Skip to content

Obra Privacy Policy

Version: 1.5 Last Updated: December 10, 2025 Effective Date: December 10, 2025

1. Introduction

This Privacy Policy describes how Unpossible Creations, Inc. ("we," "us," "our," or "Obra") collects, uses, stores, and protects information when you use the Obra beta software and related services ("Software" or "Service").

This Privacy Policy applies to:

  • The Obra SaaS Service (Firebase-based orchestration)
  • The Obra CLI (installed via pipx install obra)
  • The Obra website (obra.dev)

By using the Software, you agree to this Privacy Policy and our Beta Software Agreement. Your acceptance of the Beta Software Agreement constitutes your explicit consent to the data practices described in this Privacy Policy. The click-through acceptance required during software setup serves as documented consent.

2. Data Controller

Unpossible Creations, Inc.

For privacy inquiries, contact: privacy@obra.dev

3. Information We Collect

Data Collection Summary

The following table summarizes the data we collect. See detailed sections below for complete information.

Data Type What It Includes Stored on Obra Servers Sent to LLM Providers Retention
Account Data Email, Firebase UID, auth tokens Yes No Active + 30 days
Task Inputs Objectives, requirements, all text you provide Yes Yes 90 days after session
AI Outputs All LLM responses: summaries, code, technical content Yes Received from them 90 days after session
Session State Generated prompts, previous results, continuation context Yes Yes (as prompts) 90 days after session
File References Working directory paths, file/directory names Yes Yes (in context) 90 days after session
Quality Metrics Validation scores, confidence levels, decisions Yes No 90 days after session
Error Data Stack traces, error messages, debugging info Yes No 90 days
Observability Events Session events, timestamps, workflow state Yes No 30 days

Note: Data sent to Third-Party LLM Providers is also subject to their retention policies, which we do not control. See Section 5.

3.1 Information You Provide

Account Information (SaaS Service only):

  • Email address (for authentication)
  • Account credentials (managed by Firebase Auth)
  • API key configurations (stored encrypted locally or on our servers)

Feedback and Communications:

  • Bug reports, feature requests, and support inquiries you submit
  • Any other information you voluntarily provide

3.2 Orchestration Data (SaaS Service)

When you use the Obra SaaS Service, we collect and store the following data as part of your orchestration sessions:

Your Inputs:

  • Task descriptions, objectives, and any instructions you provide
  • Requirements, constraints, and validation rules you specify
  • Any other text, context, or content you submit to the orchestration system

AI Model Interactions:

  • All prompts generated and sent to AI models on your behalf
  • All responses and outputs received from AI models, including intermediate iteration results and final outputs
  • Generated continuation prompts used to maintain multi-iteration sessions

Session State:

  • All data necessary to maintain, resume, and replay your orchestration sessions
  • Previous iteration results and feedback used for context continuity
  • Working directory paths and file system references from your environment

Quality and Workflow Metrics:

  • Validation scores, confidence levels, and quality assessments
  • Iteration counts, session status, and orchestration action decisions
  • Issue counts and categorizations from automated quality review

Technical and Diagnostic Data:

  • Timestamps for session creation, activity, and expiration
  • Error messages, stack traces, and exception details
  • Request metadata including client version and session identifiers

IMPORTANT - Content in AI Outputs:

AI-generated outputs stored as part of your session state will frequently contain:

  • Code snippets, algorithms, or implementation details
  • File names, class names, function names, and project structure information
  • Configuration values, environment details, or system paths
  • Technical descriptions that reflect your project's architecture
  • Any other content the AI model generates based on your inputs

While we do not request or require your source code, the nature of AI orchestration means that AI-generated summaries, results, and outputs will include, reproduce, or reference substantive technical content including code. This content is stored as part of your session data and transmitted to Third-Party LLM Providers.

3.3 Technical Information

  • IP addresses (logged for security and abuse prevention)
  • Browser/client type and version
  • Operating system information
  • Request timing and performance metrics

3.4 Usage Analytics (optional, if enabled)

  • Feature usage patterns
  • Performance metrics
  • Error rates and types

3.5 Sensitive Data Considerations

Data We Do NOT Intentionally Request:

The Obra Service does not request or require you to provide:

  • Source code files or repository contents
  • Authentication credentials, API keys, passwords, or secrets
  • Personal data of your end-users or customers
  • Regulated data (health, financial, government ID, etc.)

HOWEVER, You Must Understand:

AI Outputs Will Contain Technical Content: AI models generate outputs that include code snippets, implementation details, configuration examples, and other technical content. These outputs are stored as part of your session. We cannot control or filter what AI models include in their responses.

