๐Ÿšง DRAFT: Website under construction

Privacy Policy

How the Open Model Licensing Association ("OMLA," "we," "us," or "our") collects, uses, discloses, retains, and protects personal data, and the rights you have over it.

Version 1.1 โ€” Effective 2026-06-16. Last updated 2026-07-02 (added the omla_banner_dismissed_v1 banner-dismissal preference to the storage inventory).

Translations are provided for convenience; the English version governs.

In short. OMLA is a model-licensing registry and royalty-measurement service. We collect the minimum personal data needed to run a public registry, verify cryptographic signatures, and compute royalty statements. We do not sell or share your personal information, we do not run advertising trackers, and we never hold, move, or custody money. Some registry data is intentionally public because creators choose to publish it. Questions or requests: privacy@omla-ai.org.

Contents

  1. Who we are & controller identity
  2. Scope of this policy
  3. Data we collect
  4. Purposes & legal bases (GDPR Art. 13/14)
  5. Public-by-design registry data
  6. Disclosure & sub-processors
  7. International data transfers
  8. Data retention
  9. Your rights (GDPR / UK GDPR)
  10. California privacy rights (CCPA/CPRA)
  11. Other US state privacy rights
  12. Cookies & similar technologies
  13. Children's privacy
  14. Security
  15. Automated decision-making
  16. Changes to this policy
  17. Contact & complaints

1. Who we are & controller identity

The Open Model Licensing Association ("OMLA") is an open, community-governed initiative organizing as a nonprofit in the State of Washington, USA. OMLA's 501(c)(3) tax-exempt status is pending and has not yet been granted. OMLA operates the website at omla-ai.org and the associated public model registry and royalty-statement service.

For personal data described in this policy, OMLA acts as the data controller (and, under the CCPA/CPRA, as a "business"). OMLA determines the purposes and means of the processing described below.

You can contact us about privacy and data protection at:

If you are in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires the appointment of a local representative or data-protection officer, and you wish to know whether one has been designated for your region, please contact privacy@omla-ai.org. Where a representative or data-protection officer is appointed, their details will be published here.

2. Scope of this policy

This policy applies to personal data we process about:

This policy works alongside our Legal hub (including our Terms of Service and Model License) and our Cookie Notice (see cookies.html and section 12). It does not cover third-party websites or services that may be linked from our site; those are governed by their own privacy policies.

A note on chat: any chatbot or conversational assistant feature is disabled in production. We do not operate a live chatbot that collects or processes your messages. If a chat feature is ever enabled, this policy will be updated first.

3. Data we collect

We collect only what we need to operate the registry and the royalty-statement service. The categories below describe what we collect, and section 4 maps each category to a purpose and legal basis.

3.1 Account & authentication data

3.2 Model registration & public-key data

3.3 Royalty & usage data

3.4 Wallet / payment addresses that creators choose to publish

3.5 Complaint & compliance data

3.6 Server logs & technical data

3.7 Special categories & payment-card data

We do not intentionally collect special-category data (such as health, biometric, or precise-geolocation data) and we do not collect payment-card numbers, because OMLA never processes payments. Please do not submit such data to us. If you include it in a complaint or message, we process it only as needed to handle your request.

4. Purposes & legal bases (GDPR Art. 13/14)

For people in the EEA and the UK, the General Data Protection Regulation (GDPR) and UK GDPR require us to tell you why we process your data and the legal basis for doing so. The table below maps each data category to its purpose and basis. Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms.

Data categoryPurposeLegal basis
Account email & authentication metadata (ยง3.1) Create and secure your account; authenticate you; send service-related messages Contract (Art. 6(1)(b)) โ€” to provide the registry service you requested; and legitimate interests (Art. 6(1)(f)) in account security
Commercial-user profile (ยง3.1) Enable usage reporting and the computation of royalty statements Contract (Art. 6(1)(b))
Model registrations, lineage, public keys & signatures (ยง3.2) Maintain a public, verifiable registry; verify signatures; record declared lineage and splits Contract (Art. 6(1)(b)); and legitimate interests (Art. 6(1)(f)) in registry and audit integrity
Usage reports & royalty statements (ยง3.3) Compute and publish the amount owed and the payee's self-provided payment details Contract (Art. 6(1)(b)) โ€” performing the Model License terms
Published wallet / payment details (ยง3.4) Publish a payee's chosen payment method so commercial users can settle directly Consent (Art. 6(1)(a)) โ€” you choose to publish these; and contract (Art. 6(1)(b)) to display them in your registry entry. You can update or remove them.
Complaint & compliance data (ยง3.5) Investigate complaints; operate the compliance state machine; protect the integrity of the registry Legitimate interests (Art. 6(1)(f)) in a trustworthy registry; and, where applicable, legal obligation (Art. 6(1)(c))
Server logs & technical data (ยง3.6) Operate, secure, debug, and protect the site against fraud and abuse Legitimate interests (Art. 6(1)(f)) in security and reliability
Language-preference storage (ยง3.6) Remember your chosen language Legitimate interests / strictly necessary preference function (Art. 6(1)(f))
Any data needed to comply with the law Respond to lawful requests, subpoenas, and tax or regulatory obligations Legal obligation (Art. 6(1)(c))

