Ozor logo
Ozor.ai

Legal

Privacy Policy

Last updated: May 25, 2026 · Effective: May 25, 2026

This Privacy Policy (“Policy”) describes, in general terms, how the team behind Ozor (“Ozor,” “we,” “us,” or “our”) collects, uses, discloses, retains, and otherwise processes information in connection with the Ozor website at ozor.ai, the Ozor application, the Ozor APIs, and any related products, features, content, or services that link to this Policy (collectively, the “Services”). By accessing or using the Services, you acknowledge that you have read and understood this Policy.

This Policy is incorporated by reference into our Terms of Service. Where terms used here are not defined, they have the meaning given to them in the Terms of Service. If you do not agree with this Policy, you should not access or use the Services.

1. At-a-glance summary

The following plain-language summary is provided for convenience only and does not replace the full Policy below. In the event of any conflict, the full Policy controls.

  • We collect the information you give us (account details, prompts, uploads, payment metadata), information generated through your use of the Services (projects, scenes, exports, usage data), and information collected automatically (device, log, and cookie data).
  • We use this information to operate, secure, support, personalize, and improve the Services, to communicate with you, to enforce our terms, to comply with law, and to develop new features (including improvements to our AI systems, as described in Section 5).
  • We do not sell your personal information for money. We do share information with vendors, payment processors, analytics providers, hosting providers, and other service providers acting on our behalf, and we may disclose information for legal, safety, and corporate-transaction reasons.
  • Depending on where you live, you may have rights such as access, correction, deletion, portability, restriction of processing, objection, and the right to opt out of certain uses. See Sections 12 and 13.
  • We retain information for as long as needed to provide the Services, comply with law, resolve disputes, and enforce our agreements. See Section 10.

2. Who we are and how to contact us

Ozor is operated by a team based in Chile. The entity responsible for the Services may be updated from time to time (for example, if we incorporate a new operating company or restructure our business). For the purposes of this Policy, the data controller (under the GDPR and UK GDPR) and the business (under the CCPA/CPRA) is the entity that currently operates Ozor and that you can reach at the contact details below. You can reach us at:

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland and would like to contact our designated representative or our Data Protection Officer (where applicable), please email privacy@ozor.ai with the subject line “EU/UK Representative.”

3. Scope of this Policy

This Policy applies to personal information we process about: visitors to our websites; users of the Ozor application; users of our APIs and integrations; prospective customers; recipients of our communications; and individuals whose information is submitted to us through the Services (for example, faces or voices that appear in uploaded media). It does not apply to:

  • Third-party websites, applications, or services that we do not operate, even if linked from the Services;
  • Information you provide directly to third parties (for example, your payment information on Polar.sh checkout pages); or
  • De-identified, aggregated, or anonymous information that cannot reasonably be linked to you.

4. Information we collect

4.1 Information you provide to us

  • Account information. When you sign in (currently via Google OAuth through Firebase Authentication), we receive your name, email address, profile photo URL, and a unique user identifier from your identity provider. We also store account settings, preferences, language, and the date you created your account.
  • Content you submit. This includes prompts, chat messages, documents, scripts, briefs, brand information (such as colors, fonts, logos, tone), images, audio, video, fonts, and any other materials you upload, paste, drag in, or otherwise provide to the Services (collectively, “User Content”).
  • Generated output. Projects, scenes, code, animations, exports, thumbnails, audio tracks, and other outputs created by the Services in response to your inputs (collectively, “Output”). Output is treated as User Content for the purposes of this Policy.
  • Payment and billing information. When you subscribe to a paid plan, our payment processor Polar.sh (and, where applicable, Stripe) collects your payment-method information directly. We receive limited billing metadata such as your plan, billing cycle, last four digits of your card or other tokenized identifier, billing country, transaction amounts, invoice history, refunds, chargebacks, and subscription status. We do not store full payment-card numbers on our servers.
  • Communications. When you contact us by email, fill out a form, respond to a survey, or otherwise communicate with us, we collect the contents of those communications and any information you choose to provide.
  • Business contacts. If you represent a business and reach out about partnerships, sales, or press, we may collect your name, employer, role, business contact information, and the contents of your inquiry.

