Privacy Policy

Effective Date: May 25, 2026

Operator notice. This Privacy Policy is drafted by the platform operator and is not legal advice. If you have a regulatory obligation (GDPR, CCPA, HIPAA, etc.), consult qualified counsel before relying on the descriptions below.

This Privacy Policy explains how Global Data Store LLC ("Company", "we", "us", or "our") collects, uses, and shares information when you use OntoBoom (the "Service"), including its three surfaces: Studio (app.ontoboom.com), Hub (hub.ontoboom.com), and MCP Serving (mcp.ontoboom.com).

1. Information We Collect

Account Information (you provide)

When you create an account, we collect:

  • Name and email address
  • Password (stored as an Argon2id hash)
  • Country and US state, where applicable for sales-tax handling
  • Plan and subscription status

Hub Content (you publish)

When you publish to the Hub or interact with published content, we collect and store:

  • The ontology manifest (classes, properties, constraints, JSON-LD context, diagram layout)
  • Catalog metadata you provide (namespace, slug, version, license, description, README)
  • Declared dependencies on other Hub ontologies
  • Reviews and star ratings you submit, including the "anonymous" flag
  • Your namespace assignment (your @handle)

Usage and Telemetry (we record)

We automatically record:

  • Editor sessions and AI Copilot request counts (counts only — not the prompt body)
  • Hub pulls and MCP requests: timestamp, version pulled, user-agent string, and a salted SHA-256 hash of the requesting IP (we do not store the raw IP for anonymous traffic)
  • Error logs and diagnostic events
  • Stripe payment metadata for paying accounts (Stripe handles card data; we receive an identifier and the event)

Support Communications

When you contact support or post to the contact form, we collect the message body and your contact information for the purpose of responding.

2. What We Make Public on the Hub

The Hub is a public registry. The following information is visible to anyone (and indexable by search engines) for any content you set to Public:

  • Your namespace handle (e.g., @your-handle) and the ontology slugs, versions, descriptions, and READMEs you publish
  • The full ontology manifest payload — classes, relationships, constraints, etc. The publisher is responsible for not embedding personal data or secrets in this payload (see Acceptable Use)
  • The number of pulls in the last 30 days (used for the "Popular" feed)
  • Reviews and ratings posted to your ontologies, including the reviewer's handle unless the reviewer chose anonymous
  • Aggregate rating summary (mean, count, distribution) — emitted as JSON-LD AggregateRating structured data for SEO

Unlisted ontologies are not enumerated in feeds or search but are readable and servable by anyone with the URL. Private ontologies are visible only to the namespace owner.

3. Anonymous Reviews

When you submit a review with the "anonymous" flag, your handle is suppressed from the public-facing review display. The underlying database record retains your user identifier so that:

  • You can edit or delete your own review (which is identified by user ID, not handle)
  • We can enforce the one-review-per-user-per-ontology rule
  • We can investigate abuse if a review violates the Acceptable Use Policy

Anonymous reviews are not pseudonymous to the Company — they are pseudonymous to other users.

4. MCP Serving and Third-Party AI Agents

When a third-party AI agent (Claude Desktop, Cursor, LangChain, etc.) connects to mcp.ontoboom.com and calls a tool against a Public or Unlisted ontology, the published manifest content flows to that agent. The Company does not control what the receiving agent or its operator does with the content. Do not publish anything you would not be comfortable seeing in an arbitrary AI model's training or inference context.

5. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, secure, and improve the Service
  • Render Hub pages, sitemaps, and JSON-LD structured data
  • Serve MCP endpoints and compute manifest-derived tool responses
  • Compute aggregate ratings, "Recent" and "Popular" feeds, and search rankings
  • Process Stripe subscriptions and AI-credit purchases
  • Send transactional emails (verification, password reset, support replies, billing-related notices, and, in the future, advance notice before any MCP-serving usage meter goes live)
  • Detect, prevent, and respond to abuse, fraud, and security incidents
  • Comply with legal obligations and respond to lawful requests

6. Information Sharing

We do not sell personal information. We share information with:

Service Providers

  • Hosting: Google Cloud Platform (Cloud Run, Cloud SQL, Artifact Registry, us-central1) for compute and storage
  • DNS & edge: Cloudflare for DNS (DNS-only mode; not proxied)
  • Email: SMTP provider for transactional mail
  • Payments: Stripe for subscription and one-time charges
  • AI providers: OpenAI for the AI Copilot — your prompts are sent to OpenAI in real time and are subject to OpenAI's data-handling policies. We do not retain prompt bodies after the request completes.

Public Surfaces

Hub content you mark Public is, by design, available to anyone, including third-party AI agents and search engines, as described in Sections 2 and 4.

Legal Requirements

We may disclose information if required by law, lawful process, or government request, or to protect the rights, property, or safety of our users, the Service, or others.

7. Cookies and Local Storage

We use a single HttpOnly authentication cookie (access_token, 7-day expiry, scoped to .ontoboom.com) to maintain your login session across the apex, Studio, and Hub. We do not use third-party tracking cookies. The Studio uses local storage to persist editor preferences (theme, layout).

8. Data Retention

We retain account and content data while your account is active. On account deletion:

  • Studio projects and unpublished editor content are deleted within 30 days.
  • Published Hub versions you have made Public or Unlisted are retained to honor the immutability principle (Terms § 4.3) — they remain available unless you explicitly request an override or they are removed under DMCA or Acceptable Use enforcement.
  • Reviews you posted remain published with the "Anonymous" label unless you delete them first.
  • Yanked versions are retained as records (marked unavailable) so that consumers depending on a specific checksum can detect the yank rather than encounter a 404.
  • Aggregate, anonymized usage statistics (pull counts, rating distributions) may be retained indefinitely.
  • Stripe payment records are retained as required by tax and accounting law.

9. Data Security

  • Passwords are hashed using Argon2id (work factors above the industry minimum)
  • All client traffic is encrypted in transit via TLS
  • JWT auth cookies are HttpOnly and Secure (in production)
  • Access to the production database is restricted to authorized engineering personnel; database credentials are stored in Google Cloud Secret Manager or environment variables
  • API tokens (the obt_ prefix) are stored hashed; the raw token is shown to the user once on issuance
  • We perform regular security reviews of new features before they ship

No system is 100% secure. We cannot guarantee absolute security. If we discover a breach that materially affects your data, we will notify you without undue delay and in accordance with applicable law.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and personal data (subject to the retention rules in Section 8)
  • Export your Studio ontologies via the Service's built-in export (Turtle, JSON-LD, RDF/XML, OntoBoom JSON, Cypher)
  • Object to certain processing activities
  • Withdraw consent where processing relies on consent

To exercise these rights, please contact support. We may verify your identity before acting on a request.

11. International Data Transfers

The Service is hosted in the United States (Google Cloud, us-central1). If you access the Service from outside the US, your information will be transferred to and processed in the US. We rely on Standard Contractual Clauses or equivalent safeguards where required by applicable law.

12. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact support and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date and, where appropriate, communicated by email. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact

For privacy questions, data-rights requests, or to report a suspected security issue, please contact support.