Privacy Policy

Last Updated: May 26, 2026

Effective Date: May 26, 2026

Version: 2.0

What Changed in This Version

This version reflects two scan passes conducted on May 26, 2026. The first (midday) confirmed that the prior tracking stack (Google Analytics, RB2B, Factors.ai, LiveRamp, Tapad) was fully removed and Cookiebot was installed. The second (22:34 UTC) found that Google Tag Manager (GTM) and Google Ads conversion tracking went live between the two runs — material new additions not covered in earlier drafts.

This version discloses: Cloudflare infrastructure cookies, Cookiebot consent management, Google Tag Manager (loads unconditionally for Consent Mode v2 delivery), Google Ads Click Linker (_gcl_ls, consent-gated), Google reCAPTCHA on forms, and cookies set by embedded Vimeo videos (portfolio pages) and GitHub Gists (blog pages).

At a Glance

  • We use Google Tag Manager (GTM) to load and coordinate site technologies. GTM loads unconditionally to deliver Google Consent Mode v2 signals before any tag fires.
  • Google Ads conversion tracking (_gcl_ls) is enabled and is consent-gated — it activates only after you accept Marketing cookies. We do not sell your personal information.
  • We do not share your personal information for cross-context behavioral advertising. We do not use behavioral analytics platforms (Google Analytics / GA4 is not currently configured in GTM).
  • We use a Cookiebot consent management platform — non-essential cookies require your consent before they load.
  • We use Google reCAPTCHA on contact and newsletter forms for spam prevention. reCAPTCHA shares interaction signals with Google.
  • Embedded Vimeo videos (portfolio pages) and embedded GitHub Gists (blog pages) set third-party cookies when you consent to those categories.
  • We honor the Global Privacy Control (GPC) browser signal.
  • You have rights to access, correct, delete, and port your information. Section 11 explains how.

This summary does not replace the full policy below.

1. Who We Are and Scope of This Policy

This policy is issued by Ovyl, LLC, a Delaware limited liability company with its principal office in Nashville, Tennessee ("Ovyl," "we," "us," or "our"). Ovyl is a holistic product design and en gineering studio.

This policy applies to information collected through ovyl.io and its subdomains (the "Website"). It does not apply to:

  • Personal data processed under our client engagement agreements (governed by separate Data Processing Agreements);
  • Personal data of Ovyl employees and job candidates (governed by separate HR notices);
  • Third-party websites we link to but do not operate.

1.1 Data Controller

Ovyl, LLC
1101 Kermit Dr, Suite 715
Nashville, TN 37217
United States
privacy@ovyl.io

Forvisitors in the European Economic Area or the United Kingdom, we arethe data controller under GDPR and UK GDPR. See Section 16 for region-specific information.

1.2 Contact for Privacy Matters

Email: privacy@ovyl.io
Mail: 1101 Kermit Dr, Suite 715, Nashville, TN 37217, United States

2. Information WeCollect

We collect information in two ways: (a) directly from you when you provide it; and (b) automatically in limited ways when you use the Website.

2.1 Information You Provide

When you contact us through a form, email, or phone on the Website, you provide:

Google Ads conversion tracking is configured in GTM. When you accept Marketing cookies, the Google Ads Click Linker (_gcl_ls) activates in your browser's local storage to attribute ad clicks to site conversions.

  • Identifiers — name, work email address, telephone number, employer name, job title
  • Communication content — the contents of your inquiry.

When you subscribe to our newsletter, you provide your email address.

2.2 Information Collected Automatically

When you visit the Website, the following limited information is collected automatically:

  • Server logs — IP address, browser type and version, operating system, referring URL, pages viewed, and time of visit, captured in Webflow and Cloudflare server access logs;
  • Approximate geolocation — city or region derived from IP address by Cloudflare's edge network;
  • reCAPTCHA interaction signals — when you submit a contact or newsletter form, Google reCAPTCHA processes interaction signals (mouse movements, timing, browser fingerprint) to assess whether the submission is human. See Section 4.3.

