Nov 10, 2025
Security
Privacy Policy
At Oksana, privacy isn't a compliance checkbox—it's our architecture.
Our Privacy Philosophy
Most privacy policies are written to protect companies from users. This one is written to protect you from us.
At Oksana, privacy isn't a compliance checkbox—it's our architecture. We built our platform around three principles:
On-Device First: Your content is processed on your device whenever possible
Data Minimization: We collect only what's necessary, nothing more
Your Control: You decide what data you share and can change your mind anytime
This policy explains what data we collect, why we collect it, and what you can do about it—in plain language.
What Data We Collect (And Don't Collect)
Data We Collect
Account Information:
Email address (for authentication and product updates)
Name (optional—you can use a pseudonym)
Password (encrypted, we never see it)
Content You Create:
On-Device Processing: Your brand voice training and content generation happens locally on your Mac/iPhone using Apple's M4 Neural Engine
No Cloud Storage of Content: Your training data, generated content, and brand voice models stay on your device unless you explicitly choose to sync via iCloud
Design System Connections: If you connect Figma or other tools, we store connection credentials (encrypted) but not your actual design files
Usage Analytics:
Page views and navigation patterns (via privacy-first analytics)
Feature usage statistics (aggregated, not identifiable)
Performance metrics (load times, error rates)
Device type and browser (for compatibility)
Technical Data:
IP address (temporarily, for security—not stored long-term)
Browser and device information (for compatibility testing)
Crash reports (if you opt in)
Data We Don't Collect
We explicitly do not collect:
Your actual training content or brand materials
Generated content (stays on your device)
Location data beyond country-level (for legal compliance)
Biometric data
Social media profiles or activity
Browsing history outside our platform
Cross-site tracking data
Advertising identifiers
How We Use Your Data
Account Management
Send you login verification emails
Provide customer support
Process beta program enrollment
Send product updates (you can unsubscribe)
Platform Improvement
Understand which features are used most
Identify and fix bugs
Improve performance and reliability
Plan new features based on usage patterns
Security & Fraud Prevention
Detect and prevent unauthorized access
Identify unusual activity patterns
Maintain platform security
Legal Compliance
Respond to legal requests when required
Enforce our terms of service
Protect our rights and property
Our Technology Stack & Privacy Implications
Framer Hosting
Our website is hosted on Framer. They may collect:
Standard web server logs (IP, browser, pages visited)
Retention: 30 days maximum
Privacy Policy: Framer's Privacy Policy
Plausible Analytics
We use Plausible Analytics for privacy-first website analytics:
No cookies or persistent identifiers
No personal data collection
GDPR compliant by default
No cross-site tracking
EU-owned and operated
Data captured: Page views, referral sources, device types (all anonymized)
Privacy Policy: Plausible Privacy
Grid Analytics (Our Custom System)
Our proprietary Grid API tracks:
Custom events (CTA clicks, scroll depth, feature usage)
Processing: On Cloudflare's edge network
Storage: Aggregated metrics only, no individual user tracking
Retention: 90 days, then permanently deleted
Privacy: No cookies, no persistent IDs, sessions only
Notion CRM (Beta Program)
If you join our beta waitlist, we store in Notion:
Your email address
Signup date and source
Beta program status
Retention: Until you request deletion or 1 year after beta ends
Access: Only 9Bit Studios team members
Privacy Policy: Notion Privacy
Apple Intelligence & M4 Neural Engine
The core of our platform uses Apple's on-device AI:
100% local processing—your content never leaves your device
No cloud uploads for brand voice training or content generation
Apple's privacy guarantees apply
Works offline—no internet required for core features
iCloud (Optional Sync)
If you enable iCloud sync:
Your brand voice models sync via CloudKit Private Database
Apple controls this data, not us—we can't access it
End-to-end encrypted by Apple
You control sync via iOS Settings
Privacy Policy: Apple Privacy
Data Sharing & Third Parties
We Don't Sell Your Data
Never. We're not an advertising company. Our business model is simple: you pay for the product, we build the product.
