sharing with third parties, and confirmation of whether your data is being processed.

Right to Rectification

You can correct inaccurate personal information, complete incomplete data records, update outdated information, modify preferences and settings, and request verification of corrected data.

Right to Erasure ("Right to be Forgotten")

You can request deletion when personal data is no longer necessary for original purposes, you withdraw consent for processing, data has been unlawfully processed, legal obligations require deletion, or you object to processing and no overriding legitimate interests exist.

Right to Data Portability

You can receive your data in a structured, machine-readable format, transfer data directly to another service provider, export documents in multiple formats (PDF, DOCX, TXT), download complete account archives, and migrate to alternative platforms seamlessly.

Right to Object

You can object to processing based on legitimate interests, direct marketing communications, automated decision-making and profiling, research and statistical processing, and processing for historical or archival purposes.

Right to Restrict Processing

You can request restriction when accuracy of data is contested, processing is unlawful but you prefer restriction over deletion, we no longer need the data but you need it for legal claims, or you have objected to processing pending verification.

International Data Protection Compliance

European Union (GDPR)

Legal Basis for Processing: Explicit consent for optional features, processing necessary for service provision, service improvement and security based on legitimate interest, compliance with applicable laws, and protection of user safety and security.

Data Protection Impact Assessments: Regular DPIA reviews for high-risk processing, privacy by design implementation, data minimization principles, purpose limitation enforcement, and storage limitation compliance.

Cross-Border Data Transfers: Standard Contractual Clauses (SCCs) implementation, adequacy decision reliance where applicable, Binding Corporate Rules (BCRs) for group transfers, regular transfer impact assessments, and data localization options where required.

United States Compliance

California Consumer Privacy Act (CCPA): Consumer rights disclosure and implementation, "Do Not Sell" compliance (we don't sell data), opt-out mechanisms for data sharing, non-discrimination policy enforcement, and regular compliance audits and reporting.

Children's Online Privacy Protection Act (COPPA): Age verification mechanisms, parental consent procedures, limited data collection from children, safe harbor compliance measures, and regular policy updates and notifications.

Family Educational Rights and Privacy Act (FERPA): Educational record protection, directory information handling, consent requirements for disclosure, audit trail maintenance, and institutional compliance support.

Other Jurisdictions

Canada (PIPEDA): Privacy policy transparency requirements, consent management procedures, breach notification protocols, cross-border transfer safeguards, and privacy impact assessment processes.

Australia (Privacy Act): Australian Privacy Principles compliance, notifiable data breach scheme adherence, cross-border disclosure restrictions, and privacy policy accessibility requirements.

Regional Disclosures

United Kingdom (UK GDPR)

For users in the UK, references to GDPR should be read as the UK GDPR and the Data Protection Act 2018. Your rights include access, rectification, erasure, portability, objection, and restriction. You may lodge complaints with the Information Commissioner’s Office (ICO).

Switzerland (FADP)

For users in Switzerland, we process personal data in accordance with the Swiss Federal Act on Data Protection (FADP). You have rights to information, correction, deletion, and objection, and may contact the Federal Data Protection and Information Commissioner (FDPIC).

California (CPRA)

California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information, and to limit the use and disclosure of sensitive personal information. We do not sell personal information. We honor opt‑out signals via Global Privacy Control (GPC) and do not use sensitive personal information for purposes other than those permitted by the CPRA.

Brazil (LGPD)

For users in Brazil, processing is based on legal grounds defined by the LGPD. You have rights to confirmation, access, correction, anonymization, portability, deletion, and information about shared data. You may contact the ANPD for complaints.

India (DPDP Act)

For users in India, we comply with the Digital Personal Data Protection Act, 2023. You have rights to access, correction, erasure, and grievance redressal. You may approach the Data Protection Board of India for unresolved concerns.

South Africa (POPIA)

For users in South Africa, we comply with the Protection of Personal Information Act (POPIA). You have rights to be notified, access, correction, objection, and deletion. You may contact the Information Regulator for complaints.

Content Processing Pipeline

Document Creation and Storage

Initial content is processed locally on your device, then documents are encrypted and synced to Firebase Firestore. Multiple document versions are maintained with automated backups to ensure data preservation, and simultaneous edits are merged intelligently through conflict resolution.
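What the "Firebase security rules implementation" under Cloud Security has to look like for the per-user Firestore document store described above, as an added example that is not Octopilot's deployed rules: the permissive rule that many prototypes ship with next to a hardened one that scopes every read and write to the signed-in user's own documents. The collection layout users/{userId}/documents/{docId} and the ownerId field are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (a common prototype default): every caller, signed in or not,
    // can read and write every user's documents. Left commented out here
    // so it can be compared with the rule below.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED (assumed layout: users/{userId}/documents/{docId}):
    // a signed-in user may only touch documents under their own UID,
    // and the stored ownerId field must agree with the path on every write.
    match /users/{userId}/documents/{docId} {
      allow read: if request.auth != null
                  && request.auth.uid == userId;
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.ownerId == userId;
      allow update, delete: if request.auth != null
                            && request.auth.uid == userId
                            && resource.data.ownerId == userId;
    }

    // Anything not matched by an allow rule above is denied by default.
  }
}
```

The check a practitioner runs against a deployed Firestore backend is the unauthenticated read: with the weak rule in place, any client that knows the project ID can list other users' essays without signing in. With the hardened rule, such a request is rejected, and a signed-in user who rewrites the path to another UID is rejected as well.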

AI Content Generation

Your writing prompts are analyzed for context, AI services generate relevant suggestions, generated content is filtered for appropriateness, all AI content receives educational disclaimers, and AI interactions are logged for improvement purposes.

Research and Citation Processing

URLs are validated and metadata extracted, citation formats are generated automatically, source credibility is assessed when possible, reference lists are maintained and synchronized, and academic databases are queried for verification.

Plagiarism Prevention

Content similarity checking against academic databases, original work verification and reporting, citation completeness validation, and academic integrity scoring and recommendations are provided.

Data Retention and Deletion

Retention Schedules

Account Data: Active accounts are retained while the account remains active, inactive accounts have a 3-year retention after last activity, deleted accounts have a 30-day grace period then permanent deletion, backup systems retain data for 90 days in encrypted backups, and extended retention when legally required.

Content Data: Documents are retained until user deletion or account closure, version history is kept for 1 year, drafts are retained for 6 months, shared content is retained until all sharing permissions are revoked, and no retention of exported content.

Usage Analytics: Individual metrics have a 2-year retention period, aggregated data is kept for 5 years for trend analysis, error logs are retained for 1 year for debugging, performance data is kept for 6 months for optimization, and security logs are retained for 7 years for compliance.

Incident Response and Breach Notification

Security Incident Management

We classify incidents from Level 1 (minor incidents with no data exposure) to Level 5 (catastrophic incidents requiring immediate response). Our response procedures include detection through automated monitoring and manual reporting, impact assessment and classification, immediate threat mitigation measures, root cause analysis and evidence collection, system restoration and security enhancement, and post-incident review and improvement.

Breach Notification Requirements

Regulatory Notifications: GDPR requires 72-hour notification to supervisory authorities, CCPA requires prompt notification to California Attorney General, compliance with applicable state breach laws, industry-specific notification requirements, and compliance with applicable foreign laws.

User Notifications: High risk incidents require immediate notification to affected users, medium risk within 72 hours, low risk in next regular communication, no risk requires internal documentation only, and ongoing updates during investigation.

Privacy by Design Implementation

Technical Measures

Data Minimization: Collection is limited to necessary purposes, regular data audits and cleanup, automated data lifecycle management, purpose-specific data processing, and granular consent mechanisms.

Privacy-Enhancing Technologies: Differential privacy for analytics, homomorphic encryption for computations, zero-knowledge proofs for verification, secure multi-party computation, and privacy-preserving machine learning.

Organizational Measures

Privacy Governance: Dedicated privacy officer appointment, regular privacy training for staff, privacy impact assessment procedures, vendor privacy evaluation processes, and continuous privacy monitoring.

Policy Integration: Privacy considerations in product development, regular policy reviews and updates, stakeholder consultation processes, privacy metrics and KPI tracking, and continuous improvement programs.

Compliance and Certifications

Octopilot complies with Apple App Store Guidelines, macOS Privacy Requirements, GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), COPPA (Children's Online Privacy Protection Act), and FERPA (Family Educational Rights and Privacy Act) where applicable.

Accessibility & Inclusive Communication

We strive to make this policy and our privacy controls accessible to everyone. We provide plain‑language explanations, support for assistive technologies (including screen readers and high‑contrast modes), and can provide this policy in alternative formats or languages upon request. To request an accommodation or alternative format, contact accessibility@octopilot.app or privacy@octopilot.app.

Appeals & Supervisory Authorities

If you disagree with how we handled a privacy request, you may submit an appeal by replying to our decision email and explaining the reasons for your appeal. We will review and respond within the timeframe required by applicable law. If you remain unsatisfied, you may contact your local supervisory authority (for example, an EU/EEA Data Protection Authority, the UK ICO, the Swiss FDPIC, the California Privacy Protection Agency, Brazil’s ANPD, India’s Data Protection Board, or South Africa’s Information Regulator). We will cooperate with authorities as required.

This Privacy Policy is effective as of the date listed above and supersedes any previous versions. We reserve the right to modify this policy at any time, and will provide appropriate notice of significant changes.