Privacy Policy

This Privacy Policy explains how Openso collects, uses, shares, and protects your personal data when you use our Service.

Effective Date: May 27, 2026 · Last Updated: May 27, 2026

Information We Collect

We collect the following categories of personal data:

  • Account identifiers — Email address, display name, profile image URL, and provider user id retrieved from your GitHub OAuth profile when you sign in. (Third-party, with consent)
  • Resume files and parsed text — Resume files you upload in PDF, DOCX, or TXT format, and the structured text extracted from those files. (Provided directly)
  • GitHub repository metadata and file contents — Repository names, branches, commit metadata, and selected file contents from repositories you authorize for chat-with-repo and the GitHub memory graph. (Third-party, with consent)
  • Telegram chat identifiers and messages — The Telegram chat id you connect to Openso and the messages you exchange with the Openso Telegram bot. (Provided directly)
  • Recruiter chatbot transcripts — The conversations recruiters have with your portfolio chatbot, including their questions and the chatbot's responses about you. (Provided directly)
  • AI prompts and outputs — The prompts you send to AI features and the outputs those features generate, including pull-request descriptions, summaries, and chat replies. (Provided directly)
  • Server logs — Standard request logs collected automatically when you interact with Openso, including IP address, user agent, request path, and timestamps. (Automatic)

OAuth Scopes and Why We Need Them

Openso requests only the OAuth scopes necessary to deliver the features you use. You may revoke any granted OAuth scope at any time through the respective provider's account security settings and via the Openso connected-apps page.

GitHub OAuth Scopes

The following GitHub OAuth scopes are requested for repository access, issue access, and pull request creation:

  • read:user

    Feature: Reading the authenticated user's public profile to populate the developer narrative.

    Justification: GitHub does not expose a narrower scope that returns the full public profile required for the recruiter chatbot.

  • user:email

    Feature: Reading the user's verified primary email for account creation.

    Justification: user:email is the minimum scope GitHub provides for verified email retrieval.

  • repo

    Feature: Reading repository metadata and file contents for chat-with-repo and the GitHub memory graph.

    Justification: Public-only scopes (public_repo) cannot index private repos the user explicitly opts in to. Pull-request creation on private repos requires the full repo scope.

  • read:org

    Feature: Listing organizations the user belongs to so they can scope ingestion to an org.

    Justification: Organization membership is not exposed under user-only scopes.

How We Use Your Information

We process your personal data for the purposes listed below. For each purpose, we identify the GDPR Article 6 legal basis. Where we rely on legitimate interests, we describe the specific interest.

  • Authenticating users via GitHub OAuth.

    Legal basis: performance of a contract

  • Operating product features (chat, repo agent, recruiter chatbot).

    Legal basis: performance of a contract

  • Sending product communications (account, security, digest emails).

    Legal basis: legitimate interests

    Legitimate interest: Keeping users informed about activity on their account and the workflows they have configured.

  • Detecting and preventing abuse, spam, and unauthorized access.

    Legal basis: legitimate interests

    Legitimate interest: Protecting the integrity of the Service and the safety of other users.

  • Complying with subpoenas, court orders, and legal requests.

    Legal basis: legal obligation

Sub-Processors

Openso shares personal data with the following sub-processors to deliver the Service. Each entry lists the processing purpose, categories of data shared, primary processing region, and a link to the sub-processor's privacy policy.

  • xAI

    United States

    Hosting AI inference for chat, recruiter chatbot, developer profile synthesis, and structured extraction workloads.

    Data shared: Account identifiers, Prompts and AI outputs

    xAI privacy policy
  • GitHub

    United States

    OAuth authentication; reading repository metadata and file contents.

    Data shared: Account identifiers, Repository metadata and selected file contents

    GitHub privacy policy
  • Insforge

    Provider-managed cloud regions

    Primary application database, authentication session storage, and file storage.

    Data shared: Account identifiers, Encrypted OAuth tokens, Resume files and parsed text

    Insforge privacy policy
  • Daytona

    Provider-managed cloud regions

    Sandboxed execution environments for the Repo Agent.

    Data shared: Repository contents during a sandbox run

    Daytona privacy policy
  • Upstash QStash

    AWS regions selected per project

    Background workflow queue for ingestion, dream-cycle, and digest jobs.

    Data shared: Job payload identifiers, User identifiers referenced by background jobs

    Upstash QStash privacy policy
  • Telegram Bot API

    Telegram's global infrastructure

    Sending and receiving messages with users who connect the Openso Telegram bot.