Where processing is necessary for a contract, providing the relevant data is a condition of using that part of the service; if you do not provide it, we may be unable to create your account, register your model, or compute statements. Where we rely on consent, you may withdraw it at any time (see section 9) without affecting processing already carried out.

Some data we hold is collected indirectly (GDPR Art. 14) โ€” for example, where a complaint or a lineage attribution submitted by another person names you. The source of such data is the person who submitted the registration, lineage reference, or complaint.

5. Public-by-design registry data

OMLA operates a public registry. Public fields let anyone verify a model's provenance, signature status, accepted License version, declared lineage, and compliance state. These public fields include model names and versions, content hashes, public keys, accepted License versions, lineage references, and compliance state. Declared contribution splits, wallet/payment identifiers, and License-acceptance account records are access-controlled; verified payee coordinates are disclosed to the responsible payer in a Royalty Statement.

Because the registry is a verifiable, append-style record that supports lineage and audit integrity, some registry and audit data may be retained even after you delete your account (for example, marked inactive rather than deleted) so that downstream attributions and historical statements remain meaningful. Where the law gives you a right to erasure, that right is balanced against these registry- and audit-integrity interests and legal obligations (see sections 8 and 9).

Guideline: do not place private information in a public registry field. Public registry values should be treated as permanently public even though payee and acceptance evidence fields have separate access controls.

6. Disclosure & sub-processors

We do not sell or share your personal information, and we do not disclose it for advertising. We disclose personal data only in the limited circumstances below.

6.1 Intentionally public registry data

As described in section 5, registry data that creators choose to publish is publicly accessible by design. This is a deliberate feature of an open registry, not an incidental disclosure.

6.2 Service providers (sub-processors)

We use a small number of vetted service providers ("sub-processors") to run the site. They process personal data only on our instructions and under appropriate contractual terms. Our current sub-processors are:

Sub-processorRoleLocation
Supabase PostgreSQL database, authentication, and Edge Functions โ€” stores account, registry, usage, and statement data and runs the no-custody computation functions United States
DreamHost Static website hosting and associated server access logs United States
Transactional email Sending service-related and verification emails (delivered through the providers above) United States

We do not use advertising or analytics trackers. Any chatbot/AI assistant is disabled in production, so no conversational AI provider processes your data through this site. If we add or change a sub-processor, we will update this section.

6.3 Legal & protective disclosures

We may disclose personal data where we believe in good faith it is necessary to: comply with a law, regulation, subpoena, court order, or other lawful request; enforce our Terms of Service or Model License; investigate fraud, security, or abuse; or protect the rights, safety, or property of OMLA, our users, or the public.

6.4 Business changes

If OMLA reorganizes, merges with, or transfers its activities to another nonprofit or successor entity, registry and account data may be transferred as part of that change, subject to this policy or a successor policy with equivalent protections.

7. International data transfers

OMLA is based in the United States, and our sub-processors process data in the United States. If you are located in the EEA, the UK, Switzerland, or another region with data-transfer restrictions, your personal data will be transferred to and processed in the United States.

Where required, we rely on appropriate safeguards for these transfers, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (or UK IDTA), and equivalent mechanisms, together with supplementary measures such as encryption in transit. You can request information about the safeguards that apply, or a copy of the relevant clauses (with commercially sensitive terms redacted), by emailing privacy@omla-ai.org.

8. Data retention

We keep personal data only as long as needed for the purposes in section 4, or as required by law. Indicative periods:

When we no longer need personal data, we delete it or irreversibly anonymize it, except where retention is required for registry/audit integrity or by law.