We use Google Tag Manager to load and manage site technologies. GTM loads on every page before consent is obtained, as required to deliver Google Consent Mode v2 signals to Google before any tag fires. This contacts www.googletagmanager.com on page load and constitutes a transfer of your IP address to Google for script delivery purposes.

We do not use behavioral analytics platforms. Google Analytics 4 (GA4) is not currently configured in the GTM container — no _ga or _ga_* cookies are set. If GA4 is activated in the future, this policy will be updated before activation.

2.3 Information from Embedded Third-Party Content

When you visit pages containing embedded Vimeo videos (portfolio/work pages) or embedded GitHub Gists (blog pages) and consent to the relevant cookie categories, those third parties may collect information about your interaction with the embedded content. See Section 4 for details.

2.4 Categories under California Law

For California residents, categories of personal information collected during the past 12 months:

CCPA Category Examples Collected?
(A) Identifiers IP address, cookie IDs (Cloudflare, Cookiebot), email from forms Yes
(B) Customer records (Cal. Civ. Code §1798.80) Name, email, phone from contact forms Yes — forms only
(C) Protected classification characteristics Not collected No
(D) Commercial information Records of services inquired about Yes — forms only
(E) Biometric information Not collected No
(F) Internet activity Server log data; Vimeo interaction data on portfolio pages (consent-gated) Limited
(G) Geolocation (precise) Not collected. Approximate city/region from IP only. No (precise)
(H) Sensory data Not collected No
(I) Professional information Employer, title from contact forms Yes — forms only
(J) Education information Not collected No
(K) Inferences Not generated — no behavioral analytics platform deployed. Google Ads click attribution via _gcl_ls is consent-gated and processed by Google. Limited (consent-gated)
(L) Sensitive personal information See Section 2.5 See 2.5

2.5 Sensitive Personal Information

We do not collect sensitive personal information through the Website. reCAPTCHA processes browser interaction signals for spam prevention, which may incidentally include device characteristics, but we do not retain or use this data for any purpose other than form security, and it is processed by Google as an independent controller.

3. How We UseInformation

Purpose GDPR Legal Basis
Operate, maintain, and secure the Website Legitimate interests (Art. 6(1)(f))
Respond to inquiries submitted through forms or email Pre-contractual measures (Art. 6(1)(b)) or legitimate interests
Newsletter distribution (email subscribers) Consent (Art. 6(1)(a)) — you may unsubscribe at any time
Prevent spam and abuse on contact and newsletter forms — Google reCAPTCHA Legitimate interests (Art. 6(1)(f)) — security and integrity of our systems
Deliver site technologies via Google Tag Manager (loads unconditionally for Consent Mode v2) Legitimate interests (Art. 6(1)(f)) — required for consent signal delivery before any tag fires
Conversion tracking — Google Ads Click Linker (_gcl_ls) — activated only after Marketing consent Consent (Art. 6(1)(a))
Serve embedded video content — Vimeo (portfolio pages) Legitimate interests / consent (Art. 6(1)(a)/(f)) — consent required for Statistics and Marketing cookies
Display embedded code samples — GitHub Gist (blog pages) Legitimate interests (Art. 6(1)(f)); consent for Statistics cookies
Comply with legal obligations Legal obligation (Art. 6(1)(c))
Establish, exercise, or defend legal claims Legitimate interests (Art. 6(1)(f))

4. Cookies and Tracking Technologies

4.1 What Cookies Are

A cookie is a small data file stored in your browser. We also use related technologies including HTML local storage, IndexedDB, and session storage. We refer to all of these collectively as "cookies" in this policy.

4.2 Consent Management — Cookiebot

We use Cookiebot by Usercentrics as our consent management platform (CMP). On your first visit, Cookiebot presents an Accept All / Reject All / Customize choice. You may change your preferences at any time via the "Cookie Settings" link in the Website footer. Your consent choice is stored in the CookieConsent cookie for 12 months.

Non-essential cookies (Statistics and Marketing categories) are blocked until you give consent. Note: As of this policy date, Cookiebot is configured to block these categories — however, certain Vimeo cookies on portfolio pages require Cookiebot's tag-blocking feature to be enabled site-wide to ensure full enforcement on those subpages. This is an open configuration item (see Pre-Publication Checklist).

