OWL Privacy Policy
OWL is built around a simple promise: your files and messages are encrypted on your own device before they ever reach us, and our servers never hold the keys needed to read them. This policy explains, in plain language, exactly what we collect, what we can and cannot see, how long we keep it, and who else is involved.
Contents
- Scope
- Our zero-knowledge model
- Information we collect
- What our servers can & cannot see
- How we use information
- AI assistant (QUAIL)
- Third parties & sub-processors
- Google user data (Google API Services)
- Cookies, browser storage & tracking
- Password recovery & key escrow
- Data retention
- Security
- Your rights & choices
- Children
- International transfers
- Changes to this policy
- Contact
1. Scope
This policy covers the OWL File-Server service at ndevr.org and the OWL clients that connect to it — the NDEVR desktop and mobile apps, the OWL web client (file library, chat, account and admin pages), and the OWL command-line tools. It also covers the NDEVR product catalog, licensing/activation, and billing features that run on the same server.
It does not cover third-party services you choose to connect (for example your Dropbox, Microsoft OneDrive or Google Drive account, or a payment processor), which are governed by their own privacy policies.
2. Our zero-knowledge model
OWL is end-to-end encrypted and zero-knowledge for your content. In practice that means:
- Your password never leaves your device. When you sign in, your client derives a credential from your username and password locally and sends only that derived value; we never receive or store your actual password. We keep only a salted bcrypt hash of the derived credential.
- Your private key is encrypted with your password. Each account has an elliptic-curve (NIST P-256) key pair. The private key is wrapped with a key derived from your password before it is stored with us, so we hold it only in a form we cannot open.
- Your files are sealed before upload. File contents are compressed and encrypted with AES-256 on your device. We receive and store only the ciphertext. Per-file keys are themselves wrapped to your (and your collaborators') public keys using ECIES, so only the intended people can unwrap them.
- Your messages are end-to-end encrypted. OWL chat content is AES-256 encrypted under a per-conversation key that is wrapped to each member's public key. We store only the ciphertext and the wrapped keys, neither of which we can decrypt.
The cryptography is standard and identical across our desktop, web and command-line clients (P-256, AES-256, ECIES, SHA-256, bcrypt). Data is also protected in transit by TLS/HTTPS.
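The key hierarchy described above, modelled end to end as an added example that is not OWL's own code: it assumes HMAC-SHA256 in place of the page's bcrypt for password derivation and a SHA-256-hashed ECDH secret in place of a full ECIES KDF, and shows that the record a server would hold (credential hash, public key, password-wrapped private key, ECIES-wrapped file key, file ciphertext) cannot be opened without the password.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/ecdh"; "crypto/hmac"; "crypto/rand"; "crypto/sha256")

// ServerRecord is everything the server holds for one user and one file: no password, no plaintext, no openable key.
type ServerRecord struct{ Salt, CredHash, PubKey, WrappedPriv, WrappedFileKey, FileCT []byte }
// derive is an assumed stand-in for OWL's password KDFs (the page names bcrypt); distinct labels
// give an independent login credential and private-key wrapping key from the same password.
func derive(pw, salt []byte, label string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(label + ":"))
	m.Write(pw)
	return m.Sum(nil)
}
// AES-256-GCM helpers: random 12-byte nonce prepended to ciphertext||tag.
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte { n := random(12); return aead(key).Seal(n, n, pt, nil) }
func open(key, box []byte) ([]byte, error) { return aead(key).Open(nil, box[:12], box[12:], nil) }
// ECIES: wrap a symmetric key to a P-256 public key using an ephemeral ECDH shared secret hashed
// into a KEK (a full ECIES uses HKDF); output = ephemeral public key (65 bytes) || sealed key.
func eciesWrap(pub *ecdh.PublicKey, key []byte) []byte {
	eph, _ := ecdh.P256().GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(pub)
	kek := sha256.Sum256(shared)
	return append(eph.PublicKey().Bytes(), seal(kek[:], key)...)
}
func eciesUnwrap(priv *ecdh.PrivateKey, wrapped []byte) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(wrapped[:65])
	if err != nil { return nil, err }
	shared, _ := priv.ECDH(ephPub)
	kek := sha256.Sum256(shared)
	return open(kek[:], wrapped[65:])
}
// Register models the client side of account creation plus one file upload.
func Register(pw, file []byte) ServerRecord {
	salt, fileKey := random(16), random(32)
	priv, _ := ecdh.P256().GenerateKey(rand.Reader)
	cred := sha256.Sum256(derive(pw, salt, "login")) // the server stores only a hash of the sent credential
	return ServerRecord{salt, cred[:], priv.PublicKey().Bytes(), seal(derive(pw, salt, "wrap"), priv.Bytes()),
		eciesWrap(priv.PublicKey(), fileKey), seal(fileKey, file)}
}

// Decrypt is the client's path back to plaintext; a wrong password fails the GCM tag on the wrapped
// private key, so neither the file key nor the file can be opened from the record.
func Decrypt(pw []byte, r ServerRecord) ([]byte, error) {
	privBytes, err := open(derive(pw, r.Salt, "wrap"), r.WrappedPriv)
	if err != nil { return nil, err }
	priv, err := ecdh.P256().NewPrivateKey(privBytes)
	if err != nil { return nil, err }
	fileKey, err := eciesUnwrap(priv, r.WrappedFileKey)
	if err != nil { return nil, err }
	return open(fileKey, r.FileCT)
}
```

Sharing a file with a collaborator is the same eciesWrap call made with the collaborator's public key, adding one more wrapped copy of the file key to the record.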
3. Information we collect
Account information
- Username and email address (required); an optional phone number; an optional profile avatar image; and a flag for whether you have chosen to make your profile information public.
- Account timestamps (when the account was created), email-verification and approval status.
- The IP address recorded at registration.
Authentication & key material
- A salted bcrypt hash of the credential derived from your password (never the password itself).
- Your public key (stored in the clear, used to encrypt data to you) and your password-encrypted private key (which we cannot decrypt).
- If, and only if, you opt in to password recovery: a copy of your private key encrypted under a server-held escrow key — see §10.
- Web session tokens are stored only as SHA-256 hashes; verification and reset tokens are likewise stored hashed.
Your files and their metadata
- Encrypted file contents (ciphertext only) and prior versions.
- File/folder metadata we can read: name, MIME type, size, created/modified/accessed timestamps, folder hierarchy, and a small preview thumbnail.
- File access logs: read/write events with user (if any) and IP address.
Sharing
- Who owns each item and who it is shared with; permission levels and expiry dates.
- Share links: a bcrypt hash of any link password and an encrypted decrypt-password blob; the access token is stored hashed.
- Contacts you have shared with.
Messages (OWL chat)
- Encrypted message bodies and headers (ciphertext only) and per-member wrapped conversation keys.
- Metadata we can read: sender, timestamps, conversation membership and read/unread state.
Billing & payments
- We use third-party processors (Stripe and/or PayPal). Card entry happens on the processor's own hosted page — full card numbers never touch our servers or your browser's connection to us.
- We store: the processor's customer ID, a vaulted payment-method token, and masked display fields (card brand, last four digits, expiry month/year).
- A transaction ledger (amount, currency, status, failure reason if any) and subscription status/renewal information.
Licensing & activation
- Issued licenses bound to a username/email, the activation request and resulting activation file, and validity dates.
- For optional hardware-locked licenses, we record which constraints are enabled (e.g. CPU, drive, OS key, MAC address). The underlying hardware identifiers are checked on your device; we do not store the raw values.
Logs & technical data
- Request logs (IP address, method, path, status, timing) and protocol action logs.
- Failed-login records (IP, attempted username, reason) for brute-force protection.
- An administrative audit log of privileged actions, and system health metrics (CPU/memory/disk — no personal data).
Email & marketing preferences
- Subscription status and per-topic preferences (product updates, marketing, feedback, billing), with hashed confirm/unsubscribe tokens. Transactional emails (verification, password reset, receipts, unread-message digests if you enable them) are sent regardless of marketing preferences.
Connected cloud accounts (optional)
- If you import from Dropbox, OneDrive or Google Drive, the OAuth access tokens are encrypted on your device to your own public key before being stored. We hold them only as ciphertext we cannot decrypt, and only the files you explicitly select are imported.
4. What our servers can & cannot see
This is the heart of the design. Even with full database access, this is what the server operator can and cannot read:
| Data | Server can read it? |
|---|---|
| File contents | No — ciphertext only |
| Chat message bodies & headers | No — ciphertext only |
| Your private key | No — encrypted with your password |
| Per-file / per-conversation / folder keys | No — wrapped to public keys |
| Your password | No — never transmitted; bcrypt hash only |
| Connected cloud (Dropbox/OneDrive/Drive) tokens | No — encrypted to your key |
| Full payment card numbers | No — held by the payment processor |
| Username, email, phone, avatar | Yes |
| File / folder names, sizes, types, timestamps, structure | Yes |
| Who shares what with whom; permissions & expiries | Yes |
| Chat sender, timestamps, conversation membership | Yes |
| IP addresses and request/access logs | Yes |
| Billing metadata (masked card, amounts, status) | Yes |
5. How we use information
- To provide the service: store and sync your encrypted files, deliver encrypted messages, manage sharing, authenticate you, and issue/validate licenses.
- To bill you for paid products and subscriptions through our payment processors.
- To secure the service: detect and rate-limit abuse and brute-force attempts, and maintain audit logs.
- To communicate with you: transactional email (verification, resets, receipts, and unread-message digests if enabled) and, only with your consent, product or marketing updates.
- To operate and improve reliability using aggregate system metrics and usage counts.
We do not sell your personal information, and we do not use your file contents or message contents for advertising or model training.
6. AI assistant (QUAIL)
OWL offers optional AI-assisted features (the QUAIL chat assistant and AI-assisted modeling). When you use them, the content you submit is relayed by our server to an AI model to generate a response. Depending on the feature and our configuration at the time, that model may be one we host ourselves or one operated by a third-party AI provider; we may change providers as the service evolves.
The content sent to the AI model can include:
- Your prompts and the text of your request.
- Screenshots / images of your work. The AI-assisted modeling features capture rendered images of your current scene (or reference images you provide) and send them to the AI model so it can "see" what you are working on. If you do not want an image processed by an AI model, do not use the image-based AI features.
- We do not send your username, account identity, files, or email address along with the prompt or image.
- We record per-request usage counts (model name, token counts, status) tied to your account for billing and rate-limiting. We do not retain a copy of your prompts, images, or the AI's responses beyond what is needed to serve the request.
- No-training guarantee. We do not use, and we require any third-party AI provider we use not to use, your prompts or images to train AI models.
7. Third parties & sub-processors
We share the minimum necessary with the following providers, each only for the stated purpose:
| Provider | Purpose | What they receive |
|---|---|---|
| Amazon Web Services (Lightsail) | Server hosting | All data, as stored (encrypted content stays encrypted) |
| Third-party AI provider | AI assistant responses | Prompt text and any screenshots you submit (no account identity; no training use) |
| Stripe / PayPal | Payment processing | Name, email, card details you enter on their page |
| Dropbox / Microsoft / Google | Cloud import you initiate | OAuth consent & the files you select |
We send transactional and opt-in email (verification, password resets, receipts, and any digests you enable) from our own server; we do not route your email address or message content through a third-party email-delivery provider.
We may disclose information if required by law, to enforce our terms, or to protect the rights, safety and security of our users and service. Because content is end-to-end encrypted, a lawful request can compel only the metadata and ciphertext we actually hold — not the plaintext of your files or messages.
8. Google user data (Google API Services)
OWL offers an optional "Import from Google Drive" feature. You only ever interact with Google through OWL if you choose to connect your Google account and import files; if you never use it, OWL never requests, receives, or stores any Google user data. This section describes specifically how OWL accesses, uses, stores, shares, retains and deletes Google user data, and our use of it complies with the Google API Services User Data Policy, including the Limited Use requirements.
Data accessed
- Google Drive scope requested: https://www.googleapis.com/auth/drive.file only. This is Google's per-file (non-sensitive) scope: it grants OWL access only to the specific files and folders you explicitly select through the Google Picker. OWL cannot see, list, or access any other file in your Google Drive.
- What we receive for a selected item: its Drive file ID, name, MIME type, size, and the file's binary content (so it can be imported), plus a short-lived Google OAuth access token (and, if you allow offline access, a refresh token).
- OWL does not request access to your Google profile, name, email address, contacts, calendar, Gmail, photos, or any other Google data, and does not use Google Sign-In to create or log in to your OWL account.
How we use it
- The sole purpose is to import the files you select from Google Drive into your own OWL library at your request. The selected file content is downloaded, then encrypted on your device under your OWL key (AES-256), exactly like any other file you add to OWL.
- We do not use Google user data for advertising, and we do not use it to train, develop, or improve any AI / machine-learning models — neither ours nor any third party's.
How we share it
- OWL does not sell, rent, or transfer Google user data to any third party. We do not share it with data brokers, advertisers, or AI providers.
- Imported file content lives in your end-to-end-encrypted OWL library; it is shared with other people only if and when you choose to share that OWL item, on the same zero-knowledge terms as the rest of your OWL data (see §2).
- The OAuth token exchange happens directly between your browser/app and Google. Where a token must transit our server (token refresh on the legacy flow), it is handled only to complete the import you requested and is not retained in readable form (see below). Our underlying hosting provider (see §7) stores only the encrypted blobs.
How we store & protect it
- Tokens: any Google OAuth access/refresh token is encrypted on your device to your own OWL public key (ECIES) before it is stored, so we hold it only as ciphertext we cannot decrypt. Tokens are transmitted only over TLS/HTTPS.
- File content: imported files are encrypted with AES-256 on your device before upload; our servers store only ciphertext. The protections in §12 apply.
- We never write Google access tokens or selected file content to logs in readable form.
How long we keep it & how to delete it
- Tokens: the stored (encrypted) Google token persists only until you disconnect Google in OWL or revoke OWL's access from your Google Account permissions page; disconnecting deletes the stored token blob. We do not retain Google tokens beyond what is needed to perform the imports you initiate.
- Imported files: once imported, a file is a normal OWL item. It stays until you delete it (or close your OWL account), per the retention rules in §11 — it is your copy, decoupled from Google Drive.
- Revocation: revoking access at Google immediately stops OWL from being able to read anything new from your Drive. To delete already-imported copies, delete those items in OWL. To request deletion of any associated data, contact privacy@ndevr.org.
9. Cookies, browser storage & tracking
The OWL web client does not use advertising cookies, analytics trackers, tracking pixels, or third-party fonts/CDN trackers. We don't use Google Analytics or similar.
To run, the web client stores data locally in your browser:
- Session storage (cleared when the tab closes): your session token, your decrypted private/public keys for the session, and basic profile info, so you don't re-enter your password to view your own files.
- Local storage (persists, only if you choose "Keep me signed in"): the same session/key material, plus small preferences such as your light/dark theme choice and which product tours you've seen.
This data stays in your browser and is never sent to advertising or analytics platforms. Signing out, or clearing your browser storage, removes it. Because your keys can be cached in the browser, use "Keep me signed in" only on devices you trust.
10. Password recovery & key escrow
Normally, losing your password means losing access to your encrypted data — that is the cost of true zero-knowledge. To give you a choice, OWL offers an optional password-recovery feature.
- If you enable recovery, a copy of your private key is encrypted under a master escrow key that the server operator holds (as an authenticated AES-256-GCM blob), and stored with us. This lets us help you regain access if you forget your password, via an emailed, single-use, time-limited reset code.
- If you do not enable recovery (the default for maximum privacy), no recoverable copy of your key is stored, and no one — including us — can restore access if you lose your password.
- The escrow key only enables account/key recovery. On its own it does not grant the ability to read your files or messages, which still require the per-file and per-conversation keys.
- You can turn recovery on or off at any time in your account settings.
11. Data retention
- Account data, files and messages: kept until you delete them or close your account. Deleting your account removes your account record and cascades to your sessions, keys, files and conversation membership.
- Security & request logs: kept for a limited operational period for abuse prevention and troubleshooting, then rotated.
- Administrative audit logs and billing/transaction records: retained longer where needed for security, accounting and legal/tax obligations.
- Backups: encrypted content remains encrypted in backups; residual copies are purged on the normal backup cycle after deletion.
12. Security
Beyond end-to-end encryption, we apply defense-in-depth: TLS for all connections; bcrypt password hashing; authenticated encryption (AES-256-GCM) for escrowed keys; constant-time comparison and rate-limiting on authentication and password resets; hashed session and reset tokens; and audit logging of privileged actions. No system is perfectly secure, but our architecture is designed so that even a server breach does not expose the plaintext of your files or messages.
13. Your rights & choices
- Access & portability: you can view and download your files and data through the OWL clients at any time.
- Correction: update your email, phone, avatar and profile visibility in account settings.
- Deletion: delete individual files/messages, or close your account to remove your data as described in §11.
- Marketing: opt out of marketing email at any time via the unsubscribe link or your email preferences; transactional messages will still be sent.
- Recovery: enable or disable password-recovery escrow at will (§10).
- Connected apps: disconnect Dropbox/OneDrive/Google Drive to remove the stored (encrypted) tokens.
Depending on where you live, you may have additional rights (for example under the GDPR or CCPA) to access, correct, delete, or restrict processing of your personal data, and to lodge a complaint with a regulator. To exercise any right, contact us at privacy@ndevr.org.
14. Children
OWL is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.
15. International transfers
Our servers are operated in the United States. If you access OWL from elsewhere, your information (including the encrypted content and the metadata described above) is processed there. Where required, we rely on appropriate safeguards for cross-border transfers.
16. Changes to this policy
We may update this policy as the service evolves. We will revise the "Last updated" date above and, for material changes, provide a more prominent notice. Continued use after an update means you accept the revised policy.
17. Contact
NDEVR, LLC
21816 SE 280th St, Maple Valley, WA 98038
Email: privacy@ndevr.org