OpenGoose · Legal
Privacy Policy
How we collect, use, share, and protect your information.
This Privacy Policy explains how GooseMind LLC ("OpenGoose," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use the OpenGoose applications, website, and services (the "Services"). It is part of, and incorporated into, our Terms of Service.
- You control your content. We host and sync it to run the Services, and we do not use it to train AI models.
- AI features work by sending your inputs to third-party AI providers (for example, the providers of Claude, GPT, Gemini, Grok, DeepSeek, Kimi, or Qwen, and an image model for image generation) so they can generate responses. We tell you which providers are involved, and you consent when you use an AI feature.
- We earn from subscriptions — not from your data. We do not sell your personal information or share it for cross-context behavioral advertising.
- You can access, export, or delete your data, including deleting your account from within the app.
Contents
- Scope & who we are
- Information we collect
- How we collect it
- How we use information
- Legal bases (EEA/UK)
- AI processing & model providers
- How we share information
- Memory & public sharing
- Cookies & similar technologies
- International data transfers
- Data retention
- Security
- Your rights & choices
- EEA & UK (GDPR)
- California (CCPA/CPRA)
- China (PIPL)
- Other regions
- Children's privacy
- Automated decision-making
- Data breach notification
- Changes to this Policy
- Contact us
1. Scope & Who We Are
This Policy applies to personal information we process in connection with the Services across all platforms (macOS, iOS, Windows, Linux, Android, and web). The controller responsible for your information (the "business" under U.S. state laws, or "personal information handler" under the PIPL) is GooseMind LLC, San Jose, California, USA. For BYOK usage (Section 6), when you use your own model-provider keys, that provider is an independent controller of the data you send to it. This Policy does not cover third-party services you separately access, which are governed by their own policies.
2. Information We Collect
We collect the following categories of personal information, depending on how you use the Services:
| Category | Examples |
|---|---|
| Account & identity | Email address, display name, authentication credentials (managed by our authentication provider), and, for OAuth sign-in, basic profile data from the provider you choose. |
| User content | The content you create or submit through the Services: chat prompts and conversations, files and images you attach, images generated for you, and any information you ask the assistant to remember ("memory"). |
| Usage & log data | Feature usage, model selections, credit/usage consumption, timestamps, diagnostic and crash logs, and performance metrics. |
| Device & technical | Device type, operating system and version, app version, language and locale, IP address, approximate location inferred from IP (e.g., country/region), and device or other identifiers. |
| Payment & transaction | Subscription plan, purchase history, and billing status. Card details are collected and processed by our payment processor (Stripe) or the Apple App Store / Google Play; we do not store full card numbers. |
| Communications & support | Messages you send us, support requests, and your marketing-communication preferences. |
| Cookies & local storage | Cookies, local storage, and similar technologies used for authentication, preferences, and (where enabled) analytics — see Section 9. |
Sensitive information. You may choose to include sensitive information in your prompts or files. We process such content to provide the Services at your direction, but do not seek it out or use it to infer characteristics about you for our own purposes. Please avoid submitting sensitive information you do not want processed to deliver a feature.
3. How We Collect It
We collect information: (a) directly from you, when you register, use the Services, create Content, subscribe, or contact us; (b) automatically, through your use of the Services (usage, log, device, and cookie data); and (c) from third parties, such as authentication/OAuth providers when you sign in, and payment processors and app stores when you subscribe.
4. How We Use Information
- Provide the Services — create and manage your account, deliver chat, image generation, and memory, and synchronize your conversations and settings across your devices;
- Deliver AI features — transmit your inputs and necessary context to model providers to generate AI Output at your direction (Section 6);
- Process payments — manage subscriptions, billing, usage allowances, and receipts;
- Maintain safety & security — authenticate users, prevent fraud and abuse, enforce our Terms, review reported content, and protect our users and Services;
- Support & communicate — respond to you, send service and transactional messages, and — with your consent where required — send product updates and marketing;
- Improve the Services — understand usage and diagnose problems, using aggregated or de-identified data where feasible. We do not use your User Content or AI Output to train AI models; and
- Comply with law — meet legal obligations and respond to lawful requests, and establish, exercise, or defend legal claims.
5. Legal Bases for Processing (EEA/UK)
If you are in the European Economic Area (EEA) or the United Kingdom, we rely on these legal bases under the GDPR / UK GDPR:
- Performance of a contract — to provide the Services you request, including account, AI features, sync, and billing (Art. 6(1)(b)).
- Legitimate interests — to secure, maintain, and improve the Services, prevent abuse, and communicate with you, where not overridden by your rights (Art. 6(1)(f)).
- Consent — for optional cookies/analytics, marketing, and any processing that requires consent; you may withdraw consent at any time (Art. 6(1)(a)).