We Don't Share Your Data Except:
Service Providers (Minimal):
Email service (Fastmail) for transactional emails only
Payment processor (Stripe) for subscriptions—PCI compliant
Infrastructure (Cloudflare) for security and performance
Legal Requirements:
Valid legal process (subpoena, court order)
Prevent fraud or security threats
Protect our legal rights
With Your Explicit Consent:
If you choose to share content publicly (e.g., showcase gallery)
If you integrate third-party tools (Figma, etc.)
Your Privacy Rights
Data Access
Request a copy of all data we have about you
Response time: Within 30 days
Format: JSON export or human-readable report
Data Correction
Update your account information anytime in Settings
Correct any inaccuracies in your profile
Data Deletion
Delete your account anytime in Settings
What happens:
Account data permanently deleted within 30 days
On-device data (brand voice models, content) deleted from your devices when you remove the app
Aggregated analytics (already anonymized) retained for platform metrics
Cannot be undone—make sure to export data first if needed
Data Portability
Export your data in standard formats (JSON, CSV)
Take your brand voice training to another platform (we'll help)
Opt-Out Rights
Unsubscribe from marketing emails (link in every email)
Disable optional analytics in Settings
Turn off iCloud sync in iOS Settings
GDPR Rights (EU Users)
If you're in the EU, you have additional rights:
Right to object to processing
Right to restrict processing
Right to lodge a complaint with your data protection authority
Contact: privacy@9bitstudios.io
CCPA Rights (California Users)
California residents can:
Request categories of data collected
Request deletion of personal information
Opt-out of sale (we don't sell data, so this doesn't apply)
Non-discrimination for exercising rights
Contact: privacy@9bitstudios.io
Data Security
How We Protect Your Data
Encryption:
All data transmitted via HTTPS (TLS 1.3)
Passwords hashed using industry-standard algorithms
iCloud data encrypted by Apple end-to-end
Access Controls:
Minimal team access (only those who need it)
Two-factor authentication required for team accounts
Regular security audits
On-Device Protection:
Your sensitive data (brand voice, content) never leaves your device
Protected by iOS/macOS security architecture
Leverage Apple's Secure Enclave for credentials
Infrastructure:
Hosted on secure, reputable platforms (Framer, Cloudflare)
Regular security patches and updates
DDoS protection and monitoring
Data Breach Protocol
If a breach occurs, we will:
Investigate immediately
Notify affected users within 72 hours
Report to relevant authorities as required
Take steps to prevent future breaches
Provide credit monitoring if appropriate
Children's Privacy
Oksana is not intended for users under 13 years old (or under 16 in the EU). We do not knowingly collect data from children. If we discover we've collected data from a child, we'll delete it immediately.
International Data Transfers
Our Infrastructure:
Primary servers: United States (Cloudflare, Framer)
Analytics: EU (Plausible Analytics)
On-device processing: Your location (no data transfer)
EU Data Transfers: If you're in the EU and your data is transferred to the US:
We rely on Standard Contractual Clauses (SCCs)
On-device processing keeps most data local
You can request EU-only data storage for beta program
Cookies & Tracking
We Don't Use Cookies for Tracking
Seriously. Our analytics (Plausible) works without cookies.
Essential Cookies Only:
Session authentication (so you stay logged in)
Security tokens (CSRF protection)
No tracking, no advertising, no third-party cookies
Do Not Track
We respect "Do Not Track" browser settings even though there's no legal requirement to do so.
Changes to This Policy
When we update this policy:
We'll email you at least 30 days before major changes
We'll post the new policy with an "updated" date
Continued use means you accept the changes
You can always delete your account if you disagree
Version History:
November 2025: Initial policy (current)
Contact & Data Protection Officer
Privacy Questions:
Bit Studios, Portland, Oregon, USA
Response Time: Within 5 business days for inquiries, 30 days for data requests
Data Protection Officer: Penny Platt, Founder
The Bottom Line
Our Promise:
We process your content on your device, not our servers
We collect the minimum data needed to run the service
We never sell your data
We give you control over your information
We explain what we do in clear language
Your Control:
You own your content and brand voice
You can export or delete your data anytime
You can use most features without sharing data
You decide what goes to the cloud (if anything)
Questions? If anything in this policy is unclear, email us. We'd rather answer questions than hide behind legalese.
Last Updated: November 3, 2025
Effective: November 2025
This privacy policy was written to be read, understood, and actually followed. If you find it refreshing compared to typical privacy policies, that's intentional.
