Privacy Policy

This Privacy Policy explains how OneGC Inc. ("we," "us") handles personal information when you visit our websites, use our products and services, or otherwise interact with us. By using our services, you agree to the practices described here. If you do not agree, do not use our services. This policy works alongside our Terms of Service.

This policy applies to information we collect through our marketing site, our product, and any other channel where we collect data directly from you. It does not apply to third-party sites or services we do not control.

1. Who we are

OneGC Inc. is a Delaware corporation with its principal place of business in San Francisco, CA. Questions about this policy or your data can be sent to [email protected].

2. Customer data and end-user data

If you use our product as part of an organization's account (for example, your employer's), the organization controls the personal information stored in the product. This policy describes information we collect and control directly: information you give us when you create an account, visit our marketing site, fill out forms, or otherwise interact with us. Personal information your organization stores in the product is governed by our agreement with the organization, and requests about that information should be directed to your organization in the first instance.

Legal document content. Our product is designed to process sensitive legal documents, including but not limited to corporate formation documents, financing agreements, employment agreements, and other business contracts. This content may contain personal information about your founders, employees, investors, and counterparties. We treat this content as confidential customer data. It is not used to train AI models, is not shared with third parties except as described in this policy and our Data Processing Agreement, and is subject to the retention and deletion practices described in Section 15.

3. What we collect

We collect the following categories of personal information, using the categories defined under California law:

Identifiers. Name, email address, account credentials, IP address.
Customer records. Billing address, payment information processed by our payment provider.
Internet activity. How you interact with our site and product, including pages viewed, features used, and approximate location derived from IP address.
Inferences. Information we derive from the above to understand how customers use our services.

We do not knowingly collect sensitive personal information as defined by California law. If we begin to, we will update this policy.

4. How we collect it

We collect personal information three ways:

Directly from you. When you create an account, fill out a form, contact support, or otherwise interact with us.
Automatically. When you visit our site or use our product, we automatically collect technical information through cookies and similar technologies.
From third parties. Our payment processor, analytics providers, and similar service providers send us information related to your use of our services.

5. Anti-bot and CAPTCHA

We use CAPTCHA and similar anti-bot technologies to protect our services from automated abuse such as credential stuffing, scraping, and spam. The provider may evaluate signals like your IP address, browser characteristics, and interaction patterns to determine whether traffic is automated. We do not have access to the underlying signals; we receive only the assessment result.

6. Why we collect it

We use personal information to:

Provide, maintain, and improve our products and services.
Authenticate accounts and prevent fraud and abuse.
Process payments and bill customers.
Communicate with you about your account, our services, and product updates.
Respond to your inquiries and provide support.
Understand how customers use our services and improve them.
Comply with legal obligations, enforce our terms, and protect our rights.

7. Aggregated and de-identified data

We may create aggregated or de-identified data from personal information by removing identifiers and combining records so that you cannot reasonably be re-identified. Aggregated and de-identified data is not personal information. We may use and disclose it for any lawful purpose, including improving our products and publishing usage statistics. We publicly commit to maintain and use this data only in de-identified form and not to attempt to re-identify it, and we contractually require the same of any recipients.

We share personal information with the following categories of recipients:

Affiliates. Our parent, subsidiaries, and other entities under common control with us, for the purposes described in this policy.
Service providers and sub-processors that operate our infrastructure, payments, analytics, communications, and similar functions. We bind them by written agreements that limit their use of personal information to providing services to us. A current list is available on request at [email protected].
Professional advisors including auditors, lawyers, and accountants.
Government authorities when required by law, subpoena, or other legal process.
In a business transaction such as a merger, acquisition, or sale of assets, in which case the acquirer will be subject to this policy or one materially similar.

If you choose to log into our service using a third-party account (for example, Google, Microsoft, or another single sign-on provider), we receive information from that provider as permitted by your settings with the provider, including your name, email address, and profile identifier. The provider's use of any data you share with it remains governed by the provider's privacy policy, not ours.

We do not share personal information with third parties for their independent marketing purposes.

We do not "sell" personal information for money. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law. If our practices change, we will update this policy and provide a "Do Not Sell or Share My Personal Information" mechanism.

10. AI and machine learning

Our product uses third-party AI model providers to process document content and power product features. We currently use Anthropic and Google as AI model providers. We have executed zero data retention (ZDR) agreements with each provider, meaning that content submitted to their APIs is not stored, logged, or used to train their models. These agreements are contractually enforced and apply to all document content you submit through our product.

We do not use your personal information or document content to train AI or machine learning models, whether our own or our providers'. We may use aggregated and de-identified data, which is not personal information, to evaluate and improve our own product features.

If we add or change AI model providers, we will update this section and maintain equivalent zero data retention protections.

