Privacy Policy

Effective Date: March 10, 2026 · Last Updated: March 10, 2026

The short version

OpenFactory is a secure compute platform. We build operating systems and help you manage them. We are not in the business of collecting, mining, or monetizing your data. We collect only what is strictly necessary to run the service, we never sell or share your information for advertising, and you can delete everything at any time. Your builds, your recipes, your data — they belong to you.

OpenFactory Inc. ("OpenFactory," "we," "us," or "our") operates the OpenFactory platform ("Service"), including openfactory.tech and console.openfactory.tech. This policy explains what data we collect, why, and what we do with it.

1. What We Collect & Why

We follow a simple rule: collect the minimum needed to provide the service. Here is exactly what we store and why:

Account Information

Your email address, name, and profile image — so you can log in and we can contact you about your account. If you sign in with Google, we receive only basic profile info (name, email, photo). We don't request access to your contacts, calendar, or anything else.

Build Data

Your build configurations, recipes, selected features, test results, and ISO images — because that's the whole point of the service. We store this so you can access, re-run, and manage your builds. We don't analyze your build choices for marketing or profiling purposes.

Conversation Data

Your conversations with our AI build assistant, including draft recipes generated during the chat. This is stored so you can pick up where you left off and so we can deliver accurate build results. We do not use your conversations to train AI models, and we do not mine them for insights.

Security Logs

IP addresses and browser user-agent strings are logged with each request. This is purely for security — detecting unauthorized access and preventing abuse. We don't use this data for tracking, advertising, or building user profiles.

Analytics

We use Google Analytics on our marketing site (openfactory.tech) to understand which pages people visit and how they find us. This data is anonymized — we can't identify individual users from it.

We also collect anonymous session-level usage data across our sites (pages visited, clicks, scroll depth, and hover interactions on buttons and links) to understand how visitors navigate our product. This data is not tied to any account or personal identity, is not shared with third parties, and is used solely to improve the user experience. No data is stored in your browser — it is sent once when your session ends and is not retained beyond delivery.

Organization Data

If you're part of an organization, we store membership and roles so your team can collaborate. Integration credentials are encrypted and used only to connect services you explicitly configure.

2. What We Don't Do

To be explicit:

  • We never sell your data. To anyone. Period.
  • We never share your data with advertisers or data brokers.
  • We never use your builds, recipes, or conversations to train AI models.
  • We never profile you for marketing or ad targeting.
  • We never send unsolicited marketing emails (unless you explicitly opt in).

3. How We Use Your Information

Everything we collect serves one of three purposes:

  • Running the service: Building your images, storing your recipes, delivering your ISOs.
  • Keeping it secure: Detecting unauthorized access, preventing abuse, maintaining audit trails.
  • Communicating with you: Account notifications, build status updates, and security alerts. Nothing promotional unless you ask for it.

4. Who Can See Your Data

As few parties as possible. Here is the complete list of third parties that may process your data:

  • Anthropic (AI provider) — processes conversation data to power the build assistant. Governed by a data processing agreement. They do not use your data to train their models.
  • Amazon Web Services — hosts our infrastructure. Your data is encrypted at rest and in transit.
  • Google Analytics — anonymized marketing site usage only (not the console).

We may also disclose data if required by law or legal process — but we will notify you first unless legally prohibited from doing so.

That's it. No ad networks, no data brokers, no "trusted partners."

5. How Long We Keep Your Data

We keep your data only as long as it's useful to you or required for security:

| Data | Kept For | After Deletion |
|---|---|---|
| Account info | While your account exists | Deleted within 30 days |
| Builds & recipes | While your account exists | Deleted within 30 days |
| ISO images | 90 days after build | Already purged |
| Conversations | While your account exists | Deleted within 30 days |
| Security logs | 90 days | Auto-purged |
| Audit logs (GxP) | 7 years (regulatory) | As required by law |

Enterprise customers can negotiate different retention periods. Want us to keep your build history longer? Shorter? Just ask.

6. Your Rights & Controls

Your data is yours. You have the right to:

  • See it: Request a full export of everything we have on you.
  • Fix it: Correct any inaccurate information.
  • Delete it: Request complete deletion of your account and all associated data. We'll do it within 30 days.
  • Take it with you: Export your builds, recipes, and configurations in standard formats.
  • Object: Tell us to stop any processing you're not comfortable with.

Email privacy@openfactory.tech and we'll respond within 30 days — usually much sooner.

7. Security

Security is our product, so we take it seriously in our own house too:

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Each build runs in a fully isolated environment.
  • Role-based access controls with least-privilege principles.
  • Cryptographic verification (SHA-256) of all build artifacts.
  • Continuous monitoring and automated security alerting.

8. HIPAA & Healthcare

If you're building compute environments for healthcare or other HIPAA-regulated work:

  • We offer Business Associate Agreements (BAAs) for enterprise customers.
  • The Service does not require or intentionally collect Protected Health Information (PHI). If PHI ends up in your builds or conversations, a BAA must be in place first.
  • We maintain technical safeguards (encryption, access controls, audit logging) and administrative safeguards (training, incident response) aligned with HIPAA.

Contact privacy@openfactory.tech to set up a BAA.

9. GxP & Data Integrity

For pharmaceutical, biotech, and medical device customers building validated compute environments:

  • All build operations generate immutable audit trails (who, what, when).
  • Build records follow ALCOA+ principles — attributable, legible, contemporaneous, original, and accurate.
  • Verification hashes ensure no data has been altered after the fact.
  • Enterprise customers can leverage our audit trail and electronic signature capabilities to support 21 CFR Part 11 compliance.
  • Audit and verification logs are retained for 7 years.

10. Legal Bases (GDPR)

For users in the EEA and UK — here are the legal bases we rely on:

  • Contract: We need your account and build data to provide the service you signed up for.
  • Legitimate interest: Security logs to protect the platform (we keep these minimal and short-lived).
  • Consent: Analytics cookies and any optional communications — you can withdraw anytime.
  • Legal obligation: Where required by law (e.g., GxP audit trail retention).

For international transfers from the EEA/UK, we use Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Cookies

We use very few cookies:

| Cookie | Why | Required? |
|---|---|---|
| Session cookie | Keeps you logged in | Yes |
| Google Analytics (_ga, _gid) | Anonymized page visit stats (marketing site only) | No |

You can disable non-essential cookies in your browser settings. The service works fine without analytics cookies.

12. Children

OpenFactory is not intended for anyone under 16. We don't knowingly collect data from children. If you believe a child has created an account, please let us know at privacy@openfactory.tech and we'll delete it promptly.

13. Changes to This Policy

If we make meaningful changes to this policy, we'll email you at least 30 days before they take effect. We won't bury changes in fine print.

14. Questions?

OpenFactory Inc.

Email: privacy@openfactory.tech

Website: openfactory.tech

If you're in the EEA or UK and aren't satisfied with our response, you can lodge a complaint with your local data protection authority.