When we detect a Global Privacy Control (GPC) browser signal, we treat it as a "Do Not Sell or Share" preference on record and suppress any marketing cookie categories accordingly.

4.3 Full Cookie Inventory — May 26, 2026

This inventory reflects a Cookiebot scan conducted May 26, 2026. It covers all pages including portfolio and blog subpages.

Strictly Necessary** — *No consent required. These cookies enable core site functions.

Cookie Provider Type Duration Purpose
_cfuvid ovyl.io (Cloudflare) HTTP Session Cloudflare bot management and rate limiting on the Ovyl origin server
cf.turnstile.u challenges.cloudflare.com HTML Persistent Cloudflare Turnstile anti-bot challenge on newsletter signup form
CookieConsent ovyl.io (Cookiebot) HTTP 1 year Stores your cookie consent choices for ovyl.io

Google Tag Manager** — *Loads unconditionally on every page (Legitimate Interests — Consent Mode v2 delivery).

www.googletagmanager.com/gtag/js loads on every page of ovyl.io before any user consent is obtained. This is required to deliver Google Consent Mode v2 signals to Google before any tag fires — the technical mechanism by which Cookiebot can instruct GTM to block or allow Analytics and Advertising tags. Loading the GTM script contacts Google's servers and involves your IP address being processed by Google for script delivery. GTM does not set a cookie or collect personal data beyond this script-delivery transfer. All tags within the GTM container that require consent (Statistics, Marketing) are gated by Cookiebot consent signals.

Google reCAPTCHA** — *Treated as Strictly Necessary / Legitimate Interests for form security.

Google reCAPTCHA (www.google.com/recaptcha, www.gstatic.com/recaptcha) loads on every page of ovyl.io. reCAPTCHA evaluates interaction signals (mouse movements, timing, browser characteristics) to distinguish human users from bots when contact and newsletter forms are submitted. It does not set a cookie visible in document.cookie but may set cookies under the google.com domain and shares interaction signals with Google LLC. Google processes this data as an independent controller under its own privacy policy. We rely on legitimate interests (form security and abuse prevention) as the legal basis for reCAPTCHA processing.

Statistics** — *Requires consent. Blocked until you accept the Statistics category.

Cookie Provider Type Duration Purpose Blocked?
_octo github.com HTTP 1 year GitHub analytics — set when embedded GitHub Gist code samples load on blog pages Requires configuration fix
orionV3#identity vimeo.com IndexedDB Persistent Tracks interaction with embedded Vimeo video content on portfolio pages Requires configuration fix
vuid vimeo.com HTTP 2 years Records which Vimeo videos you have visited across the web Requires configuration fix

Marketing** — *Requires consent. Blocked until you accept the Marketing category.

Cookie Provider Type Duration Purpose Blocked?
_gcl_ls Google LLC (Google Ads) localStorage Persistent (session-scoped schema) Google Ads Click Linker — attributes ad clicks to site conversions; enables conversion measurement across Google Ads campaigns ✅ Blocked until Marketing consent given
LOCAL_STORAGE_ID_PICOX_ID vimeocdn.com HTML Persistent Tracks interaction with embedded Vimeo content for advertising purposes Requires configuration fix
LOCAL_STORAGE_ID_VIMEO_PLAYER vimeocdn.com HTML Persistent Tracks Vimeo player state for advertising purposes Requires configuration fix
picox#events vimeo.com IndexedDB Persistent Records interaction events with embedded Vimeo content Requires configuration fix
PLAYER_PICOX_SAMPLING_SEED vimeocdn.com HTML Persistent Vimeo audience sampling for advertising Requires configuration fix

Third-party embed cookies — appear only on specific subpages

The following cookies are set by embedded third-party content, not by Ovyl directly. They appear on the subpages noted and not on the main homepage.

