Privacy Policy
Effective Date: 30 May 2026 Last Updated: 30 May 2026
Plain-Language Summary (non-binding). This summary is provided for convenience only and does not form part of, modify, or limit the binding policy set out below. In short: OwlMeans Software JDG operates owlmeans.com and the OwlMeans Platform, an artificial-intelligence service that transforms your user stories into software applications that you own. This Policy explains the categories of information we collect (including account information, usage information, and the prompts and project data you submit to the Platform), the purposes and legal bases for which we process it, the limited and named set of processors with whom we share it, how we transfer it internationally, and the rights available to you under the General Data Protection Regulation and Polish data-protection law, as well as under the United Kingdom General Data Protection Regulation and United States privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act. We do not sell your personal information, and we do not use your private project data to train general-purpose artificial-intelligence models. Where this summary and the binding text below differ, the binding text governs.
1. Introduction and Scope
1.1. This Privacy Policy (this “Policy”) describes the manner in which OwlMeans Software JDG (full name: Igor Tkachenko OwlMeans Software JDG), a sole proprietorship (jednoosobowa działalność gospodarcza) established under the laws of the Republic of Poland, holding tax identification number (NIP) 6772507251 and statistical number (REGON) 527979906, having its registered address at ul. Ariańska 9/5, 31-505 Kraków, Poland (“OwlMeans”, the “Company”, “we”, “us”, or “our”), collects, uses, discloses, retains, transfers, and otherwise processes information, including Personal Data, in connection with your access to and use of the website located at owlmeans.com and the OwlMeans Platform, together with all related products, features, content, and services (collectively, the “Service”).
1.2. This Policy forms part of, and should be read together with, our Terms and Conditions and our Cookie Policy. Capitalized terms used but not defined in this Policy shall have the meanings ascribed to them in the Terms and Conditions.
1.3. By accessing or using the Service, you acknowledge that you have read and understood this Policy. Where required by Applicable Law, we will obtain your consent to specific processing activities as described herein.
2. Roles of the Parties
2.1. For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, the “EU GDPR”), as applied together with the Polish Act of 10 May 2018 on the Protection of Personal Data, and the United Kingdom General Data Protection Regulation (the “UK GDPR”; together with the EU GDPR, the “GDPR”), OwlMeans acts as the Data Controller in respect of the Personal Data processed pursuant to this Policy, save where this Policy expressly states otherwise.
2.2. For the purposes of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA/CPRA”), OwlMeans acts as a “Business”.
2.3. Where OwlMeans processes Personal Data contained within a Customer’s Project Data on behalf of and under the instructions of the Customer, OwlMeans may act as a Processor (or “Service Provider” under the CCPA/CPRA) in respect of such Personal Data, in which case the relevant provisions of the Terms and Conditions and any applicable data-processing terms shall govern.
3. Definitions
3.1. “Personal Data” or “Personal Information” means any information that relates to an identified or identifiable natural person, or that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, in each case as such terms are defined under Applicable Law.
3.2. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.
3.3. “Processor”, “Sub-Processor”, and “Service Provider” each mean a natural or legal person that processes Personal Data on behalf of, and in accordance with the instructions of, OwlMeans.
3.4. “Project Data” means the prompts, user stories, specifications, configurations, source code, AI Output, and other content and data that you submit to, create within, or generate by means of the Platform, together with the operational metadata associated therewith.
3.5. “Usage Data” means information collected automatically through your use of the Service or generated by the infrastructure of the Service.
4. Categories of Information We Collect
4.1. Information You Provide to Us. We collect Personal Data that you provide directly, including: (a) account information, such as your name and business email address, and, where applicable, your telephone number, company name, and billing address; (b) payment information, which is collected and processed by our payment processor (Stripe), it being understood that we do not collect or store full payment-card numbers; and (c) communications, being the contents of any messages, inquiries, or other communications you direct to our support, sales, or other functions.
4.2. Information Collected Automatically. When you access or use the Service, we and our Processors automatically collect Usage Data, including your Internet Protocol (IP) address, browser type and version, device type and identifiers, operating system, the pages and content you view, referring and exit pages, the dates and times of your access, and other diagnostic data. Such information is collected by means of cookies and similar technologies, as further described in our Cookie Policy.
4.3. Project Data. In the course of your use of the Platform, we process the Project Data you submit or generate, together with operational metadata such as application-programming-interface calls, credit usage, and build and deployment events.
4.4. No Special-Category Data. The Service is not designed or intended for the submission of special categories of Personal Data (as described in Article 9 of the GDPR), such as data concerning health, biometric data, or data revealing racial or ethnic origin, nor for the submission of government identification numbers. You agree not to submit such data to the Platform.
