Privacy Notice

Owlog provides construction procurement and delivery tracking software for teams that manage purchase orders, delivery notes, receipts, vendors, projects, and related review workflows.

Owlog is the service name used in this notice. The counsel-review details above identify the current notice email and the legal details that should be finalized before launch or in a customer agreement.

Owlog is designed around organization-scoped access, but the service does not operate as a zero-internal-access system. Access may occur in these contexts:

• Customer workspace owners, administrators, and invited users may access the projects, orders, vendors, documents, assistant history, and settings allowed by their roles.
• Authorized Owlog personnel and service operations may access customer content when needed for support, security, reliability, billing, abuse prevention, legal obligations, or product operation.
• Platform administration is currently supported by environment-backed controls and server-only service-role workflows for storage, background jobs, billing/admin, OCR, attachment, and maintenance operations.
• Subprocessors may process customer content and technical data when their services are used to provide authentication, storage, billing, email, diagnostics, hosting, AI, OCR, embeddings, or related infrastructure.

The information Owlog handles depends on how your organization uses the product. It may include:

• Account, authentication, organization, membership, invite, role, and project-access data.
• Contact-form details such as name, email address, company, team size, and submitted use case.
• Workspace data such as projects, vendors, orders, order items, deliveries, delivery items, final receipts, receipt items, price variances, item matches, and review status.
• Uploaded documents and derived data, including PDFs, images, spreadsheets, Word documents, filenames, storage paths, OCR results, extracted rows, line items, confidence signals, and reconciliation snapshots.
• Assistant and knowledge-base data such as chat sessions, messages, prompts, responses, attachments, knowledge documents, chunks, embeddings, and tool-audit events.
• Billing and operational data such as plan, subscription, checkout, portal, metering, usage, provider-cost, webhook, audit, and activity records.
• Technical data such as cookies, IP-derived rate-limit buckets, request metadata, security reports, logs, diagnostics, and error telemetry.

Owlog uses data to operate, secure, support, and improve the service. Common uses include:

• Providing account access, organization membership, project visibility, role-based permissions, and audit history.
• Uploading, storing, previewing, extracting, reviewing, matching, and reconciling construction documents.
• Powering order ledgers, vendor risk signals, dashboards, exports, assistant answers, and knowledge search.
• Managing billing, subscriptions, usage limits, trials, checkout sessions, invoices, and customer portal access.
• Responding to contact requests, support questions, operational incidents, and product feedback.
• Detecting abuse, enforcing rate limits, investigating errors, maintaining reliability, and protecting the service.

When your team uses OCR, assistant, document-search, extraction, reconciliation, or knowledge-base features, relevant files, text, prompts, generated outputs, and metadata may be processed by AI and infrastructure providers to complete the requested action.

Observed product integrations include OpenAI, Mistral AI, and Voyage AI. This notice does not make model-training, provider-retention, deletion, or international-transfer commitments that require separate legal or provider review.

Different Owlog features store data in different places, and some external processing is temporary or cleanup-dependent.

• Supabase database and storage hold account-linked workspace records, uploaded documents, derived rows, audit/activity data, usage events, and private files.
• OpenAI Files and vector stores may hold uploaded attachments, extracted text, and vector-search artifacts for assistant and file-search workflows.
• Mistral AI may temporarily receive source files for OCR and extraction, with deletion handled through best-effort cleanup paths.
• Voyage AI receives text for embedding generation; resulting embeddings and related chunks can be stored in Owlog workspace infrastructure.

Owlog uses logs and diagnostics to operate, troubleshoot, secure, and improve the service. These records can include sensitive business context even when personal-data capture is limited.

• OCR and upload diagnostics may include filenames, file type, file size, job identifiers, organization identifiers, status, timing, and error context.
• Assistant and tool telemetry may include query hashes, bounded query prefixes, selected tool names, execution status, timing, and related workspace context.
• Sentry may receive errors, traces, diagnostic extras, and replay-on-error telemetry in production to investigate failures.
• Security and reliability telemetry may include CSP reports, request metadata, IP-derived rate-limit identifiers, abuse-prevention signals, and cron or webhook execution results.

Owlog uses third-party providers to run the service. The exact provider list may change as the product evolves. Current codebase integrations include:

• Clerk for authentication and session management.
• Supabase for database, storage, and row-level access control infrastructure.
• Polar for billing, subscriptions, checkout, customer portal, and metered usage events.
• Resend for contact and support email delivery.
• Upstash Redis for rate limiting and short-lived caches.
• Sentry for diagnostics, error reporting, traces, and replay-on-error telemetry.
• OpenAI for assistant, vector search, document attachment, and tool-backed answer workflows.
• Mistral AI and Voyage AI for OCR, extraction, and embedding workflows.
• Vercel or comparable hosting infrastructure for application hosting, cron jobs, routing, and security headers.

Owlog uses cookies and similar browser storage primarily to operate the service, remember preferences, and support security. The current codebase does not show advertising or third-party marketing-cookie flows.

• Authentication and session cookies are used by Clerk and the application to keep signed-in users connected to the right workspace.
• The `owlog_locale` cookie stores language preference for English and Turkish pages.
• The `owlog_provisioned` cookie helps the app avoid repeated membership-resolution work after a user is provisioned.
• Dashboard UI state, security reports, rate-limit checks, and diagnostic telemetry may use cookies, request headers, or technical metadata to keep the product reliable.

Owlog keeps data for as long as needed to provide the service, support customer workflows, meet operational or legal needs, enforce billing and usage limits, and maintain security. Product records may remain until an organization deletes them, the account is closed, or a configured cleanup process applies.

Configured cleanup paths currently include activity-log cleanup after about 1 year, usage-event cleanup after about 6 months, empty chat draft cleanup after about 24 hours, draft sessions with attachments after about 7 days, and soft-deleted chat attachments after about 1 hour. External provider deletion and storage cleanup are handled through best-effort workflows and can depend on provider availability.

The service uses access controls, organization-scoped storage paths, signed URLs, audit logs, security headers, cron bearer checks, export sanitization, rate limiting, and diagnostics configured to reduce unnecessary personal-data capture. Some controls are deployment-dependent: CSP may run in report-only mode unless enforcement is enabled, and rate limits may fail open unless a route explicitly requires enforcement.

Depending on your location, role, the nature of your organization, and the capacity in which Owlog processes the data, you may have privacy rights under laws such as GDPR / UK GDPR, CCPA/CPRA, or KVKK. These rights apply where the relevant law applies; this notice does not state that every regime applies to every user or workspace.

Send requests to hello@owlog.io. Owlog may need to verify your identity, confirm your organization, request enough detail to locate the relevant workspace data, and coordinate with the customer workspace owner or administrator before taking action.

• GDPR / UK GDPR-style rights may include access, correction, deletion, restriction, objection, portability, withdrawal of consent where consent applies, and complaint rights with a supervisory authority.
• CCPA/CPRA-style rights may include knowing categories of personal information collected, requesting access or deletion, correcting inaccurate information, and limiting certain uses or disclosures where applicable.
• KVKK-style rights may include learning whether personal data is processed, requesting information, correction, deletion or destruction where applicable, and learning recipients or purposes of transfer.
• Owlog will frame responses in context, including whether Owlog is acting for a customer organization, whether the request concerns workspace data controlled by that customer, and whether legal exceptions or verification requirements apply.

Send privacy questions or requests to hello@owlog.io. To protect workspace data, Owlog may ask for information needed to verify your identity, confirm your organization, and route the request to the appropriate workspace owner or administrator.