Cookie Provider Type Duration Page Context Purpose
__cf_bm vimeo.com HTTP 1 day Portfolio pages with embedded video Cloudflare bot management on Vimeo's CDN
_cfuvid vimeo.com HTTP Session Portfolio pages with embedded video Cloudflare rate limiting on Vimeo's servers
_gh_sess gist.github.com HTTP Session Blog pages with embedded Gist GitHub session state — set when Gist code samples load
logged_in github.com HTTP 1 year Blog pages with embedded Gist GitHub login state — set when Gist code samples load

4.4 Your Cookie Choices

Cookiebot banner. On first visit and at any time via "Cookie Settings" in the Website footer: Accept All, Reject All, or customize by category. Rejecting Statistics blocks _octo, orionV3#identity, and vuid. Rejecting Marketing blocks all four Vimeo CDN marketing cookies.

Global Privacy Control (GPC). A GPC signal in your browser is honored as a Do Not Sell or Share preference. Marketing cookies are suppressed when GPC is detected.

Browser controls. All major browsers allow you to block or delete cookies and clear local storage / IndexedDB. Note that some Vimeo storage (IndexedDB, HTML localStorage) is not cleared by standard cookie deletion — use your browser's "Clear site data" option for complete removal.

Vimeo opt-out. Vimeo provides a privacy opt-out at vimeo.com/privacy. You may also enable "Do Not Track" in your browser, which Vimeo honors for its own tracking.

GitHub opt-out. GitHub's privacy choices are at github.com/settings/privacy (requires GitHub account) or github.com/contact/privacy.

reCAPTCHA. reCAPTCHA is required for form submission security. If you are concerned about Google processing, the alternative is to contact us directly at privacy@ovyl.io rather than using the website forms.

5. How We Share Information

We disclose information only in the circumstances described below.

5.1 Third-Party Technology Partners

The following third parties receive information through the technologies described in Section 4. Where noted, they act as independent data controllers subject to their own privacy policies.

Partner Data Received Purpose Role Location
Cloudflare, Inc. IP address, request headers, browser characteristics CDN, DDoS protection, bot management (Turnstile) Processor (under DPA) US / Global
Google LLC IP address (script delivery) Google Tag Manager script delivery (loads unconditionally for Consent Mode v2) Independent controller United States
Google LLC Interaction signals, browser characteristics, IP reCAPTCHA spam prevention Independent controller United States
Google LLC Click and conversion data (consent-gated) Google Ads conversion tracking — _gcl_ls activates only after Marketing consent Independent controller United States
Vimeo, Inc. IP address, browser data, video interaction behavior Embedded video delivery and interaction tracking Independent controller United States
GitHub, Inc. IP address, browser data, GitHub login state Embedded Gist code sample delivery Independent controller United States (Ireland CDN)
Cookiebot / Usercentrics A/S Consent choices, IP address (anonymized), browser type Consent management and audit log Processor (under DPA) Denmark / EU
Webflow, Inc. Web traffic, form submissions Website hosting and infrastructure Processor (under DPA) United States
HubSpot, Inc. Contact form submissions CRM and lead management Processor (under DPA) United States / EU

5.2 Legal and Compliance

We may disclose information when required by law, lawful court order, or governmental request; to enforce our terms; or to protect the rights, property, or safety of Ovyl, our clients, or others.

5.3 Business Transactions

In the event of a merger, acquisition, financing, or sale of all or part of our business, information may be transferred to the counterparty subject to confidentiality protections and continued application of equivalent protections.

5.4 With Your Consent

We share information for any other purpose only with your explicit consent.

6. Sale and Sharing Disclosure

We do not sell your personal information for monetary or other valuable consideration. We have not sold personal information of any consumer in the preceding 12 months.

We do not share your personal information for cross-context behavioral advertising as that term is defined in Cal. Civ. Code §1798.140(ah). We do not operate advertising networks or syndicate your data to marketing platforms.

Vimeo embedded content. When you consent to the Marketing cookie category, Vimeo may use the cookies it sets (described in Section 4.3) for its own advertising across the Vimeo network. This is Vimeo's own data collection, not a sale or share by Ovyl. You may prevent this by declining the Marketing category in our Cookiebot banner, or by opting out directly with Vimeo.

