1. Who we are
Octopus Labs LLC (“the lab,” “we,” “us”) is an independent research practice operating from the United States. We build and operate the products in the Octopus Labs ecosystem, including Museweaver and BrainWeaver, and we publish research at Octopus Signal Lab.
For privacy-related questions, contact us at privacy@octosignal.org (or via the Contact page).
2. What we collect
We collect only what we need to operate the products and serve you.
Account data:
- Your name and email address (for account creation and contact)
- A password hash (for authentication, never stored in plain text)
- Your patron status and any patronage transaction records
Product data:
- Conversations, projects, rooms, notes, and other content you create within Museweaver or BrainWeaver
- Settings and preferences you configure
- Your API keys (encrypted at rest, never exposed in the client or in logs)
Technical data:
- IP address and basic device/browser information (for security and abuse prevention)
- Usage telemetry (which pages you visit, errors you encounter) for operational purposes only
Contact submissions:
- Information you submit through the Contact form (name, email, subject, message)
3. What we don't collect
- We don't track you across other sites.
- We don't sell ads.
- We don't use third-party analytics that build profiles of you (no Google Analytics on patron-only pages; basic privacy-respecting analytics may be used on public landing pages).
- We don't train AI models on your conversations or content.
- We don't share your data with, or sell it to, third parties.
- We don't read your individual conversations or content as the lab. The AI Members read what you write to them; the lab as an organization does not access patron content.
4. How we use what we collect
We use the data we collect only for:
- Operating the products (running your account, serving your conversations, sending the Members your messages via their providers)
- Communicating with you about the products (transactional emails, important notices, your direct inquiries)
- Improving the products (aggregated usage patterns, never tied to individual patrons)
- Preventing fraud, abuse, and security incidents
- Complying with legal obligations
5. Where your data lives
Primary storage: Supabase (a managed Postgres provider) on US infrastructure.
Sovereignty tiers within Museweaver give you granular control: Tier-1 (local-only, on your device), Tier-2 (synced to your cloud mirror, the default), Tier-3 (may be referenced anonymously in research observations with your consent).
Self-hosted option (shipping in v1.5): Patrons will be able to run Museweaver on their own infrastructure for full local control.
6. Third-party services we use
To operate the products, we use:
- Supabase - database, auth, storage
- Stripe - patronage payments
- Vercel - hosting
- AI providers (Anthropic, OpenAI, Google, xAI) - when you bring your own key (BYOK), your API calls go to these providers under their terms. We don't intercept or modify those calls beyond routing them.
- Email service (TBD: Resend / Postmark / similar) - transactional emails only
Each of these has its own privacy practices. We choose providers that align with our values, but we can't control their internal processes.
7. Your rights
Regardless of where you live, you can:
- Access what we've stored about you (request through Contact)
- Correct anything that's inaccurate
- Delete your data (account deletion removes all your data within 30 days, except where retained for legal compliance)
- Export your data in standard formats
- Restrict or object to certain processing
- Withdraw consent for anything you've previously consented to
If you're in the EU/UK (GDPR): You also have the right to lodge a complaint with your local data protection authority. Our lawful bases for processing are: contract (operating your account), legitimate interest (security, operations, improvement), and consent (for optional processing like research observations).
If you're in California (CCPA): You have the additional right to know what categories of personal information we've collected, sold, or disclosed. We don't sell personal information.
8. Data retention
- Active account data: Kept while your account is active.
- Deleted account data: Removed within 30 days, except payment records (retained 7 years for tax compliance) and security logs (retained 1 year).
- Contact submissions: Kept for 2 years for support continuity, then deleted.
- Marketing/research consent records: Kept for as long as you've consented, plus a record of withdrawal.
9. Security
We use industry-standard practices: encryption at rest and in transit, encrypted credential storage, regular security review, audit logging on access to patron data. No system is perfectly secure, but we take this seriously. If we ever experience a breach affecting your data, we'll notify you within 72 hours of discovery, as required by law.
10. Children
The products are not intended for anyone under 16. We don't knowingly collect data from minors. If you believe a minor has created an account, contact us and we'll delete it.
11. International transfers
Our infrastructure is primarily in the United States. If you're outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (for EU/UK transfers) where required.
12. Changes to this policy
We'll update this page if our practices change. Material changes will be announced via email to active patrons and posted at the top of this page for at least 30 days. The “Last updated” date at the top of the page reflects the most recent revision.
13. Contact
Privacy questions or requests: contact@octosignal.org or octosignal.org/contact