Your Inputs Become Stored Data: Any information you include in task descriptions, requirements, or instructions is stored in your session. If you include code, credentials, proprietary information, or other sensitive content in your inputs, that content will be stored on our servers and transmitted to Third-Party LLM Providers.

Incidental Capture: The following should be assumed to be captured and stored as part of normal service operation:

  • File paths, directory names, and project structure (from working directory references and AI outputs)
  • Code fragments, function names, class names (in AI outputs or error messages)
  • Configuration values and environment details (in error context or AI outputs)
  • Stack traces that may include variable values, file contents, or other runtime data
  • Any content that appears in error messages, logs, or AI model responses

Accidental Sensitive Data: If you accidentally include credentials, secrets, API keys, or other sensitive data in your inputs, or if such data appears in AI outputs or error messages, that data will be stored as part of your session. We do not automatically detect or redact sensitive data.

3.6 No Monitoring or Filtering of Content

We do not monitor, review, scan, filter, or redact the content of your sessions.

Specifically, we do NOT:

  • Scan inputs for credentials, secrets, API keys, or passwords
  • Filter AI outputs for sensitive or proprietary content
  • Detect or remove personal data, health information, or regulated data
  • Review sessions for compliance with any policies or regulations
  • Verify that you have rights to submit the content you provide

All content is stored as-is. If sensitive data enters your session through your inputs or AI outputs, it will be stored without special handling.

This is your responsibility, not ours. You must ensure appropriate content enters your sessions.

3.7 Regulated and Sensitive Data Warning

Do not submit, and configure your tasks to avoid generating:

  • Health or medical information (HIPAA-protected data)
  • Payment card numbers or financial account details (PCI-DSS data)
  • Government identification numbers (SSN, passport numbers, driver's license numbers, etc.)
  • Biometric identifiers
  • Data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, or sexual orientation
  • Children's personal information
  • Data subject to attorney-client privilege or other legal protections
  • Data subject to regulatory frameworks (HIPAA, PCI-DSS, FERPA, GLBA, SOX, etc.)

If such data is included in your inputs or appears in AI outputs:

  • It will be stored on Obra servers without special protection
  • It will be transmitted to Third-Party LLM Providers per your configuration
  • We provide no compliance guarantees for any regulatory framework
  • You assume all risk and liability for any resulting non-compliance
  • You release and indemnify Obra against all related claims (per Beta Software Agreement Section 18)

3.8 Automated Processing and Decision-Making

The Service uses automated processing to operate your orchestration sessions:

Automated Calculations:

  • Validation scores assessing whether AI outputs meet your stated objectives
  • Confidence levels indicating certainty of task completion
  • Quality metrics evaluating output characteristics

Automated Decisions:

  • Whether to continue to another iteration or mark session complete
  • Whether to escalate to human review (breakpoint)
  • What continuation prompt to generate for the next iteration

Impact: These automated processes directly control your session progression without human review. Decisions are based on AI model outputs evaluated against programmatic rules.

No Human Review: Automated decisions are not reviewed by Obra staff unless you specifically contact support with concerns.

Your Recourse: You can review all stored metrics and decisions in your session data. If you disagree with an automated decision, you may start a new session with modified inputs.

3.9 Your Responsibility

You are solely responsible for:

  1. Content decisions: Choosing what information to include in task descriptions
  2. Secret exclusion: Never including credentials, API keys, passwords, tokens, or secrets in your inputs
  3. Proprietary content awareness: Understanding that detailed task descriptions may cause AI to generate related technical content
  4. Output review: Reviewing what AI generates before relying on or distributing it
  5. Compliance obligations: Ensuring your use complies with any confidentiality, NDA, employment, or regulatory obligations you have
  6. Safe environments: Using sandboxed, non-production environments as required by the Beta Software Agreement

Assumption of Risk for Sensitive Data:

If, despite these warnings, you include sensitive, confidential, proprietary, or regulated data in your inputs—or if AI outputs contain such data—you acknowledge and agree that:

  • Such data will be stored on Obra servers
  • Such data will be transmitted to Third-Party LLM Providers per your configuration
  • We provide no special protection beyond the standard security measures described herein
  • We have no duty to detect, filter, or protect such data
  • You assume all risk of exposure, unauthorized access, breach, or misuse
  • You release Obra from all liability related to such data
  • You will indemnify Obra against any claims arising from such data (per Beta Software Agreement Section 18)
  • You are solely responsible for any regulatory non-compliance, fines, or penalties

Treat all data sent to Obra as stored, logged, transmitted to third parties, and subject to legal disclosure. Do not use Obra with any data you cannot accept these risks for.