Notwithstanding the above, you may register a "Do Not Sell or Share" preference at any time by:

  • Selecting Reject All or disabling Marketing in our "Cookie Settings" footer link;
  • Setting the Global Privacy Control (GPC) signal in your browser;
  • Emailing privacy@ovyl.io with subject: "Do Not Sell or Share."

We do not knowingly sell or share personal information of consumers under 16.

7. International Data Transfers

Our Website and primary operations are in the United States. If you visit from the European Economic Area, the United Kingdom, or another jurisdiction with cross-border transfer requirements, your information may be transferred to and processed in the United States.

7.1 Transfer Mechanisms — EU/EEA

For transfers of personal data from the EEA to the United States, we rely on the following mechanisms:

Recipient Transfer Mechanism
Cloudflare, Inc. Standard Contractual Clauses (SCCs) — cloudflare.com/cloudflare-customer-dpa/
Google LLC (reCAPTCHA, Google Tag Manager, Google Ads) SCCs — business.safety.google/gdprcontrollerterms/
Vimeo, Inc. SCCs — vimeo.com/privacy/controller-addendum
GitHub, Inc. SCCs — github.com/site/privacy (GitHub processes EU data in Ireland under SCC framework)
Webflow, Inc. SCCs — webflow.com/legal/dpa
HubSpot, Inc. SCCs + UK Addendum — legal.hubspot.com/dpa
Cookiebot / Usercentrics A/S Processed within EU (Denmark) — no cross-border transfer to US

All transfers are supplemented by TLS 1.2+ encryption in transit.

7.2 Transfer Mechanisms — United Kingdom

For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with the UK Addendum, as published by each partner above.

Vimeo and Cloudflare Turnstile transfer destinations are flagged as "Unknown (not adequate)" in the Cookiebot scan report — this reflects those vendors' CDN routing, which may use edge nodes globally. We rely on SCCs with each vendor to cover transfers through those edge nodes.

7.3 Other Jurisdictions

For visitors from Canada, Brazil, Australia, Japan, South Korea, Singapore, and other jurisdictions with cross-border transfer rules, we rely on the legal mechanisms recognized by applicable law — typically contractual safeguards equivalent to SCCs — with each service provider.

8. Data Retention

Data Type Retention Rationale
Contact / inquiry form submissions Up to 7 years Sales-cycle and statute-of-limitations alignment
Newsletter subscriptions Until unsubscribe + 30 days Operational; 30-day grace period for re-subscribe
Server access logs (IP, referrer, user-agent) 90 days Security investigation and abuse prevention
Cloudflare bot-management data Per Cloudflare policy (typically 30 days) Controlled by Cloudflare
Cookiebot consent logs 3 years Audit trail for demonstrating valid consent
reCAPTCHA interaction signals Per Google policy Controlled by Google as independent controller
Google Ads click / conversion data (_gcl_ls) Per Google Ads policy (typically 540 days) Controlled by Google as independent controller; only collected after Marketing consent
Vimeo interaction data Per Vimeo policy Controlled by Vimeo as independent controller
GitHub Gist interaction data Per GitHub policy Controlled by GitHub as independent controller

9. Information Security

We maintain administrative, technical, and physical safeguards against unauthorized access, alteration, disclosure, or destruction — including TLS 1.2+ encryption in transit, Cloudflare DDoS protection, Cloudflare Turnstile and Google reCAPTCHA on forms, access controls, and regular security reviews.

If we become aware of a breach affecting your information, we will notify you and relevant supervisory authorities as required by applicable law and within required timeframes (72 hours under GDPR; as required under applicable US state breach notification laws).

10. Children's Privacy

The Website is intended for business audiences and is not directed to children under 16. We do not knowingly collect personal information from children under 16. Contact privacy@ovyl.io if you believe a child has provided us with information and we will delete it promptly.

11. Your Privacy Rights

Your rights depend on where you live.