Third-party integrations — Google Drive. Our product allows you to connect your Google Drive account to import documents directly into our platform. When you authorize this integration, we request access only to files you explicitly select or create through our application (using the drive.file scope). We do not access your broader Google Drive contents.

Data received through the Google Drive integration is used solely to provide the document import feature you requested. We do not use it for advertising, do not allow humans to read it except as needed to provide the service or as required by law, and do not share it with third parties except as described in this policy. We store imported document content only for as long as needed to process and display it within your account, subject to the retention practices in Section 15.

Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

You can revoke our access to your Google account at any time through your Google Account permissions. Revoking access does not automatically delete documents already imported into our platform; you may request deletion separately at [email protected].

11. Cookies and similar technologies

We use cookies and similar technologies to operate our site and product, remember your preferences, understand usage, and measure the effectiveness of our communications. You can control cookies through your browser settings. We do not currently respond to "Do Not Track" signals because there is no industry consensus on how to interpret them.

We honor opt-out preference signals recognized under applicable law, including the Global Privacy Control (GPC). When we detect such a signal, we treat it as a request to opt out of the sale or sharing of personal information associated with that browser or device.

12. Marketing communications

You can unsubscribe from marketing emails by using the unsubscribe link in any marketing message or by contacting us at [email protected]. Service emails (about your account, billing, security, or required notices) will continue.

13. Your rights

Depending on where you live, you may have the right to:

Access the personal information we hold about you.
Correct inaccurate personal information.
Delete your personal information, subject to legal exceptions.
Opt out of the sale or sharing of your personal information for cross-context behavioral advertising.
Opt out of certain automated decision-making, where applicable.
Receive a portable copy of your personal information.
Be free from discrimination for exercising these rights.
Send a Global Privacy Control signal through your browser. We honor recognized opt-out preference signals as required by applicable law.

14. How to exercise your rights

To exercise any of these rights, email us at [email protected] or use the form at https://onegc.com/privacy-request.

We will verify your identity before responding. We will respond within forty-five days, with one extension permitted by law if we need more time. We will tell you if we cannot fulfill the request, and why.

You can use an authorized agent. Provide written permission from you and identification for the agent.

15. Retention

We keep personal information for as long as we need it for the purposes described in this policy. The actual period depends on the type of information, the reason we collected it, applicable legal obligations (such as tax and accounting), and your relationship with us. When we no longer need it, we delete or anonymize it.

If you close your account, we delete or anonymize information associated with the account promptly, subject to the exceptions in this section (records kept for legal, accounting, fraud-prevention, or dispute-resolution reasons).

16. Security

We protect personal information using administrative, technical, and physical safeguards reasonable to the type of information and our size. No system is perfectly secure, and we cannot guarantee that information will never be accessed by unauthorized parties. We will notify you of a breach affecting your personal information as required by law.

Our security program is independently validated. We maintain SOC 2 Type II and conduct annual penetration testing.

17. Children

Our services are not directed to children under thirteen, and we do not knowingly collect personal information from children under thirteen. If you believe a child has given us personal information, contact us at [email protected] and we will delete it.

18. State-specific rights

The following sections describe additional or modified rights for residents of specific US states. Where a state law gives you a right not listed here, we honor it whether or not it is described.

California (CCPA / CPRA). All rights in the "Your rights" and "How to exercise your rights" sections apply. You also have the right to limit the use of sensitive personal information if we collect it, and the right to know the specific pieces of personal information we hold about you. You can designate an authorized agent.

In the preceding 12 months (or such shorter period as we have been operating), we have collected the categories of personal information listed in the "What we collect" section. We have disclosed each of those categories for business purposes to the categories of recipients listed in the "Who we share it with" section.

We have not sold or shared any category of personal information for cross-context behavioral advertising.

Other US states. Residents of US states with comprehensive privacy laws (currently including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, and any others as their laws come into effect) have the rights described in the "Your rights" and "How to exercise your rights" sections, with state-specific differences as required by each state's law.

Nevada. Nevada residents have the right under SB 220 to submit a verified request directing us not to sell their covered personal information to third parties. To submit such a request, contact us at [email protected] with "Nevada Opt-Out" in the subject line.

Appeals. If we deny your privacy request, you may appeal our decision by contacting us at [email protected] with "Appeal" in the subject line. We will respond to your appeal within sixty days. If your appeal is denied, you may contact your state Attorney General's office to lodge a complaint.

19. International users

We process personal information in the United States. Our services are intended for users in the United States. If you access our services from outside the United States, you understand that your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

20. Changes to this policy

We may update this policy from time to time. The "Last Updated" date at the top reflects the most recent change. If we make a material change, we will take reasonable steps to notify you.

21. Contact

OneGC Inc.

San Francisco, CA

[email protected]