3.10 Future Data Collection

As the Service evolves, we may collect additional categories of data beyond those listed above. We may also collect more detailed information within existing categories. Material changes to data collection will be communicated per Section 13. We recommend reviewing this policy periodically.

4. How We Use Your Information

We use collected information to:

  1. Provide the Service: Operate and maintain the Obra orchestration platform, including storing session state for resume functionality
  2. Improve the Service: Analyze usage patterns to improve functionality
  3. Debug and Support: Diagnose technical issues and respond to support requests
  4. Security: Detect and prevent fraud, abuse, and security threats
  5. Communications: Send service-related notices and updates
  6. Legal Compliance: Comply with applicable laws and legal obligations
  7. Terms Acceptance Logging: Record and maintain audit trails of your acceptance of the Beta Software Agreement and this Privacy Policy, including:
    • User identifier
    • Terms version accepted
    • Privacy Policy version accepted
    • Timestamp of acceptance
    • Client version and source (e.g., CLI setup)
    • IP address (for audit purposes)

These acceptance records are maintained for legal compliance and may be retained indefinitely to demonstrate valid consent

We do NOT:

  • Sell your personal information
  • Use your data for advertising
  • Share your data with third parties for their marketing purposes

Regarding AI training: We do not train AI models on your data using models and systems we control. However, Third-Party LLM Providers may use data you send to them for training or other purposes in accordance with their own policies. You are responsible for reviewing provider terms and configuring provider settings (such as data opt-out options) to meet your privacy requirements. See Section 5 for more information.

5. Third-Party LLM Providers

5.1 Data Transmission to LLM Providers

When you use Obra, your task descriptions, prompts, context, and session data are transmitted to Third-Party LLM Providers based on your configuration. These providers include (without limitation) providers of large language models and generative AI services.

Data sent to Third-Party LLM Providers includes:

  • Your task descriptions and objectives
  • Generated prompts (which include your requirements and context)
  • Previous iteration results (for context continuity)
  • Working directory paths and file references
  • Any other content necessary for orchestration

Important: Each Third-Party LLM Provider has its own privacy policy and data practices. We strongly encourage you to review their policies:

  • Review each provider's privacy policy before use
  • Configure API keys and usage according to your privacy requirements
  • Understand that data transmitted to providers is subject to their terms
  • Be aware that providers may retain data beyond what Obra retains

5.2 Our Relationship with LLM Providers

  • We do not control how Third-Party LLM Providers process your data
  • We are not responsible for their data practices
  • Data you transmit to them is governed by their privacy policies
  • We recommend using providers' data privacy options where available
  • Provider data retention is independent of Obra's retention policies

6. Data Storage and Security

6.1 Storage Location

SaaS Service Data:

  • Stored in Firebase/Google Cloud Platform infrastructure
  • Primary data center location: United States
  • Data may be processed in multiple geographic regions
  • Data may be replicated across data centers for reliability

Local Installation Data:

  • Stored locally on your device
  • We do not have direct access to locally stored data (however, error logs or user-submitted feedback may incidentally contain fragments as described in Section 3.5)

6.2 Security Measures

We implement reasonable security measures including:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest for sensitive data
  • Access controls and authentication
  • Regular security reviews

Important Disclaimer: This is beta software that has NOT undergone formal security certification. We make no guarantees regarding security. See our Beta Software Agreement for full disclaimers.

6.3 Data Retention

Active Sessions and Accounts:

  • Account data retained while account is active
  • Session data (inputs, outputs, state) retained for up to 90 days after session completion
  • Observability events retained for up to 30 days
  • Logs retained for up to 90 days

Backup and Disaster Recovery Retention:

Data stored in Firebase/Google Cloud is subject to automatic backup and replication:

  • Active backups: Data may be replicated across multiple data centers in real-time
  • Point-in-time backups: May retain data for up to 30 days after deletion from primary storage
  • Disaster recovery: May retain data for up to 90 days in recovery systems

Upon deletion request:

  • Primary database records will be deleted within 30 days
  • Backup systems will naturally expire copies within 30-90 additional days
  • We cannot guarantee immediate deletion from all backup and replica systems
  • Aggregated, anonymized statistics derived from your data may persist indefinitely
  • You cannot selectively delete content within sessions—deletion applies to entire sessions

For purposes of this section, "anonymized" means data from which all personal identifiers have been permanently and irreversibly removed such that the data cannot reasonably be linked back to any individual by us or any third party.