Jurisdiction Rights Governing Law
California Know, access, delete, correct, portability, opt out of sale/sharing, limit use of sensitive PI, non-discrimination CCPA / CPRA
Virginia Access, delete, correct, portability, opt out of sale/targeted advertising/profiling, appeal VCDPA
Colorado Access, delete, correct, portability, opt out of sale/targeted advertising/profiling, appeal CPA
Connecticut Access, delete, correct, portability, opt out of sale/targeted advertising/profiling, appeal CTDPA
Texas Access, delete, correct, portability, opt out of sale/targeted advertising/profiling TDPSA
Tennessee Access, delete, correct, portability, opt out of sale/targeted advertising/profiling TIPPA
Florida Access, delete, correct, portability, opt out of sale/targeted advertising/profiling FDBR
Oregon Access, delete, correct, portability, opt out of sale/targeted advertising/profiling OCPA
Montana, Iowa, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Kentucky, Rhode Island Access, delete, correct, portability, opt out of sale/targeted advertising/profiling State-specific CDPA/equivalent
EU / EEA Access, rectification, erasure, restriction, portability, object, withdraw consent, lodge complaint GDPR Art. 15–22
United Kingdom Same as EU/EEA UK GDPR / DPA 2018
Canada Access, correction, withdrawal of consent PIPEDA; Quebec Law 25
Brazil Confirmation, access, correction, anonymization, portability, deletion, information on sharing, revoke consent LGPD Art. 18
Other jurisdictions Rights granted by your local law — contact us and we will respond consistently with applicable law Various

11.1 California (CCPA/CPRA)

California residents have the right to non-discrimination for exercising any privacy right. We will not deny services, charge different prices, or provide a different level of service because you exercised a right.

Because we do not sell or share personal information for cross-context behavioral advertising (Section 6), the "Do Not Sell or Share" link is not legally mandatory — but we provide an opt-out mechanism voluntarily and honor all requests. Because we do not collect or use sensitive personal information for advertising or profiling, the "Limit the Use of My Sensitive Personal Information" right has no practical application to our current data practices; we include it for completeness.

Authorized agents. California residents may designate an authorized agent. Written proof of authorization is required.

11.2 EU / UK

Right to object (Art. 21 GDPR). You may object to processing based on legitimate interests — including reCAPTCHA processing — by contacting privacy@ovyl.io with subject line "Right to Object." We will assess and respond within one month.

Right to withdraw consent. Withdraw cookie consent at any time via "Cookie Settings." Withdrawal does not affect the lawfulness of prior processing.

UK supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk

EU/EEA supervisory authority: The data protection authority in your member state of residence, place of work, or place of the alleged infringement.

11.3 Brazil (LGPD)

Brazilian data subjects may exercise rights under LGPD Art. 18 by contacting privacy@ovyl.io. We will respond within 15 days as required under LGPD.

11.4 GPC and Do Not Track

We honor the Global Privacy Control (GPC) browser signal as a Do Not Sell or Share preference (Section 4.2). We do not respond to the older Do Not Track (DNT) signal, which is a separate and non-standardized mechanism.

11.5 How to Exercise Your Rights

  • Email: privacy@ovyl.io — subject: "Privacy Request"
  • Mail: 1101 Kermit Dr, Suite 715, Nashville, TN 37217, United States
  • Cookie preferences: "Cookie Settings" link in the Website footer

Response times: 45 days for CCPA (one 45-day extension available); 30 days for most other US state laws; one month for GDPR/UK GDPR (up to two additional months for complex requests); 15 days for LGPD. Identity verification may be required. We do not require account creation.

Appeals. If we deny your request, you may appeal under applicable US state laws by resubmitting to the same contact with subject: "Privacy Appeal."

12. Automated Processing

We do not engage in automated decision-making that produces legal effects or similarly significant effects on you based on data collected through the Website.

Google reCAPTCHA performs automated assessment of form submissions to detect bots. This assessment is made by Google as an independent controller. We receive a pass/fail signal only and do not use it for any purpose beyond allowing or blocking a form submission. If reCAPTCHA incorrectly flags you as a bot, you may contact us directly at privacy@ovyl.io.

13. Third-Party Links and Services

The Website may contain links to third-party websites. This policy does not apply to those third parties. We encourage you to read their privacy notices.

