Privacy Policy
Last updated: May 4, 2026
1. Introduction
Osillation is a multi-tenant SaaS product operated by Osillation, a company incorporated in Delaware, USA. This Privacy Policy explains what information we collect when you use Osillation, how we use it, who we share it with, and the rights you have over it.
This policy applies to the Osillation web application at portal.osillation.com, our marketing site, and any APIs or integrations operated by Osillation. It does not cover services run by your organization administrator inside Osillation, or third-party tools you connect to Osillation.
This policy takes effect on May 4, 2026 and replaces any prior version.
2. Information we collect
Account information
When you sign up we collect your email address, your name, a hashed password (or your Google OAuth identity), your organization name, and your role inside the organization. Profile fields like avatar, timezone, and job title are optional.
Usage data
We log product events (pages viewed, features used, buttons clicked), session metadata (browser, OS, approximate location from IP), and error traces. We use PostHog for product analytics and session replay. PostHog masks input fields by default, so the content you type into forms is not captured in replays.
Customer content
Anything you put into Osillation as a user is customer content: projects, tasks, deals, contacts, documents, payslips, notes, file uploads, comments, and similar. Customer content is encrypted at rest in AWS RDS and S3, and encrypted in transit with TLS 1.2 or higher. Customer content is scoped to your organization and is never used to train any AI model.
GitHub data
When you connect a GitHub repository to Osillation, we read repository metadata (name, description, branches, collaborators) and the source code the AI agent needs to complete the job you requested. Code contents are held only for the lifetime of an agent job. We keep job logs (which file paths were read, which commits were produced, exit status) for 90 days for debugging and audit, then delete them.
AI provider data
On the Pro and Enterprise plans you bring your own AI provider key (Anthropic, AWS Bedrock, OpenAI, or GCP Vertex). When the agent runs, prompts and completions pass through Osillation and are sent directly to the provider you configured. We do not retain prompts or completions beyond the audit log entry that records that the job ran, which provider was used, and how many tokens were consumed.
3. How we use the information
We use the information above to run the platform: authenticate you, scope data to your organization, deliver agent jobs, send transactional notifications, and bill you accurately.
We use aggregated, de-identified analytics to understand which features are used and where users get stuck, so we can improve the product. We never tie aggregated analytics back to an individual user when sharing them publicly.
We send transactional email by default (security alerts, invitations, billing receipts). Marketing email goes only to people who explicitly opt in.
We do not sell your data, and we do not share it with data brokers or advertising networks.
4. Third-party services we use
- PostHog (United States): product analytics, session replay with input masking, error tracking.
- Amazon Web Services (United States, regions us-west-2 and us-east-1): hosting, database (RDS), object storage (S3), email delivery (SES), and container compute (ECS).
- Stripe (United States): payment processing once paid plans launch. Card numbers go directly to Stripe; we never see them.
- Google: OAuth sign-in. You can revoke our access from your Google account at any time.
- GitHub: source of truth for code when you connect repositories to the AI agent.
5. Data retention
- Account data is kept until you delete your account. Deletion is effective within 30 days.
- Organization data is kept until the organization owner deletes the organization. Members can export their data before the owner deletes it.
- Application logs are kept for 90 days, then rotated out of hot storage and discarded.
- Billing and financial records are kept for 7 years to satisfy US tax and accounting regulations.
- Database backups are kept for 30 days. After that, restoring deleted data is no longer possible.
6. Your rights
You can access, correct, export, or delete your personal data at any time from the settings page inside Osillation. You can opt out of marketing email from any marketing message we send.
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under GDPR including portability, erasure, restriction, and the right to object. If you are in California, you have rights under CCPA including the right to know, the right to delete, and the right to opt out of sale (we do not sell data, but the opt out is honored regardless).
To exercise any of these rights, email privacy@osillation.com. We respond within 30 days.
7. Cookies
Osillation uses a small number of cookies:
- An authentication session token. This is necessary to keep you logged in.
- A PostHog analytics ID. This is necessary for product analytics and session replay. You can opt out by enabling Do Not Track in your browser, which Osillation honors.
- A theme preference cookie if you choose a non-default theme.
We do not use third-party advertising cookies, and we do not participate in any cross-site tracking networks.
8. AI agent specifics
When you use the Osillation AI Engineering Agent, the agent reads relevant source code from the GitHub repository you connected, reasons about the change you asked for, and may produce commits and pull requests on your behalf. All commits are clearly attributed as agent-authored.
The agent uses the AI provider you configure under Bring Your Own Key on Pro and Enterprise plans. We do not retain the prompts the agent sends to the provider or the completions the provider returns, beyond the audit log entry that records that the job ran.
Every agent run is recorded in the agent_jobs and agent_logs tables inside your organization. You can review which files the agent read, which commits it produced, and what it cost, at any time.
9. Children
Osillation is built for businesses and is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has signed up for Osillation, email us and we will remove the account.
10. Changes to this policy
We will notify you by email and in-app banner at least 30 days before any material change to this policy takes effect. Minor clarifications may be made without notice; the last-updated date at the top of the page will always reflect the current version.
11. Contact
For privacy questions, data subject requests, or to report a suspected breach, email privacy@osillation.com.
Mailing address: Osillation, Delaware, USA. Detailed registered agent address available on request.