9. Your rights (GDPR / UK GDPR)

If you are in the EEA, the UK, or another jurisdiction with comparable rights, you have the right to:

How to exercise your rights. Email privacy@omla-ai.org with your request. We may need to verify your identity before acting. We aim to respond within one month, and we will tell you if we need an extension (up to a further two months) for complex requests, as the GDPR permits. Exercising your rights is free unless a request is manifestly unfounded or excessive.

Limits. Some data is intentionally public and supports lineage and audit integrity (section 5). We may not be able to fully erase or remove such data where doing so would undermine the integrity of the registry or where we are legally required to keep it; in those cases we will explain what we can and cannot do.

Right to complain to a supervisory authority. You have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, or โ€” in the UK โ€” with the Information Commissioner's Office (ICO). We would, however, appreciate the chance to address your concerns first: please contact privacy@omla-ai.org.

10. California privacy rights (CCPA/CPRA)

This section applies to California residents and supplements the rest of this policy. It is our notice at or before the point of collection.

10.1 Categories of personal information collected

In the past 12 months we have collected the following categories of personal information, as defined by the CCPA/CPRA: identifiers (such as email address and account identifiers); internet or other electronic network activity (server logs, including IP address and user-agent); commercial information (usage reports and computed royalty statements); and professional or business information (commercial-user organization and contact details). Published wallet/payment details and public keys are collected as identifiers that you choose to make public.

10.2 Sources, purposes, and recipients

We collect this information directly from you, automatically from your use of the site, and indirectly from others (for example, lineage attributions or complaints that name you). We use it for the business purposes described in sections 3 and 4. We disclose it only as described in section 6 โ€” to our sub-processors and as legally required.

10.3 We do not sell or share personal information

OMLA does not sell personal information and does not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months. We do not use or disclose sensitive personal information for purposes that would trigger a right to limit; we collect only what is described above.

10.4 Your California rights

10.5 How to exercise California rights

Submit a request by emailing privacy@omla-ai.org. You may also use the general contact at hello@omla-ai.org to reach us. We will verify your request, typically using your account email. You may use an authorized agent to submit a request on your behalf; we may ask the agent for proof of authorization and may ask you to confirm the agent's authority directly.

11. Other US state privacy rights

Residents of other US states with comprehensive privacy laws โ€” including Virginia, Colorado, Connecticut, Utah, Texas, and others as they take effect โ€” may have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. OMLA does not engage in targeted advertising, sell personal data, or carry out profiling that produces legal or similarly significant effects (see section 15). To exercise any applicable rights, or to appeal a decision on a request, contact privacy@omla-ai.org.

12. Cookies & similar technologies

OMLA uses a small amount of cookies and local storage that are strictly necessary or that remember your preferences. These include a language-preference cookie (so the site renders in your chosen language), a first-party localStorage item (omla_banner_dismissed_v1) that remembers you dismissed the beta notice banner, and authentication/session storage set by our authentication provider when you sign in. We do not use advertising trackers, cross-site profiling, or session-replay tools.

For full details โ€” including each item, its category (strictly necessary vs. preference), purpose, and expiry โ€” see our Cookie Notice.

13. Children's privacy

OMLA is not intended for children. We do not knowingly create accounts for, or collect personal data from, children under 16 (in the EEA/UK) or under 13 (in the United States). If you believe a child has provided us with personal data, contact privacy@omla-ai.org and we will delete it promptly, consistent with our registry/audit-integrity and legal obligations.

14. Security

We take reasonable technical and organizational measures to protect personal data, including:

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach that is likely to affect you, we will notify affected users and, where required, the relevant supervisory authorities, within the timeframes the law requires.

15. Automated decision-making

Our compliance state machine (REGISTERED โ†’ COMPLIANT / DELINQUENT โ†’ BLACKLISTED) applies deterministic, rule-based logic to declared and reported data. It is not profiling, and it does not produce legal or similarly significant effects based on automated assessment of personal characteristics. Compliance outcomes can be challenged through our complaint and appeal process, which includes human review. To request human review or to contest a compliance outcome, contact privacy@omla-ai.org or use the complaint process described in our compliance pages.

16. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the version and effective date at the top of this page and, where appropriate, notify account holders. Your continued use of the site after an update takes effect means you accept the revised policy. Prior versions are available on request.

17. Contact & complaints

For any privacy question, request, or complaint:

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data-protection supervisory authority (in the UK, the Information Commissioner's Office), as described in section 9. We would welcome the opportunity to resolve your concern first.

Translations of this policy are provided for convenience; the English version governs. Where applicable mandatory local law requires otherwise, that law prevails to the extent of any conflict.