14. Changes to This Policy

We update this policy when our practices change or when required by law. Material changes will be announced with a prominent notice on the Website at least 14 days before taking effect; where required by law, we will obtain renewed consent. The "Last Updated" date at the top reflects the most recent revision.

If we add new technologies — including analytics, advertising, or any non-essential tracking — we will update this policy and our Cookiebot configuration before those technologies are activated.

15. How to Contact Us

General privacy inquiries privacy@ovyl.io
Do Not Sell / Share requests privacy@ovyl.io — subject: "Do Not Sell or Share"
Right to Object privacy@ovyl.io — subject: "Right to Object"
GDPR / UK GDPR requests privacy@ovyl.io — subject: "Data Subject Request"
LGPD requests privacy@ovyl.io — subject: "LGPD Request"
Mailing address 1101 Kermit Dr, Suite 715, Nashville, TN 37217, United States
UK supervisory authority Information Commissioner's Office · ico.org.uk
EU supervisory authority Your local EU member state data protection authority
Brazil supervisory authority Autoridade Nacional de Proteção de Dados (ANPD) · gov.br/anpd

16. Region-Specific Notices

16.1 California Notice at Collection

This policy serves as our "Notice at Collection" under Cal. Civ. Code §1798.100. Categories of personal information collected are in Section 2.4. Purposes are in Section 3. We do not sell or share personal information for cross-context behavioral advertising. Retention periods are in Section 8.

16.2 EU / UK Specific Information

Legal bases for all processing are in Section 3. For non-essential cookies (Statistics and Marketing categories), the legal basis is consent (Art. 6(1)(a) GDPR), obtained through Cookiebot before those cookies load. For reCAPTCHA and Cloudflare, the legal basis is legitimate interests (form security and site integrity). International transfer mechanisms are in Section 7. You have the right to lodge a complaint with your local supervisory authority (Sections 11.2 and 15).

The .io top-level domain is global. Visitors from the EU and UK are fully protected by GDPR and UK GDPR. We do not rely on contractual waivers to exclude or limit your rights under EU or UK data protection law.

16.3 Brazil Specific Information

The processing described in this policy is carried out by Ovyl, LLC as the data controller (controlador) under LGPD. Personal data collected from Brazilian data subjects is transferred to the United States under contractual safeguards (Art. 33, LGPD). Brazilian data subjects may exercise rights under Art. 18 LGPD by contacting privacy@ovyl.io.

16.4 Canada Specific Information

We process personal information of Canadian residents in accordance with PIPEDA and, for Quebec residents, in accordance with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). Consent for non-essential cookies is obtained through Cookiebot. You may withdraw consent at any time via "Cookie Settings."

17. Definitions

Term Definition
Personal information / personal data Information that identifies, relates to, or could reasonably be linked to a particular consumer or household (CCPA/CPRA); information relating to an identified or identifiable natural person (GDPR/UK GDPR/LGPD).
Sale Disclosure of personal information to a third party for monetary or other valuable consideration. We do not sell.
Share Disclosure of personal information to a third party for cross-context behavioral advertising (Cal. Civ. Code §1798.140(ah)). We do not share.
Service provider / processor An entity processing personal information on our behalf under a written contract limiting use to specified purposes.
Independent controller A third party that determines its own purposes and means of processing. Google, Vimeo, and GitHub each act as independent controllers for data collected through their technologies on our Website.
Cookie A small data file stored in your browser. Includes localStorage, IndexedDB, sessionStorage, and pixels.
Consent management platform (CMP) A tool that presents cookie consent choices to visitors and enforces those choices by blocking non-essential technologies until consent is obtained. We use Cookiebot by Usercentrics.
Global Privacy Control (GPC) A browser-level signal communicating a consumer's opt-out of sale and sharing. We honor GPC wherever applicable law recognizes it.
Cross-context behavioral advertising Targeted advertising based on personal information from a consumer's activity across businesses or sites other than the one directly interacted with. We do not engage in this.

Questions? Contact privacy@ovyl.io.