    Data shared: Telegram chat identifiers, Message content sent to or from the bot

    Telegram Bot API privacy policy

The Operator may add or change sub-processors. Material changes will be reflected by updating this Privacy Policy and revising the Effective Date.

Data Retention

We retain your data according to the following criteria:

  • Account identifiers — Retained for the lifetime of your account. Deleted when you delete your account.
  • Resume files — Retained until you delete the resume or delete your account.
  • GitHub repository data — Retained while the repository connection is active. Removed when you disconnect the repository or delete your account.
  • Telegram data — Retained while the Telegram bot connection is active. Removed when you disconnect or delete your account.
  • Recruiter chatbot transcripts — Retained for the lifetime of your account.
  • AI prompts and outputs — Retained for the lifetime of your account unless you delete individual conversations.
  • Server logs — Retained for up to 90 days for security and debugging purposes, then automatically purged.

How to Delete Your Data

You can delete your account and all associated data through the in-product account settings page. Alternatively, you may submit a deletion request by emailing support@openso.dev.

When we receive a deletion request via email, we will respond within 30 days and complete the deletion promptly thereafter.

Your Rights Under GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Right of access — You may request a copy of the personal data we hold about you.
  • Right to rectification — You may request correction of inaccurate or incomplete personal data.
  • Right to erasure (right to be forgotten) — You may request deletion of your personal data.
  • Right to restriction of processing — You may request that we limit how we use your data.
  • Right to data portability — You may request your data in a structured, commonly used, machine-readable format.
  • Right to object — You may object to processing based on legitimate interests.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at support@openso.dev. We will respond within the timeframe required by GDPR Article 12 (generally within one month).

You also have the right to lodge a complaint with your national supervisory authority if you believe your data protection rights have been violated.

International Data Transfers

Your data may be transferred outside your jurisdiction to sub-processors listed above. The Operator relies on standard contractual clauses or equivalent safeguards offered by those sub-processors to ensure an adequate level of data protection for international transfers.

Your Rights Under CCPA and CPRA

If you are a California consumer, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to know — You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete — You may request deletion of your personal information.
  • Right to correct — You may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — You may opt out of the sale or sharing of your personal information.
  • Right to limit use of sensitive personal information — You may limit the use and disclosure of sensitive personal information.
  • Right to non-discrimination — You will not be discriminated against for exercising any of these rights.

California consumers may submit verifiable requests via support@openso.dev. We will verify your identity by matching the email address on your request with the email address associated with your Openso account.

Do Not Sell or Share My Personal Information

Openso does not sell or share personal information as those terms are defined under the CCPA and CPRA. Because we do not sell or share your personal information, no opt-out mechanism is required.

Categories of Personal Information Collected (CCPA)

The following table maps each category of personal data we collect to the corresponding CCPA category enumerated in California Civil Code § 1798.140:

Data Category | CCPA Category (§ 1798.140)
Account identifiers | (A) Identifiers
Resume files and parsed text | (I) Professional or employment-related information
GitHub repository metadata and file contents | (F) Internet or other electronic network activity information
Telegram chat identifiers and messages | (A) Identifiers
Recruiter chatbot transcripts | (F) Internet or other electronic network activity information
AI prompts and outputs | (K) Inferences drawn from other personal information
Server logs | (F) Internet or other electronic network activity information

Cookies and Similar Technologies

Openso uses the following categories of cookies:

  • Strictly necessary cookies — Authentication session cookies required to keep you signed in and to protect against cross-site request forgery. These cannot be disabled.

Openso does not use analytics cookies, advertising cookies, or third-party tracking pixels.

Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If we become aware that personal information has been collected from a child under 16 without verifiable parental consent, we will delete that information promptly upon discovery or notification.

If you believe a child under 16 has provided us with personal information, please contact us at support@openso.dev.

Security

We implement technical and organizational measures to protect your personal data, including:

  • Transport encryption (HTTPS) for all data in transit
  • Encrypted storage of OAuth tokens at rest
  • Scoped database access with row-level security policies
  • Use of audited sub-processors with their own security programs

No internet transmission or storage system is fully secure. While we strive to protect your data, we cannot guarantee absolute security. There is always a residual risk that unauthorized parties may intercept data or breach our systems despite our safeguards.

If a personal data breach affecting data subjects occurs, we will notify affected users via email and update this Privacy Policy within the timeframes required by applicable law.

Contact Us

For all privacy matters, data subject rights requests, Limited Use enforcement reports, and legal inquiries, contact us at:

support@openso.dev

The Operator is reachable at this email address for all privacy and legal matters.