
Obra Privacy Policy

Version: 1.4
Last Updated: December 4, 2025
Effective Date: December 4, 2025


1. Introduction

This Privacy Policy describes how Unpossible Creations, Inc. ("we," "us," "our," or "Obra") collects, uses, stores, and protects information when you use the Obra beta software and related services ("Software" or "Service").

This Privacy Policy applies to:

  • The Obra SaaS Service (Firebase-based orchestration)
  • The Obra Local Installation (obra-client)
  • The Obra website (obra.dev)

By using the Software, you agree to this Privacy Policy and our Beta Software Agreement. Your acceptance of the Beta Software Agreement constitutes your explicit consent to the data practices described in this Privacy Policy. The click-through acceptance required during software setup serves as documented consent.


2. Data Controller

Unpossible Creations, Inc.

For privacy inquiries, contact: privacy@obra.dev


3. Information We Collect

3.1 Information You Provide

Account Information (SaaS Service only):

  • Email address (for authentication)
  • Account credentials (managed by Firebase Auth)
  • API key configurations (stored encrypted)

Feedback and Communications:

  • Bug reports, feature requests, and support inquiries you submit
  • Any other information you voluntarily provide

3.2 Information Collected Automatically

Orchestration Metadata (SaaS Service):

  • Project names and identifiers
  • Task descriptions and session status
  • Workflow state and iteration counts
  • Timestamps and session durations
  • Error messages and stack traces (for debugging)

Technical Information:

  • IP addresses (logged temporarily for security)
  • Browser/client type and version
  • Operating system information

Usage Analytics (optional, if enabled):

  • Feature usage patterns
  • Performance metrics
  • Error rates and types

3.3 Information We Do NOT Intentionally Collect

We do NOT intentionally collect or store:

  • Source code - The Service is not designed to receive or store your source code on Obra servers
  • Repository contents - File contents are not intentionally transmitted to Obra servers
  • Credentials or secrets - API keys you configure are stored locally or encrypted
  • Personal data from your projects - We do not process your end-users' data

Important: While Obra servers are not designed to receive or store your source code, your configuration of local agents may cause code to be transmitted to Obra servers and/or Third-Party LLM Providers. You are solely responsible for this configuration.

Incidental Data: Error logs, stack traces, file paths, or user-submitted feedback may incidentally contain fragments of source code or other content from your projects. We do not use such incidental data for any purpose other than debugging and support, and such data is subject to the log retention periods described in Section 6.3.


4. How We Use Your Information

We use collected information to:

  1. Provide the Service: Operate and maintain the Obra orchestration platform
  2. Improve the Service: Analyze usage patterns to improve functionality
  3. Debug and Support: Diagnose technical issues and respond to support requests
  4. Security: Detect and prevent fraud, abuse, and security threats
  5. Communications: Send service-related notices and updates
  6. Legal Compliance: Comply with applicable laws and legal obligations
  7. Terms Acceptance Logging: Record and maintain audit trails of your acceptance of the Beta Software Agreement and this Privacy Policy, including:
    • License key identifier (tester_id)
    • Terms version accepted
    • Privacy Policy version accepted
    • Timestamp of acceptance
    • Client version and source (e.g., CLI setup)
    • IP address (for audit purposes)

These acceptance records are maintained for legal compliance and may be retained indefinitely to demonstrate valid consent.

We do NOT:

  • Sell your personal information
  • Use your data for advertising
  • Share your data with third parties for their marketing purposes

Regarding AI training: We do not train AI models on your data using models and systems we control. However, Third-Party LLM Providers may use data you send to them for training or other purposes in accordance with their own policies. You are responsible for reviewing provider terms and configuring provider settings (such as data opt-out options) to meet your privacy requirements. See Section 5 for more information.


5. Third-Party LLM Providers

5.1 Data Transmission to LLM Providers

When you use Obra, your prompts and context may be transmitted to Third-Party LLM Providers based on your configuration. These providers include (without limitation) providers of large language models and generative AI services.

Important: Each Third-Party LLM Provider has its own privacy policy and data practices. We strongly encourage you to review their policies:

  • Review each provider's privacy policy before use
  • Configure API keys and usage according to your privacy requirements
  • Understand that data transmitted to providers is subject to their terms

5.2 Our Relationship with LLM Providers

  • We do not control how Third-Party LLM Providers process your data
  • We are not responsible for their data practices
  • Data you transmit to them is governed by their privacy policies
  • We recommend using providers' data privacy options where available

6. Data Storage and Security

6.1 Storage Location

SaaS Service Data:

  • Stored in Firebase/Google Cloud Platform infrastructure
  • Primary data center location: United States
  • Data may be processed in multiple geographic regions

Local Installation Data:

  • Stored locally on your device
  • We do not have direct access to locally stored data (however, error logs or user-submitted feedback may incidentally contain fragments as described in Section 3.3)

6.2 Security Measures

We implement reasonable security measures including:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest for sensitive data
  • Access controls and authentication
  • Regular security reviews

Important Disclaimer: This is beta software that has NOT undergone formal security certification. We make no guarantees regarding security. See our Beta Software Agreement for full disclaimers.