4.2 Information we (or our providers) may collect automatically

When you use the Services, we and our service providers may automatically collect certain information about your device, connection, and use of the Services. The specific information collected depends on the features you use and the providers involved, and may change over time. It may include, for example:

  • Device and connection data, such as IP address, approximate location derived from IP, browser type and version, operating system, device type, and similar technical attributes.
  • Usage data, such as pages or screens visited, features used, referring or exit URLs, time spent, error events, and similar interaction information.
  • Product-event data, such as high-level events related to projects, scenes, chat messages, asset uploads, exports, plan changes, and credit usage.
  • Cookies and similar technologies. See Section 11 below for a general description of the cookies, local storage, session storage, pixels, and SDKs that may be used in connection with the Services (which today include, for example, providers such as PostHog, Vercel, and Firebase).

4.3 Information from third parties

  • Identity providers. Google (via Firebase Authentication) provides us with the basic profile information you authorize when you sign in.
  • Payment processors. Polar.sh and, where applicable, Stripe provide us with billing metadata, invoice events, fraud signals, and tax-related information.
  • Analytics, attribution, and infrastructure providers. Providers such as PostHog, Vercel, and Google Cloud may supply us with diagnostic, performance, security, or attribution information.
  • Publicly available sources. For limited purposes (such as security investigations, sanctions screening, or business development), we may obtain information from publicly available sources.

4.4 Sensitive information

The Services are not designed to collect special categories of personal data (such as data revealing racial or ethnic origin, religious beliefs, health, sexual orientation, precise geolocation, or government identifiers). Please do not upload or input sensitive information into the Services. If you do, you consent to our processing of that information for the purposes described in this Policy, to the extent permitted by applicable law.

5. How we use information

We use the categories of information described above for the following purposes:

  • Provide and operate the Services, including authenticating you, rendering scenes, running our AI agent, storing your projects and assets, generating exports, and delivering downloads.
  • Personalize your experience, including remembering your preferences, brand kit, recent projects, and onboarding state.
  • Process payments, manage subscriptions, calculate credit usage, issue invoices and receipts, and address billing disputes.
  • Communicate with you about your account, transactions, product updates, security alerts, support requests, and (where permitted) marketing.
  • Maintain, support, debug, and improve the Services, including troubleshooting issues, monitoring performance, fixing bugs, and developing new features.
  • Develop and improve our AI systems, including evaluating model output, measuring quality, building benchmarks, and (where the law allows it) training and fine-tuning models. We describe this in more detail below.
  • Conduct research and analytics, including aggregated and de-identified analysis of how the Services are used.
  • Protect the Services, our users, and the public, including detecting and preventing fraud, abuse, spam, security incidents, harmful content, and violations of our Terms of Service or other policies.
  • Comply with law and legal process, including responding to lawful requests from public authorities and enforcing our rights or those of others.
  • Facilitate corporate transactions, such as financings, acquisitions, reorganizations, and similar events.

5.1 AI model improvement

We may use information about how the Services are used — which may include, for example, prompts, chat messages, generated code and scenes, error events, edit patterns, and any feedback you choose to provide — to evaluate and improve the quality of the Services and of the AI systems used to power them. Where we use User Content for these purposes, we generally try to do so in de-identified or aggregated form, or in accordance with another lawful basis.

If you would prefer that we not use your User Content to improve our AI systems, please email privacy@ozor.ai with the subject line “AI Training Opt-Out,” and we will use commercially reasonable efforts to honor that request. Even if you opt out, we may still use diagnostic, security-related, and aggregated or de-identified usage information to operate, secure, and improve the Services.