5. How and Why We Process Personal Data; Legal Bases
5.1. We process Personal Data for the purposes, and on the legal bases under the GDPR, set forth in the following table:
| Purpose of Processing | Legal Basis (GDPR Article 6) |
|---|---|
| To provide, operate, maintain, and secure the Service and to administer your Account | Performance of a contract (Art. 6(1)(b)) |
| To generate AI Output from your inputs by transmitting them to our AI Sub-Processor | Performance of a contract (Art. 6(1)(b)) |
| To process payments and administer billing | Performance of a contract (Art. 6(1)(b)); compliance with a legal obligation (Art. 6(1)(c)) |
| To prevent, detect, and investigate fraud, abuse, security incidents, and other unlawful activity | Legitimate interests (Art. 6(1)(f)); compliance with a legal obligation (Art. 6(1)(c)) |
| To analyze and improve the Service and to develop new features | Legitimate interests (Art. 6(1)(f)); consent where required for cookies (Art. 6(1)(a)) |
| To communicate with you regarding the Service, including service and security notices | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
| To send marketing communications regarding similar services | Consent (Art. 6(1)(a)), or legitimate interests where permitted (Art. 6(1)(f)), in each case subject to your right to opt out |
| To comply with Applicable Law and to respond to lawful requests from public authorities | Compliance with a legal obligation (Art. 6(1)(c)) |
| To effect a merger, acquisition, financing, reorganization, or other business transfer | Legitimate interests (Art. 6(1)(f)) |
5.2. Where we rely upon our legitimate interests as a legal basis, we have undertaken a balancing assessment to ensure that such interests are not overridden by your interests or fundamental rights and freedoms. We will provide further information regarding such assessment upon request.
5.3. Where we rely upon your consent, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.
6. Artificial-Intelligence Processing
6.1. The Platform generates software by means of large language models. In order to provide this functionality, your inputs (including prompts, user stories, and project context) and related Project Data are transmitted to our artificial-intelligence Sub-Processor, Anthropic, PBC (the Claude application-programming interface), for processing, and the resulting output is returned to you through the Platform. Such transmission is undertaken on a pass-through basis solely to provide the Service you have requested.
6.2. We do not use your private Project Data to train, develop, or improve general-purpose artificial-intelligence models for the benefit of other customers. Anthropic processes such inputs pursuant to its own commercial terms and, in its default configuration applicable to such processing, does not use such inputs to train its models.
6.3. To the extent that we use anonymized or aggregated data derived from use of the Service to improve the Service, such data is processed in a manner that does not reasonably permit your re-identification.
7. Hosting of Generated Projects
7.1. Projects generated by means of the Platform are executed within isolated, Kubernetes-native development environments operated by OwlMeans on its cloud infrastructure, the delivery and security of which are facilitated by Cloudflare, Inc. You retain control of your Project Data and may request its export. Upon termination of a project or Account, the associated environments are decommissioned and the associated data is deleted in accordance with Section 10.
8. Disclosure of Personal Data; Sub-Processors
8.1. Sub-Processors. We engage the following categories of Sub-Processors, each of which is bound by a written data-processing agreement requiring it to implement appropriate safeguards and to process Personal Data only as necessary to perform its services to us:
| Sub-Processor | Purpose | Category |
|---|---|---|
| Anthropic, PBC (Claude API) | Artificial-intelligence processing of inputs and Project Data to generate AI Output | AI processing |
| Google LLC (Google Analytics) | Measurement and analysis of website and Service usage | Analytics |
| Google LLC (Google Tag Manager) | Management of measurement and analytics tags | Analytics and measurement |
| Functional Software, Inc. (Sentry) | Error monitoring, issue tracking, and diagnostics | Diagnostics |
| Stripe, Inc. | Processing of payments and administration of billing | Payments |
| Cloudflare, Inc. | Content-delivery network, distributed-denial-of-service mitigation, and network security | Infrastructure and security |
8.2. Other Disclosures. We may also disclose Personal Data: (a) to our Affiliates, in which case such Affiliates shall be bound by terms consistent with this Policy; (b) in connection with, or during negotiations of, any merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, in which case we will provide notice before Personal Data becomes subject to a different privacy policy; (c) to comply with Applicable Law, legal process, or a lawful request by a governmental or regulatory authority; and (d) where we believe in good faith that disclosure is necessary to protect our rights or property, to enforce our agreements, to prevent or investigate possible wrongdoing, to protect the personal safety of users or the public, or to protect against legal liability.
8.3. No Sale or Sharing. We do not sell your Personal Information, and we do not share your Personal Information for purposes of cross-context behavioral advertising, in each case as those terms are defined under the CCPA/CPRA. We have not sold or shared Personal Information in the preceding twelve (12) months.
9. International Transfers of Personal Data
9.1. We are established in Poland, within the European Union, and the Personal Data we process is, as a rule, processed within the European Economic Area. However, certain of our Sub-Processors (as identified in Section 8) operate, or process Personal Data, in the United States and in other jurisdictions outside the European Economic Area, the data-protection laws of which may differ from those of your jurisdiction. Accordingly, your Personal Data may be transferred to, stored in, and otherwise processed in such jurisdictions.
9.2. Where we transfer Personal Data out of the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that has not been the subject of an adequacy decision, we implement appropriate safeguards as required under Applicable Law, including, as applicable: (a) the Standard Contractual Clauses approved by the European Commission (Module Two: Controller to Processor); (b) the International Data Transfer Addendum issued by the United Kingdom Information Commissioner; and (c) the Swiss addendum adapted to the revised Federal Act on Data Protection. You may request a copy of the relevant safeguards by contacting us as set forth in Section 16.
