Oval Brief

Privacy Policy

Oval Brief

Last Updated: March 1, 2026

Introduction

Oval Brief (“we,” “our,” or “us”) is operated by Hans Luther. This Privacy Policy explains how we collect, use, and protect information when you use the Oval Brief mobile application (the “App”) and the Oval Brief website at ovalbrief.com (the “Site”). References to “Services” mean the App and Site collectively.

We are committed to protecting your privacy. Our Services are designed to minimize data collection while providing you with accessible information about executive branch actions.

Contact Information:

How Content Is Created

Oval Brief displays summaries and analysis of executive orders that are generated using artificial intelligence (Anthropic’s Claude and OpenAI). This AI processing occurs on our servers using publicly available government documents from the Federal Register.

Your personal data is never sent to AI services. When you use the app, you are viewing pre-processed content stored in our database—your searches, browsing activity, and other interactions do not trigger AI processing and are not shared with AI providers.

Information We Collect

Information We Collect Through the App

The App does not require you to create an account, provide your name, email address, or any other personal information. To use the App, we do not collect:

  • Names or contact information
  • Payment or financial information
  • Location data
  • Photos, contacts, or other device content
  • Social media profiles

Device Authentication Data

To protect our service from abuse and ensure fair access, we use Apple App Attest (iOS) and Google Play Integrity (Android) to verify that requests come from legitimate installations of the App. This process collects:

  • A cryptographic device fingerprint (a unique identifier generated by your device’s secure hardware)
  • Attestation verdicts from Apple or Google confirming app integrity

This data is used solely for security purposes and is not linked to your identity.

Local Preferences

The App stores your preferences locally on your device, including:

  • Theme preference (light, dark, or system)
  • Engagement data (such as when you last opened the App)

This information is stored only on your device using encrypted storage and is not transmitted to our servers unless necessary for App functionality.

Session Tokens

When your device is authenticated, we issue a session token stored securely on your device. This token allows you to access the App without repeated authentication checks. Session tokens do not contain personal information.

Analytics Data (Optional)

If you have not opted out of analytics, we collect anonymous usage data to improve the App:

  • Screen views and navigation patterns
  • Feature usage (filter interactions, content expansion)
  • App performance metrics

This data is collected through PostHog and is:

  • Fully anonymous and not linked to your identity
  • Not combined with any personal information
  • Used solely to improve the App experience

You can opt out of analytics at any time in the App’s Settings.

Server Logs

Our servers automatically record limited technical information when you use the App:

  • IP address (used for rate limiting and security)
  • Request timestamps and response times
  • General error information

We retain server logs for a limited period for security and operational purposes. IP addresses are not linked to any personal profile or identity.

Information We Collect Through the Site

You may browse all Site content without providing any personal information.

Information You Provide

If you sign up for beta access or other communications through our Site, we collect:

  • Email address: To send you a confirmation and future access invitations
  • Submission source: Which page or form you signed up from

Information Collected Automatically

When you submit a form on our Site, we automatically collect:

  • Approximate country: Derived from your IP address by Cloudflare’s network infrastructure. We store only the country code, not your IP address, from form submissions.
  • Bot-detection verification: A challenge/response result from Cloudflare Turnstile to prevent spam. This data is not stored after verification.

How We Use Information

We use the information we collect to:

  • Provide the Services: Deliver executive order summaries, search functionality, and related features
  • Communicate with you: Send beta access invitations and service updates to email addresses you have voluntarily provided
  • Ensure Security: Authenticate devices, prevent abuse, and protect against unauthorized access
  • Improve the Services: Understand general usage patterns and fix technical issues
  • Comply with Law: Respond to legal requests and protect our rights

We do not:

  • Sell your information to third parties
  • Use your information for advertising or marketing profiling
  • Track you across other apps or websites
  • Create personal profiles based on your usage

Third-Party Services

Our Services use the following third-party services to operate:

ServicePurposeData Shared
Apple App AttestDevice authentication (iOS)Device attestation data
Google Play IntegrityDevice authentication (Android)Device integrity verdicts
Anthropic ClaudeAI-powered document analysisExecutive order text (public government documents)
OpenAISemantic search capabilitiesDocument summaries (no user data)
CloudflareInfrastructure, caching, and bot protectionRequest metadata, IP addresses
Cloudflare TurnstileBot protection for Site formsChallenge/response tokens (no PII)
NeonDatabase hostingAggregated app data (no user PII)
ExpoApp updatesUpdate metadata
PostHogProduct analyticsAnonymous usage data (screen views, feature interactions, app performance)
ResendTransactional email deliveryEmail addresses for beta confirmations and service communications
SlackInternal team notificationsEmail addresses and signup metadata (for operational awareness)

These services process data according to their own privacy policies. No personal user information is shared with AI services—only publicly available government document text.

Data Retention

  • Beta signup data: Retained until you request deletion or until the beta program concludes, after which emails are either deleted or migrated to an active user account with your consent
  • Device attestation keys: 30 days, then automatically deleted
  • Session tokens: Valid for a limited period, automatically expire
  • Server logs: Retained for operational purposes, then deleted
  • Local device storage: Persists until you uninstall the App or clear app data

Data Security

We implement appropriate technical and organizational measures to protect information, including:

  • Encryption of sensitive data in transit (HTTPS/TLS)
  • Secure storage of session tokens using iOS Keychain and Android Keystore
  • Rate limiting to prevent abuse
  • Regular security assessments

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Your Rights and Choices

All Users

You may:

  • Delete local data: Uninstall the App or clear app data in your device settings
  • Control notifications: Manage notification preferences in the App settings or your device settings
  • Opt out of attestation: Note that device attestation is required to use the App; opting out will prevent access
  • Opt out of analytics: Disable anonymous usage analytics in the App’s Settings
  • Withdraw from beta: Request removal of your email from our beta list by contacting privacy@ovalbrief.com

European Economic Area (EEA) Residents

Under the General Data Protection Regulation (GDPR), you have additional rights:

  • Access: Request a copy of information we hold about you
  • Rectification: Request correction of inaccurate information
  • Erasure: Request deletion of your information
  • Restriction: Request that we limit how we use your information
  • Portability: Request your information in a portable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Where processing is based on consent, withdraw at any time

To exercise these rights, contact us at privacy@ovalbrief.com. We will respond within 30 days.

Legal Basis for Processing (EEA)

We process information based on:

  • Consent: Processing your email address for beta access and related communications (you may withdraw at any time by contacting us)
  • Legitimate Interests: Security, fraud prevention, and service operation
  • Contract Performance: Providing the Services’ features and functionality

California Residents

Under the California Consumer Privacy Act (CCPA), you have the right to:

  • Know what personal information we collect
  • Request deletion of your personal information
  • Non-discrimination for exercising your rights

We do not sell personal information. To exercise your rights, contact privacy@ovalbrief.com.

International Data Transfers

Our Services are operated from the United States. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For EEA residents, we rely on appropriate safeguards for international transfers, including standard contractual clauses where applicable.

Children’s Privacy

Our Services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@ovalbrief.com, and we will delete such information.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy in the App and on the Site
  • Updating the “Last Updated” date above

Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Email: privacy@ovalbrief.com

For GDPR-related inquiries, you also have the right to lodge a complaint with your local data protection authority.

Oval Brief is operated by Hans Luther.