6.3 Data Retention

Active Accounts:

  • Account data retained while account is active
  • Orchestration metadata retained for service operation
  • Logs retained for up to 90 days

Account Deletion:

  • Upon request, we will delete your account data within 30 days
  • Some data may be retained for legal compliance
  • Aggregated, anonymized data may be retained indefinitely

For purposes of this section, "anonymized" means data from which all personal identifiers have been permanently and irreversibly removed such that the data cannot reasonably be linked back to any individual by us or any third party.

Beta Termination:

  • At the conclusion of the beta period, ALL user data, logs, session state, and account information may be PERMANENTLY DELETED without prior notice
  • No data will be migrated to any future version of the Software

7. Data Sharing

We may share your information with:

7.1 Service Providers

Third-party services that help us operate the Software:

  • Firebase/Google Cloud Platform (hosting and authentication)
  • Error tracking and monitoring services

A current list of sub-processors is maintained at https://obra.dev/legal/subprocessors (or, until such page is created, comprises: Google Cloud Platform/Firebase for hosting, authentication, and database services).

We may disclose information if required by law or in response to:

  • Valid legal process (subpoenas, court orders)
  • Government requests
  • Protection of our legal rights
  • Emergency situations involving safety

7.3 Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will endeavor to notify you of any such change where commercially practicable. If you object to the transfer, you may terminate your account and request deletion of your data prior to the transfer effective date.


8. Your Rights and Choices

8.1 Access and Portability

You may request:

  • A copy of the personal data we hold about you
  • Information about how we process your data

8.2 Correction

You may request correction of inaccurate personal data.

8.3 Deletion

You may request deletion of your personal data held by Obra by contacting us at privacy@obra.dev. We will respond within 30 days, or such shorter period as required by applicable law.

Limitations: We may retain certain data for legal compliance, fraud prevention, or legitimate business purposes. Deletion requests apply only to data we hold; data previously transmitted to Third-Party LLM Providers must be addressed directly with those providers under their respective privacy policies.

8.4 Opt-Out

You may:

  • Disable optional analytics (if available)
  • Stop using the Service at any time
  • Request account deletion

8.5 Do Not Track

We do not currently respond to "Do Not Track" browser signals.


9. International Data Transfers

If you are located outside the United States, your data may be transferred to and processed in the United States. By using the Service, you consent to this transfer.

We do not independently maintain standard contractual clauses or participate in formal cross-border data transfer programs. Our infrastructure providers (including Firebase/Google Cloud Platform) maintain their own transfer mechanisms, which we rely upon solely as a customer of those services. To the extent such mechanisms provide a legal basis for transfers, any such basis flows from the provider's frameworks, not from any commitment by us. If you nonetheless choose to provide personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, you acknowledge that such data will be processed in the United States.


10. Children's Privacy

The Software is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.


11. Regulatory Compliance Disclaimer

This Software is not designed to meet the requirements of:

  • GDPR (General Data Protection Regulation)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • SOC2
  • PCI-DSS
  • FERPA
  • CCPA (California Consumer Privacy Act)
  • Any other regulatory framework

This Software is not intended for use cases that would subject us or you to these regulatory frameworks. To the maximum extent permitted by applicable law, the applicability of such frameworks to your use of this beta Software is disclaimed. If and to the extent any such laws do apply notwithstanding this disclaimer, we will honor applicable rights as described in Section 8.


12. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). However, this Software is not intended for consumer use and is not designed to meet CCPA compliance requirements. Based on the nature of this beta Software for professional technical evaluation, CCPA applicability is disclaimed to the maximum extent permitted by law.

We do not sell personal information as defined under the CCPA.

If and to the extent CCPA does apply to you and to us, you may exercise your California privacy rights by contacting us at privacy@obra.dev, and we will handle your request in accordance with applicable law.


13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted at https://obra.dev/privacy with an updated "Last Updated" date.

For material changes, we will provide notice via email or prominent notice on the Service at least 14 days before the changes take effect.

Your continued use after changes take effect constitutes acceptance of the updated policy.


14. Contact Us

For privacy-related inquiries or to exercise your rights:

Email: privacy@obra.dev

Alternate Contact: If you are unable to reach us by email, you may send written correspondence to the address registered with the Delaware Secretary of State for Unpossible Creations, Inc.

Data Controller: Unpossible Creations, Inc.

We will respond to inquiries within 30 days, or such shorter period as required by applicable law.


15. Additional Information

15.1 Cookies

The obra.dev website may use cookies for:

  • Session management
  • Authentication
  • Analytics (if enabled)

You can control cookies through your browser settings.

The Service may contain links to third-party websites. We are not responsible for their privacy practices.