5.2 De-identified and aggregated information

We may create de-identified or aggregated information from personal information (for example, statistics about feature usage or model performance). Once information is de-identified or aggregated such that it can no longer reasonably be linked to you or your device, we may use and share it for any lawful purpose and without further notice to you. We maintain de-identified information without attempting to re-identify it, except as permitted by law.

6. Legal bases for processing (EEA, UK, and Switzerland)

To the extent the GDPR or UK GDPR applies to our processing of your personal data (for example, because you are located in the EEA, UK, or Switzerland), we generally rely on one or more of the following legal bases, depending on the specific processing activity and the context in which information is collected:

  • Performance of a contract (Article 6(1)(b)) — to provide the Services you have requested, to manage your account, and to process your payments.
  • Legitimate interests (Article 6(1)(f)) — to secure and improve the Services, to prevent fraud and abuse, to develop new features and AI systems, to communicate with you about the Services, and to operate our business. We have assessed that these interests are not overridden by your rights and interests.
  • Compliance with legal obligations (Article 6(1)(c)) — to meet our obligations under tax, accounting, consumer protection, anti-fraud, anti-money-laundering, and other applicable laws.
  • Consent (Article 6(1)(a)) — for certain marketing communications, optional cookies, and other processing that requires your affirmative consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Vital interests and public interest (Article 6(1)(d) and (e)) — in limited and exceptional cases, such as to protect against serious threats.

7. How we share information

We share personal information with the following categories of recipients, only as needed for the purposes described in this Policy and subject to appropriate contractual and technical safeguards:

  • Service providers and processors. Vendors that provide infrastructure, authentication, storage, content delivery, analytics, error monitoring, customer support, communications, payment processing, fraud prevention, and similar functions on our behalf. These providers process personal information only under our instructions and pursuant to appropriate data-processing terms.
  • Payment processors. Polar.sh and, where applicable, Stripe process your payment-method information directly and operate as independent controllers for certain payment-related processing.
  • Affiliates. Our current and future parents, subsidiaries, and other companies under common control, for the purposes described in this Policy.
  • Professional advisors. Lawyers, accountants, auditors, consultants, insurers, and similar advisors, where reasonably necessary.
  • Law enforcement and others for legal reasons. Government authorities, regulators, courts, and other parties when we believe in good faith that disclosure is necessary to comply with applicable law, respond to valid legal process (such as a subpoena or court order), enforce our agreements, protect the rights, property, or safety of Ozor, our users, or others, or detect, prevent, or address fraud, security, or technical issues.
  • Business transfers. Counterparties and their advisors in connection with an actual or proposed financing, merger, acquisition, reorganization, sale of assets, bankruptcy, or similar event. If such a transaction occurs, the recipient will be subject to obligations consistent with this Policy in respect of the transferred information.
  • With your direction or consent. When you ask us to share your information with a third party (for example, by sharing or embedding a video, or connecting an integration), or when you otherwise consent to the sharing.

7.1 Examples of subprocessors

By way of example, the principal categories of subprocessors that may be involved in delivering the Services currently include providers such as:

  • Google LLC / Google Cloud — hosting, storage, and infrastructure.
  • Firebase (Google) — authentication and file storage.
  • Vercel Inc. — web hosting, edge delivery, and web analytics.
  • PostHog Inc. — product analytics and event capture.
  • Polar.sh — subscription management and checkout.
  • Stripe, Inc. — payment processing (via Polar.sh or directly, where applicable).
  • Anthropic, OpenAI, and other AI model providers — large language and multimodal model inference used by our AI agent.
  • Email and communications providers — transactional email and customer messaging.

This list is illustrative and not exhaustive. We may add, remove, or replace subprocessors from time to time without separate notice. The list above reflects our general practices as of the “Last updated” date at the top of this Policy, and may not include every provider involved at any given moment.

8. International data transfers

Our team is based in Chile, and personal information may be processed and stored in Chile, in the United States, in the European Union, and in other countries where we, our affiliates, or our subprocessors operate. The data protection laws in those countries may differ from the laws of your country of residence. Where we transfer personal data out of the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we will use appropriate safeguards recognized under applicable law where required, such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism. You can request more information about the safeguards we use by contacting privacy@ozor.ai.