Legal and Compliance Holds:

Data may be preserved beyond normal retention periods if:

  • Required by law, subpoena, or legal process
  • Relevant to pending or reasonably anticipated litigation
  • Necessary to investigate potential violations of our Terms
  • Required to protect our legal rights or property

Beta Termination:

  • At the conclusion of the beta period, ALL user data, logs, session state, and account information may be PERMANENTLY DELETED without prior notice
  • No data will be migrated to any future version of the Software

7. Data Sharing

We may share your information with:

7.1 Service Providers

Third-party services that help us operate the Software:

  • Firebase/Google Cloud Platform (hosting, authentication, database)
  • Error tracking and monitoring services
  • Third-Party LLM Providers (per your configuration—see Section 5)

A current list of sub-processors is maintained at https://obra.dev/legal/subprocessors (or, until such page is created, comprises: Google Cloud Platform/Firebase for hosting, authentication, and database services).

We may disclose information if required by law or in response to:

  • Valid legal process (subpoenas, court orders)
  • Government requests
  • Protection of our legal rights
  • Emergency situations involving safety

All session data, including your inputs and AI outputs, may be subject to legal disclosure.

7.3 Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will endeavor to notify you of any such change where commercially practicable. If you object to the transfer, you may terminate your account and request deletion of your data prior to the transfer effective date.

8. Your Rights and Choices

8.1 Access and Portability

You may request:

  • A copy of the personal data we hold about you
  • Information about how we process your data

Note: Session data exports include all stored inputs, outputs, and metadata. We cannot provide selective exports of session content.

8.2 Correction

You may request correction of inaccurate personal data (such as account information). Session content (inputs and AI outputs) cannot be selectively corrected—you would need to request session deletion and create a new session.

8.3 Deletion

You may request deletion of your personal data held by Obra by contacting us at privacy@obra.dev. We will respond within 30 days, or such shorter period as required by applicable law.

Limitations:

  • We may retain certain data for legal compliance, fraud prevention, or legitimate business purposes
  • Deletion applies to entire sessions, not selective content within sessions
  • Backup systems may retain data for up to 90 days after primary deletion
  • Deletion requests apply only to data we hold; data previously transmitted to Third-Party LLM Providers must be addressed directly with those providers under their respective privacy policies
  • Aggregated, anonymized statistics may be retained indefinitely

8.4 Opt-Out

You may:

  • Disable optional analytics (if available)
  • Stop using the Service at any time
  • Request account deletion

8.5 Do Not Track

We do not currently respond to "Do Not Track" browser signals.

9. International Data Transfers

If you are located outside the United States, your data may be transferred to and processed in the United States. By using the Service, you consent to this transfer.

We do not independently maintain standard contractual clauses or participate in formal cross-border data transfer programs. Our infrastructure providers (including Firebase/Google Cloud Platform) maintain their own transfer mechanisms, which we rely upon solely as a customer of those services. To the extent such mechanisms provide a legal basis for transfers, any such basis flows from the provider's frameworks, not from any commitment by us. If you nonetheless choose to provide personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, you acknowledge that such data will be processed in the United States.

10. Children's Privacy

The Software is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

Do not use Obra with projects that involve children's personal data.

11. Regulatory Compliance Disclaimer

This Software is not designed to meet the requirements of:

  • GDPR (General Data Protection Regulation)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • SOC2
  • PCI-DSS
  • FERPA
  • CCPA (California Consumer Privacy Act)
  • Any other regulatory framework

This Software is not intended for use cases that would subject us or you to these regulatory frameworks. To the maximum extent permitted by applicable law, the applicability of such frameworks to your use of this beta Software is disclaimed. If and to the extent any such laws do apply notwithstanding this disclaimer, we will honor applicable rights as described in Section 8.

12. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). However, this Software is not intended for consumer use and is not designed to meet CCPA compliance requirements. Based on the nature of this beta Software for professional technical evaluation, CCPA applicability is disclaimed to the maximum extent permitted by law.

We do not sell personal information as defined under the CCPA.

If and to the extent CCPA does apply to you and to us, you may exercise your California privacy rights by contacting us at privacy@obra.dev, and we will handle your request in accordance with applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted at https://obra.dev/privacy with an updated "Last Updated" date.

For material changes, we will provide notice via email or prominent notice on the Service at least 14 days before the changes take effect.

Your continued use after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related inquiries or to exercise your rights:

Email: privacy@obra.dev

Alternate Contact: If you are unable to reach us by email, you may send written correspondence to the address registered with the Delaware Secretary of State for Unpossible Creations, Inc.

Data Controller: Unpossible Creations, Inc.

We will respond to inquiries within 30 days, or such shorter period as required by applicable law.

15. Additional Information

15.1 Cookies

The obra.dev website may use cookies for:

  • Session management
  • Authentication
  • Analytics (if enabled)

You can control cookies through your browser settings.

The Service may contain links to third-party websites. We are not responsible for their privacy practices.