1. Who we are
OpenLeash is operated by Delori AB, a company registered in Sweden. Delori AB is the data controller for the personal data processed through the OpenLeash website, mobile application, and cloud services (collectively, the "Service").
For privacy inquiries, contact us at privacy@openleash.ai.
2. Data we collect
2.1 Account information
When you create an account we collect your email address and, if provided, your display name. If you sign in through a third-party identity provider (e.g., Google, Apple, or Swedish BankID), we receive the profile information that provider shares with us.
2.2 Device and app data
We may collect the following from your device:
- Device identifiers — anonymous IDs used to associate push-notification tokens with your account.
- Push-notification tokens — Firebase Cloud Messaging (FCM) tokens, used solely to deliver notifications you have enabled.
- Crash and performance data — stack traces, device model, OS version, and app version, collected through Sentry to diagnose errors and improve reliability.
2.3 Biometric and identity-verification data
If you use identity-verification features (e.g., Swedish BankID), biometric processing happens entirely on your device or within the identity provider's infrastructure. We receive only the verification result and your national identity number where required by the verification flow. We do not store biometric templates.
2.4 Camera
The app may request camera access to scan QR codes (e.g., for BankID or device pairing). Images captured for scanning are processed locally on your device and are not transmitted to our servers.
2.5 Usage and analytics data
We may collect anonymized usage statistics such as feature usage frequency, session duration, and navigation patterns to improve the Service. This data cannot be used to identify you.
2.6 Authorization and audit data
When the Service evaluates authorization requests on your behalf, we log the decision (allow, deny, require approval, etc.), the resource and action involved, and a timestamp. These audit records are retained for security and compliance purposes.
3. How we use your data
We process your personal data for the following purposes:
- Provide the Service — authenticate your identity, evaluate authorization policies, and deliver notifications.
- Security — detect and prevent fraud, abuse, and unauthorized access through audit logs and cryptographic proof tokens.
- Improve reliability — diagnose crashes and performance issues using error-reporting tools.
- Communicate with you — send transactional messages such as approval requests, security alerts, and account-related notices.
4. Legal basis for processing (GDPR)
Under the EU General Data Protection Regulation (GDPR), we rely on the following legal bases:
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, and service improvement, balanced against your rights.
- Consent (Art. 6(1)(a)) — where required, for example for optional analytics or marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — where we are required to retain data by law.
5. Third-party services
We use the following third-party processors to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Google Cloud (Firebase Auth, Firestore, Cloud Run) | Authentication, data storage, hosting | Account info, application data |
| Firebase Cloud Messaging (FCM) | Push notifications | Device tokens, notification content |
| Sentry | Error and crash reporting | Crash data, device info, app version |
All processors are bound by data-processing agreements and process data only on our instructions. Google Cloud infrastructure for the Service is located in the EU.
6. International data transfers
We store and process data primarily within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., Sentry's infrastructure), we ensure adequate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.
7. Data retention
- Account data — retained for as long as your account is active. Deleted within 30 days of account deletion.
- Audit logs — retained for up to 12 months for security and compliance, then permanently deleted.
- Crash reports — retained for up to 90 days.
- Push-notification tokens — deleted when you sign out, uninstall the app, or delete your account.
8. Your rights
Under GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request that we limit processing of your data.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email privacy@openleash.ai. We will respond within 30 days.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority.
9. Account deletion
You can delete your account at any time from within the app under Settings → Account → Delete account, or by visiting our account deletion page. You may also request deletion by emailing privacy@openleash.ai.
When you delete your account, we permanently remove your personal data within 30 days. Anonymized audit records that can no longer be linked to you may be retained for security purposes.
10. Children's privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@openleash.ai and we will delete it promptly.
11. Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest, cryptographic proof tokens (PASETO v4.public), Ed25519 request signing, and role-based access controls.
12. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated through the app or by email. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
If you have questions about this privacy policy or how we handle your data, contact us at:
Delori AB
Email: privacy@openleash.ai