- Legal obligation — to comply with applicable law (Art. 6(1)(c)).
Where you include special-category data in your Content, we process it based on your explicit consent or because you have manifestly made it public through the way you use the Services, as applicable.
6. AI Processing & Third-Party Model Providers
Cloud Service (routed by OpenGoose). When you use an AI model through our Cloud Service, we transmit your inputs and the context needed to fulfill your request (which may include prior messages in the conversation, attached files, or memory you have enabled) to the applicable model provider, receive the AI Output, and return it to you. We select providers and use their services under terms that do not use submitted data to train their models by default, and we do not use your Content to train our own or others' models.
BYOK (your own keys). When you configure your own model-provider credentials, your inputs are sent directly to the provider you selected, under your own account and that provider's terms and privacy policy. In that case, the provider is an independent controller of the data you send, and its handling is governed by your agreement with it, not this Policy.
Model providers. Depending on the model you choose, providers may include Anthropic (Claude), OpenAI (GPT), Google (Gemini), xAI (Grok, and image generation), DeepSeek, Moonshot AI (Kimi), and Alibaba Cloud (Qwen). These providers may process data outside your country (Section 10). We may also reach model providers through a cloud model-hosting platform.
Image generation. When you generate an image, your prompt (and any input image) is sent to the applicable image provider to produce the result, which is stored with your conversation and synced to your devices.
Memory. If you enable memory, information you ask the assistant to remember is stored to personalize future responses and may be sent as context to model providers when relevant. You can review and delete memory where the Services provide those controls.
7. How We Share Information
We share personal information only as described here. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
- Service providers / sub-processors — vendors that process data on our behalf to run the Services, under contracts limiting their use of the data (see the table below).
- AI model providers — as described in Section 6, to deliver AI features at your direction.
- At your direction — publicly, when you create a share link (Section 8).
- Legal, safety & rights — when we believe disclosure is reasonably necessary to comply with law or lawful requests, enforce our Terms, or protect the rights, safety, or property of our users, the public, or us.
- Business transfers — in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to this Policy or a successor policy.
- With your consent — for any other purpose disclosed to you.
Key sub-processors and service providers:
| Provider | Purpose |
|---|---|
| Supabase | Authentication and managed database (account and application data). |
| Cloudflare (R2 & edge) | Object storage for files and generated images; content delivery and security. |
| Stripe | Payment processing and subscription management (web/desktop). |
| Apple App Store / Google Play | In-app purchases, subscriptions, and billing on mobile. |
| AI model providers | Generating AI Output — Anthropic, OpenAI, Google, xAI, DeepSeek, Moonshot AI, and Alibaba Cloud, depending on the model you select. |
| Cloud hosting / infrastructure | Running the backend servers and processing requests, using reputable cloud infrastructure providers located primarily in the United States. |
8. Memory & Public Sharing
Memory. See Section 6. Memory is optional and can be reviewed and deleted where the Services provide those controls.
Public sharing. When you create a share link, a read-only snapshot of the selected conversation, including attachments and generated images, is copied to public storage and made accessible to anyone with the link, without sign-in, until you revoke it. Do not share content containing personal or confidential information you are not authorized to disclose. After you revoke a link, we disable access and remove the public copy, but content already viewed, cached, indexed, or copied by others may persist beyond our control.
9. Cookies & Similar Technologies
On our website and in web-based parts of the Services, we and our providers use cookies, local storage, and similar technologies for: (a) strictly necessary purposes such as authentication, security, and session management; (b) preferences such as language; and (c) where enabled, analytics to understand usage. You can control non-essential cookies through your browser settings (and our cookie controls where provided); blocking some cookies may affect functionality. Where required, we obtain consent for non-essential cookies.
10. International Data Transfers
We and our providers may process and store personal information in countries other than your own, including the United States and other countries where our infrastructure and model providers operate, which may have different data-protection laws. Where we transfer personal information from the EEA, the UK, or other regions with transfer restrictions, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or an applicable adequacy decision. You may request information about these safeguards using the contact details in Section 22.
11. Data Retention
We retain personal information for as long as needed to provide the Services and for the purposes in this Policy, and thereafter as necessary to comply with legal obligations, resolve disputes, and enforce our agreements. In general: your account and User Content are retained while your account is active; when you delete Content or your account, we delete or de-identify the associated personal information within 30 days, except for limited data retained in backups (overwritten on a rolling basis and retained no longer than 90 days) or as required by law. Diagnostic and log data are generally retained for up to 12 months.
12. Security
We use technical and organizational measures designed to protect personal information, including encryption in transit (TLS), encryption at rest provided by our infrastructure providers, access controls and least-privilege practices, and authentication managed by our identity provider. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; you are responsible for keeping your credentials and devices secure.