9. Security

We use reasonable technical, administrative, and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and loss. These may include, depending on the context, encryption in transit, encryption at rest for stored files, scoped or signed URLs for asset access, access controls, infrastructure provided by reputable cloud vendors, and periodic review of our practices. No method of transmission over the internet or method of electronic storage is, however, completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying us promptly if you suspect any unauthorized use of your account.

10. Data retention

We generally retain personal information for as long as we reasonably consider it necessary for the purposes described in this Policy, taking into account factors such as the nature and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, our legitimate business needs, and applicable legal, tax, accounting, and dispute-resolution requirements. By way of illustration, this may include:

  • Account data: generally retained while your account is active and for a reasonable period afterward.
  • User Content and Output: generally retained until you delete it or close your account, after which we aim to delete or de-identify it within a commercially reasonable period, subject to backups and any applicable legal holds.
  • Billing and transactional records: retained for the periods required or recommended by applicable tax, accounting, and similar laws.
  • Logs, analytics, and security data: retained for as long as we consider useful for operating, securing, and improving the Services.
  • Communications: retained for as long as we consider necessary to provide support and in accordance with our general records practices.

When we no longer need personal information, we will take reasonable steps to delete, anonymize, or securely archive it. Backups and disaster-recovery copies may persist for an additional period before being overwritten in the ordinary course.

11. Cookies and similar technologies

We and our service providers use cookies, local storage, session storage, pixels, software development kits (SDKs), and similar technologies (collectively, “Cookies”) to operate the Services, remember your preferences, authenticate sessions, measure performance, and understand how the Services are used.

The categories of Cookies we use include:

  • Strictly necessary. Required to authenticate you, secure the Services, and remember critical state (for example, session tokens, asset URL caches, onboarding state, and pending prompts).
  • Functional. Used to remember your preferences (such as language, theme, last-used aspect ratio, or saved drafts).
  • Analytics and performance. Used to understand how the Services are used, including via PostHog and Vercel Analytics. These help us identify bugs, prioritize features, and measure performance.
  • Marketing and attribution. Used in limited cases to measure the effectiveness of our marketing and to understand how users arrive at the Services.

You can manage Cookies through your browser settings, including blocking or deleting Cookies. Some browsers offer a “Do Not Track” or Global Privacy Control (“GPC”) signal. Where we are required by law to recognize the GPC signal as a valid opt-out request (such as in California), we will do so. Otherwise, we may not respond to such signals, given the lack of a common standard. Blocking certain Cookies may impact your ability to use the Services.

12. Your rights

Subject to applicable law and certain exceptions, you may have the following rights with respect to your personal information:

  • Access — to obtain confirmation of whether we process your personal information and a copy of that information.
  • Rectification / Correction — to correct inaccurate or incomplete personal information.
  • Deletion / Erasure — to request deletion of your personal information, subject to legal exceptions.
  • Restriction — to limit how we process your personal information in certain circumstances.
  • Objection — to object to certain processing based on legitimate interests, including direct marketing.
  • Portability — to receive certain personal information in a portable, machine-readable format.
  • Withdraw consent — where processing is based on consent, to withdraw that consent at any time.
  • Opt out of certain uses — including, as described in Section 5.1, the use of your User Content to improve our AI systems.
  • Lodge a complaint — with a supervisory authority in your jurisdiction. We would, however, appreciate the chance to address your concerns first.

To exercise these rights, please email privacy@ozor.ai from the email associated with your account, or use the in-product tools where available (you can delete your account from the settings page). We may need to verify your identity before completing your request and may decline requests that are unfounded, repetitive, or as otherwise permitted by law. We will respond within the time period required by applicable law. You may also authorize an agent to make a request on your behalf, subject to verification.

13. U.S. state privacy rights

This section provides additional disclosures for residents of certain U.S. states, including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, and other states with comprehensive privacy laws.

