OSP.net legal

Privacy Policy

Last updated: June 13, 2026

This Privacy Policy explains how Learning Science, Inc., 7027 West Broward Blvd, Plantation, FL 33317, which operates OSP.net (“OSP.net”, “we”), handles personal data when you use osp.net and the OSP.net service. We are a US-based service. Plain-language summary first: we store your account email, your agent’s configuration, your encrypted credentials, and your agent’s memory; your conversations flow to the model provider you chose with your own key and through the messaging channel you connected; we do not sell your data or use it to train AI models.

1. Data we store

• Account data: your email address (used for magic link sign-in and service notices) and Stripe customer/subscription identifiers. We never see or store your card number — payment data lives with Stripe.
• Tenant configuration: your agent’s name, its subdomain slug, instance status, plan/tier, chosen model provider and model id, and timestamps.
• Credentials (encrypted): the model API key and channel token you enter are stored encrypted at rest in Supabase Vault. They are write-only — never displayed back in the dashboard, never stored in plaintext database columns, and injected into your agent’s container only when it starts.
• Agent memory volume: each instance has a private storage volume holding the agent’s memory, conversation sessions, files, and learned skills. Its contents are whatever you and your agent put there — treat it as your data; we treat it that way too (see Section 4).
• Support messages: if you contact support we keep your name, email, message, and the sending IP address (used for abuse rate-limiting).
• Operational logs: standard service logs and provisioning/billing event records (including Stripe webhook event ids). We work to keep secrets and message content out of logs.

2. Where your data flows (third parties)

The Service is assembled from a small set of infrastructure providers (our subprocessors, listed with the most detail in the DPA) plus services you choose to connect:

• Your model provider (your choice — Anthropic, OpenRouter, Groq, Ollama, etc.): every message your agent processes, plus relevant memory/context, is sent to this provider’s API using your key, under your agreement and privacy terms with them. Check your provider’s data-retention and training policies — they, not we, control that processing.
• Telegram (or other channels you connect): messages to and from your agent travel through the channel’s platform under its own privacy policy, using your bot token.
• Stripe: payments, subscription state, invoices, and (if enabled) tax calculation.
• Supabase: our database, authentication, encrypted secrets vault, and serverless functions (hosted on AWS, us-east-1).
• DigitalOcean: the servers and container registry your agent instance runs on (US data centers).
• Resend: transactional email delivery (magic links, service notices).
• Cloudflare: DNS for osp.net and its subdomains.

We do not sell personal data and we do not share it with advertisers. We may disclose data if required by law, to protect the Service or others, or in a merger/acquisition (with notice).

3. How we use data

To provide and operate the Service (provisioning, running, and supporting your agent); to bill you; to send transactional email (sign-in links, receipts via Stripe, payment-failure and service notices); to prevent abuse and enforce rate limits; to debug and improve the Service; and to comply with law. We do not use the contents of your agent’s memory or conversations to train AI models, and we do not read them except as needed to operate, secure, or support the Service at your request.

4. Isolation and security

• Each customer’s instance runs in its own container on its own private network segment; tenant containers cannot reach each other, and no inbound ports are exposed.
• Database access is enforced with row-level security: your account can only read its own records.
• Credentials are encrypted at rest (Supabase Vault) and injected at container runtime only — never baked into images or written to configuration files on disk in plaintext.
• All traffic to osp.net and your agent’s subdomain is served over HTTPS/TLS.

No system is perfectly secure; if we learn of a breach affecting your personal data we will notify you without undue delay (see DPA §7).

5. Retention and deletion

• While subscribed: your agent’s memory volume persists for the life of the instance — including across our software upgrades (that persistence is the product).
• After cancellation: your instance is suspended at period end, not deleted; the volume is retained so you can resubscribe and resume. If you want it gone sooner, ask support for deletion.
• Trials: expired trial instances are reclaimed and their data may be deleted shortly after expiry.
• Account closure: on a closure request we delete your tenant configuration, Vault-stored credentials, and memory volume within 30 days, except records we must keep for legal, billing, or security purposes (e.g. invoices in Stripe, abuse rate-limit ledgers).
• Backups: volume snapshots taken for upgrade safety and disaster recovery age out on a rolling basis after the live copy is deleted.

6. Your rights and choices

You can read and change your tenant configuration in the dashboard, replace your credentials at any time (or revoke them directly at your provider), cancel via the billing portal, and request access to, export of, or deletion of your data via support. Depending on where you live (e.g. California, the EEA/UK) you may have statutory rights to access, correct, delete, or port personal data, and to object to or restrict certain processing — we honor verified requests regardless of residence. We do not discriminate against you for exercising privacy rights.

7. International transfers

We operate from the United States and our subprocessors store data in US regions. If you use the Service from outside the US, your data is transferred to and processed in the US. For customers requiring EU/UK transfer terms, the DPA addresses Standard Contractual Clauses (pending counsel review).

8. Children

The Service is not directed to children and may not be used by anyone under 18. We do not knowingly collect data from children.

9. Changes and contact

We will post updates here and, for material changes, notify you by email or dashboard notice. Questions or requests: osp.net/support or Learning Science, Inc., 7027 West Broward Blvd, Plantation, FL 33317.