We are exploring end-to-end encryption for certain features in the future. Unless and until a feature is expressly described in-product as end-to-end encrypted, you should not assume it is; we do not currently represent that the Services provide end-to-end encryption.
13. Your Rights & Choices
Subject to your location and applicable law, you may have rights to access, correct, delete, and port your personal information, and to object to or restrict certain processing or withdraw consent. You can exercise many of these directly in the Services:
- Access & export — view and export much of your Content within the app.
- Correct — update your profile and account settings.
- Delete — delete individual Content, or delete your entire account (Settings), which initiates deletion of your personal data.
- Marketing — opt out at any time via the unsubscribe link or your settings; we will still send necessary service messages.
To make a request or ask a question, contact privacy@opengoose.ai. We will respond within the timeframe required by applicable law and may need to verify your identity. You will not be discriminated against for exercising your rights, and you may use an authorized agent where the law allows. If you are unsatisfied, you may have the right to complain to your data-protection authority (see Sections 14–16).
14. EEA & UK (GDPR / UK GDPR)
If you are in the EEA or the UK, you have the rights described in Section 13 (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent), and the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office). Our legal bases are in Section 5 and international transfers in Section 10. For any of these rights, or to reach our data-protection contact, email privacy@opengoose.ai.
15. California (CCPA/CPRA)
This section applies to California residents. In the past 12 months, we collected the categories in Section 2, which map to these CCPA categories: identifiers; customer records; commercial information; internet or other electronic network activity; approximate geolocation; audio/visual or similar information (content you provide); and inferences. We collect it from the sources in Section 3, for the business purposes in Section 4, and disclose it to the categories of recipients in Section 7.
No sale or sharing. We do not "sell" personal information and do not "share" it for cross-context behavioral advertising, as defined under the CPRA. We do not knowingly sell or share the personal information of consumers under 16.
Sensitive personal information. To the extent your Content includes sensitive personal information, we use it only to provide the Services you request and for other purposes permitted without a right to limit; we do not use it to infer characteristics about you.
Your rights. You have the right to know/access, delete, and correct your personal information, and to be free from discrimination for exercising these rights. To exercise them, contact privacy@opengoose.ai or use the in-app tools. We will verify your request; authorized agents may submit requests with proper authorization. Under California's "Shine the Light" law, we do not disclose personal information to third parties for their own direct-marketing purposes.
16. China (PIPL)
If you are in mainland China, we process your personal information in accordance with the Personal Information Protection Law (PIPL), based on your consent and the other bases the PIPL permits (such as necessity to perform a contract to which you are a party). Where we rely on consent you may withdraw it, and for certain processing — including sensitive personal information and cross-border transfers — we obtain your separate consent where required.
Cross-border transfers. Providing the Services, including AI features, requires transferring your personal information outside mainland China to our servers and to model providers. Before such transfers, we will, as required, inform you of the overseas recipient's identity, contact details, processing purposes and methods, and the categories of personal information involved, obtain your separate consent, and put in place a lawful transfer mechanism (such as a security assessment, standard contract, or certification).
You have rights to access, copy, correct, delete, and port your personal information, to withdraw consent, and to request an explanation of our processing rules. Contact privacy@opengoose.ai.
17. Other Regions
Residents of other jurisdictions (for example, other U.S. states, Brazil, Canada, and Australia) may have rights under their local laws, such as to access, correct, delete, or port personal information, or to object to certain processing. We honor applicable rights; contact privacy@opengoose.ai to make a request.
18. Children's Privacy
The Services are not directed to children, and we do not knowingly collect personal information from children under 13 (or under 14 in mainland China), or, where a higher age of digital consent applies, from those below that age without appropriate parental or guardian consent. If you believe a child has provided us personal information without proper consent, contact privacy@opengoose.ai and we will take steps to delete it.
19. Automated Decision-Making
We do not use your personal information to make decisions producing legal or similarly significant effects about you solely by automated means without human involvement. AI Output is a tool you direct and evaluate; we do not use it to make such decisions about you.
20. Data Breach Notification
If we become aware of a personal-data breach likely to affect you, we will notify you and the relevant authorities as required by applicable law, and take steps to mitigate the incident.
21. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will post the updated Policy with a new "last updated" date and, where appropriate, provide additional notice (such as in-app or email). Your continued use of the Services after changes take effect indicates your acknowledgment of the updated Policy, except where your consent is required by law.
22. Contact Us
For privacy questions or to exercise your rights, contact us at:
GooseMind LLC — Privacy
San Jose, California, USA
Privacy: privacy@opengoose.ai
General & support: support@opengoose.ai
If you are in the EEA or the UK and wish to contact us about your rights or our representative, email privacy@opengoose.ai.