Privacy Policy

Effective date: March 19, 2026

Ontic Labs, Inc. (“Ontic,” “we,” “us”) is committed to protecting your privacy. This policy describes what data we collect, why we collect it, and how we handle it across the Ontic platform and Project Scythe subscription-monitoring service. It is designed to comply with standard US privacy frameworks, including CCPA principles regarding data minimization and the consumer Right to Erasure.

What we collect

  • Contact information you provide (name, email, company) via our contact form.
  • Usage analytics (page views, feature usage) via privacy-respecting tooling.
  • Technical logs (IP address, browser type) for security and reliability.
  • Financial access tokens (Plaid) retained while your account is in good standing; instantly purged when you disconnect an institution.
  • Third-party context tokens (Gmail OAuth) retained while the service is active; automatically deleted upon revocation of consent at the Google Account level.
  • Raw transaction data read from Plaid, processed in-memory by the local inference engine. Historical payloads are not retained indefinitely unless mapped to an active subscription profile.
  • Virtual card token identifiers (Plaid or Lithic API UUID only). Raw PAN and CVV data are never stored.

What we don’t collect

  • We do not sell your data to third parties.
  • We do not use your data to train AI models.
  • We do not track you across other websites.
  • We do not store raw Primary Account Numbers (PAN) or CVVs, entirely bypassing standard retention requirements for those fields.

Data retention and disposal

Ontic adheres to a strict data minimization protocol. Data is retained only as long as actively required to deliver our core services.

  • Cascade Deletion: Our primary database is architected with strict foreign key constraints. When a user record is flagged for deletion, an ON DELETE CASCADE operation automatically and permanently purges all linked funding sources, subscriptions, and virtual card records.
  • Cryptographic Erasure: Sensitive fields (such as API access tokens) are encrypted at rest. Destruction of the user’s unique encryption key renders any residual data fragments mathematically unrecoverable.
  • Backups: Deleted user data organically ages out of rolling, encrypted database backups within 30 days.

Consumer rights (Right to Erasure)

Consumers maintain complete sovereign control over their data.

  • Users may initiate a “Delete Account” protocol directly within the application settings at any time.
  • Execution of this protocol triggers an immediate, irreversible deletion of all PII, external access tokens, and generated intelligence profiles from the production database.
  • Ontic will issue an API call to Plaid or Lithic to transition any active virtual cards to a CLOSED state prior to destroying the local record.

Contact

Questions about this policy? Reach us at privacy@onticlabs.ai.

This policy will be updated as our product and practices evolve.