13.1 California (CCPA / CPRA)

In the preceding 12 months, we have collected the following categories of personal information described in the CCPA: identifiers (such as name, email, and IP address); customer records (such as billing details); commercial information (such as plan and transaction history); internet or other electronic network activity information (such as usage and device data); geolocation information (approximate, derived from IP); audio, electronic, visual, or similar information (User Content); professional or employment-related information (limited, for business contacts); and inferences drawn from the foregoing.

We collected this information from the sources described in Section 4 and used and disclosed it for the purposes described in Sections 5 and 7. We disclose categories of personal information to service providers and contractors as described in Section 7.

We do not “sell” personal information in exchange for money. Depending on how the term is interpreted, our use of certain analytics and advertising Cookies may be considered “sharing” for cross-context behavioral advertising under the CPRA. You can opt out of such sharing by emailing privacy@ozor.ai with the subject line “Do Not Sell or Share My Personal Information,” or by enabling a recognized Global Privacy Control signal in your browser.

California residents also have the right to: (i) know what personal information we collect, use, disclose, and (if applicable) sell or share about them; (ii) request deletion of personal information; (iii) request correction of inaccurate personal information; (iv) limit the use of sensitive personal information; and (v) be free from unlawful discrimination for exercising their rights.

13.2 Other states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, and other states with applicable laws may have rights similar to those described above, including the right to confirm processing of, access, correct, and delete personal data, the right to data portability, and the right to opt out of certain processing such as targeted advertising, the sale of personal data, and certain forms of profiling. We do not use personal data for profiling that produces legal or similarly significant effects about you. You may exercise these rights, including appealing a denial, by contacting privacy@ozor.ai.

14. Children’s privacy

The Services are not directed to children under the age of 13 (or under the age of 16 in the EEA, UK, and certain other jurisdictions), and we do not knowingly collect personal information from children below that age. If you are a parent or guardian and believe that a child has provided us with personal information without your consent, please contact privacy@ozor.ai so that we can take appropriate action, including deleting the information from our systems.

15. Automated decision-making

We do not use your personal information to make decisions that produce legal or similarly significant effects about you solely through automated means without human involvement. The Output of our AI agent is generated automatically based on your inputs, but it is provided to you as creative output for your review and does not constitute an automated decision in the legal sense.

16. Third-party services and links

The Services may include links to, or integrations with, third-party websites, applications, or services that we do not own or control. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third party before providing personal information to them. Our inclusion of third-party links or integrations does not imply endorsement of those third parties.

17. Third-party content uploaded by users

If you upload User Content that contains personal information about other individuals (for example, photos, voices, names, or contact information), you are responsible for ensuring that you have the necessary rights, permissions, and lawful bases under applicable law to upload that content and to allow us to process it as described in this Policy. If an individual whose personal information appears in your User Content contacts us with a privacy request, we may need to contact you to identify the relevant content or to remove it.

18. Marketing communications

Where permitted by law, we may send you marketing communications about new features, tips, offers, and events. You can opt out of marketing emails at any time by clicking the “unsubscribe” link in any marketing email or by emailing privacy@ozor.ai. We may continue to send you non-marketing, transactional, or service-related messages (such as account, billing, security, and support communications) as long as you have an active account.

19. Changes to this Policy

We may update this Policy from time to time to reflect changes to our practices, the Services, applicable law, or for other operational, legal, or regulatory reasons. When we make changes, we will revise the “Last updated” date at the top of this Policy. If the changes are material, we will provide additional notice (such as a banner in the application, an email to the address associated with your account, or another reasonable form of notice). Your continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the updated Policy, to the extent permitted by applicable law.

20. Contact us

If you have questions about this Policy or our privacy practices, or would like to exercise any of your rights, please contact us at:

This Privacy Policy is provided for informational purposes and does not constitute legal advice. You should consult your own legal counsel about how privacy and data protection laws apply to your use of the Services.