10. Data Retention
10.1. We retain Personal Data only for so long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required under Applicable Law.
10.2. Without limiting the generality of the foregoing: (a) account data is retained for the duration of your Account and for a reasonable period thereafter; (b) Project Data is retained until you delete it or close your Account, following which the associated environments are decommissioned and the data is deleted, subject to short-lived backups retained for a period not generally exceeding ninety (90) days; (c) Usage Data and diagnostic data are retained for a shorter period appropriate to security and improvement purposes; and (d) Personal Data subject to a legal hold or to a retention obligation under Applicable Law is retained until the relevant obligation lapses.
11. Information Security
11.1. We implement and maintain commercially reasonable technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including encryption in transit, access controls, and the use of isolated environments. Notwithstanding the foregoing, no method of transmission over the internet or method of electronic storage is wholly secure, and we cannot and do not guarantee the absolute security of Personal Data.
12. Your Rights Under the GDPR
12.1. If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, subject to the conditions and exceptions set forth under Applicable Law: (a) the right of access to your Personal Data; (b) the right to rectification of inaccurate or incomplete Personal Data; (c) the right to erasure (“right to be forgotten”); (d) the right to restriction of processing; (e) the right to data portability; (f) the right to object to processing, including processing carried out on the basis of our legitimate interests and processing for direct-marketing purposes; and (g) the right to withdraw consent at any time where processing is based upon consent.
12.2. You may exercise these rights by contacting us as set forth in Section 16. We may request information reasonably necessary to verify your identity prior to responding. We will respond to your request within the period required under Applicable Law.
12.3. You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of an alleged infringement, if you consider that the processing of your Personal Data infringes the GDPR. As we are established in Poland, our lead supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, “UODO”), ul. Stawki 2, 00-193 Warszawa, Poland.
13. Your Rights Under United States Privacy Laws (CCPA/CPRA and Other States)
13.1. California Residents. If you are a resident of the State of California, you have the following rights under the CCPA/CPRA: (a) the right to know the categories and specific pieces of Personal Information we have collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties to whom it is disclosed; (b) the right to delete Personal Information, subject to certain exceptions; (c) the right to correct inaccurate Personal Information; (d) the right to opt out of the sale or sharing of Personal Information, it being understood that we do not sell or share Personal Information; (e) the right to limit the use and disclosure of sensitive Personal Information, it being understood that we do not use or disclose sensitive Personal Information for purposes that would give rise to such a right; and (f) the right to be free from discrimination for exercising any of the foregoing rights.
13.2. Categories of Personal Information. Within the preceding twelve (12) months, we have collected the following categories of Personal Information, as defined under the CCPA/CPRA: identifiers; information described in subdivision (e) of California Civil Code Section 1798.80 (customer records); commercial information; and internet or other electronic network activity information. We collect such information from you directly, automatically through your use of the Service, and from our Service Providers, and we use it for the business and commercial purposes described in Section 5.
13.3. Exercising Your Rights. You may exercise your rights by contacting us as set forth in Section 16. We will respond to verifiable consumer requests within the period required under the CCPA/CPRA (generally forty-five (45) days, extendable once by an additional forty-five (45) days where reasonably necessary and upon notice to you). You may use an authorized agent to submit a request on your behalf, provided that such agent furnishes proof of authorization.
13.4. Residents of Other States. Residents of Virginia, Colorado, Connecticut, Utah, and other states that have enacted comprehensive consumer-privacy legislation may have analogous rights, including rights of access, correction, deletion, portability, and opt-out, and may exercise such rights by contacting us as set forth in Section 16.
13.5. “Do Not Track.” The Service does not currently respond to “Do Not Track” signals transmitted by web browsers. You may, however, manage cookies and similar technologies as described in our Cookie Policy.
14. Children’s Privacy
14.1. The Service is not directed to, and is not intended for use by, children under the age of sixteen (16) years, and we do not knowingly collect Personal Data from such children. If you believe that a child has provided us with Personal Data, please contact us as set forth in Section 16, and we will take reasonable steps to delete such information.
15. Third-Party Links
15.1. The Service may contain links to third-party websites, applications, or services that are not operated or controlled by us. This Policy does not apply to such third-party properties, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third party before providing it with your Personal Data.
16. Changes to This Policy; Contact
16.1. Changes. We may amend this Policy from time to time by posting the amended Policy on the Website and updating the “Last Updated” date set forth above. We will provide notice of any material change by reasonable means, which may include email or a prominent notice within the Service, prior to the change taking effect where required under Applicable Law.
16.2. Contact and Supervisory Authority. Questions, requests, or complaints regarding this Policy or our processing of Personal Data may be directed to: OwlMeans Software JDG, ul. Ariańska 9/5, 31-505 Kraków, Poland; email: support@owlmeans.com. As we are established within the European Union, no representative under Article 27 of the GDPR is required. You may also contact our lead supervisory authority, the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, “UODO”), ul. Stawki 2, 00-193 Warszawa, Poland.
See also: Cookie Policy · Terms & Conditions · Platform Subscription Agreement · Services Terms