Your US State Privacy Rights

If you are a US resident, several state privacy laws give you rights over your personal information. This page explains those rights and how to exercise them with OWL. It supplements — and does not replace — the OWL privacy policy, which remains the full description of what we collect and what we can and cannot see.

Part of NDEVR's compliance & conformity program · Privacy requests: privacy@ndevr.org.

What this means for OWL specifically. OWL is end-to-end encrypted: the contents of your files and messages are sealed on your device and we store only ciphertext we cannot read. We do not sell or share personal information for money or for cross-context targeted advertising, and we run no advertising or analytics trackers. As a result, several state "opt-out" rights below have nothing to opt out of — but we honour them anyway.

1. Your rights

Depending on your state, you may have the right to:

  • Know / access — confirm whether we process your personal information and get a copy of it.
  • Delete — request deletion of personal information we hold about you (subject to legal exceptions and the retention described in the privacy policy).
  • Correct — fix inaccurate personal information (for example, your account email).
  • Portability — receive your personal information in a portable, usable format.
  • Opt out of sale / sharing — we do not sell personal information and do not share it for cross-context targeted advertising, so there is nothing to opt out of; we will confirm this on request.
  • Opt out of targeted advertising — we do not run targeted advertising or trackers.
  • Limit use of sensitive personal information — we do not use sensitive personal information for advertising or profiling; OWL's design means we cannot read your file or message contents at all.
  • Non-discrimination — we will not discriminate against you for exercising any of these rights.

2. How to exercise your rights

Email privacy@ndevr.org (and use in-product account controls where available — you can edit account details and delete files, messages, or your whole account directly). To protect your data, we will take reasonable steps to verify your identity, typically by confirming control of the account email tied to the request; we cannot disclose or delete data based on an unverifiable request.

We aim to respond within the timeframe your state's law requires (generally 45 days, extendable once where permitted). Where your state provides an appeal process for a denied request, we will tell you how to appeal in our response.

Honest limit of zero-knowledge. Because your file and message contents are encrypted with keys we do not hold, we cannot produce their plaintext in an access request and we cannot decrypt them to "correct" them — only you (and those you share with) can. We can act on the account data and metadata we do hold, and on deleting your encrypted content.

3. State-by-state summary

A non-exhaustive summary of the comprehensive US state privacy laws. The rights above apply to residents of these states under their respective laws; effective dates are when the law became enforceable for consumers.

State | Law | In effect
California | CCPA, as amended by the CPRA | Jan 2020 (CPRA amendments Jan 2023)
Virginia | Consumer Data Protection Act (VCDPA) | Jan 2023
Colorado | Colorado Privacy Act (CPA) | Jul 2023
Connecticut | Data Privacy Act (CTDPA) | Jul 2023
Utah | Consumer Privacy Act (UCPA) | Dec 2023
Texas | Data Privacy and Security Act (TDPSA) | Jul 2024
Oregon, Montana, and others | Comprehensive state privacy laws | 2024–2026 (varies)

Additional states continue to enact comprehensive privacy laws; we apply the rights above to residents of any state with a comparable law, whether or not it is listed here.

4. Authorized agents & minors

  • Authorized agents. You may use an authorized agent to submit a request on your behalf where your state's law allows it; we may ask the agent for proof of authorization and may still verify your identity directly.
  • Minors. OWL is not directed to children, and we do not knowingly collect personal information from children under 13 (see privacy policy §16). We do not sell or share personal information of minors.

5. Scope

This is a disclosure page describing how we honour US state privacy rights; it is not a certification. For the complete description of our data practices, sub-processors, retention, and security, see the privacy policy.