Privacy Policy
How the Open Model Licensing Association ("OMLA," "we," "us," or "our") collects, uses, discloses, retains, and protects personal data, and the rights you have over it.
Version 1.1 โ Effective 2026-06-16. Last updated 2026-07-02 (added the omla_banner_dismissed_v1 banner-dismissal preference to the storage inventory).
Translations are provided for convenience; the English version governs.
In short. OMLA is a model-licensing registry and royalty-measurement service. We collect the minimum personal data needed to run a public registry, verify cryptographic signatures, and compute royalty statements. We do not sell or share your personal information, we do not run advertising trackers, and we never hold, move, or custody money. Some registry data is intentionally public because creators choose to publish it. Questions or requests: privacy@omla-ai.org.
Contents
- Who we are & controller identity
- Scope of this policy
- Data we collect
- Purposes & legal bases (GDPR Art. 13/14)
- Public-by-design registry data
- Disclosure & sub-processors
- International data transfers
- Data retention
- Your rights (GDPR / UK GDPR)
- California privacy rights (CCPA/CPRA)
- Other US state privacy rights
- Cookies & similar technologies
- Children's privacy
- Security
- Automated decision-making
- Changes to this policy
- Contact & complaints
1. Who we are & controller identity
The Open Model Licensing Association ("OMLA") is an open, community-governed initiative organizing as a nonprofit in the State of Washington, USA. OMLA's 501(c)(3) tax-exempt status is pending and has not yet been granted. OMLA operates the website at omla-ai.org and the associated public model registry and royalty-statement service.
For personal data described in this policy, OMLA acts as the data controller (and, under the CCPA/CPRA, as a "business"). OMLA determines the purposes and means of the processing described below.
You can contact us about privacy and data protection at:
- Privacy / data-protection requests: privacy@omla-ai.org
- General enquiries: hello@omla-ai.org
- Legal notices: legal@omla-ai.org
If you are in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires the appointment of a local representative or data-protection officer, and you wish to know whether one has been designated for your region, please contact privacy@omla-ai.org. Where a representative or data-protection officer is appointed, their details will be published here.
2. Scope of this policy
This policy applies to personal data we process about:
- visitors to omla-ai.org;
- account holders (model creators and commercial users) who register with OMLA;
- people identified in model registrations, lineage attributions, usage reports, and compliance records; and
- people who contact us or submit complaints.
This policy works alongside our Legal hub (including our Terms of Service and Model License) and our Cookie Notice (see cookies.html and section 12). It does not cover third-party websites or services that may be linked from our site; those are governed by their own privacy policies.
A note on chat: any chatbot or conversational assistant feature is disabled in production. We do not operate a live chatbot that collects or processes your messages. If a chat feature is ever enabled, this policy will be updated first.
3. Data we collect
We collect only what we need to operate the registry and the royalty-statement service. The categories below describe what we collect, and section 4 maps each category to a purpose and legal basis.
3.1 Account & authentication data
- Account email address. Used to create and secure your account and to send service-related messages.
- Authentication metadata. Password material is processed and stored in hashed form by our authentication provider (Supabase); we do not store plaintext passwords. We also process session tokens, sign-in timestamps, email-verification status, and similar authentication metadata.
- Commercial-user profile (where applicable). Organization or contact name, contact email, country, and an API-key identifier (stored hashed) for commercial users who report usage.
3.2 Model registration & public-key data
- Model registrations. Model name and version, a content hash (e.g., SHA-256) of the registered model, declared license terms, declared lineage/derivation references, declared contribution splits, and the complaint contact you provide.
- Public cryptographic keys. The public verification key(s) you register โ Ed25519 and/or ML-DSA (a post-quantum signature scheme) โ and the signatures over your registration. We never ask for, receive, or store your private (secret) keys. Custody of your private keys is solely your responsibility.
3.3 Royalty & usage data
- Usage reports. Quarterly commercial-usage reports submitted by commercial users, including the model(s) used, reported commercial revenue and/or run cost, and reporting period.
- Royalty statements. Computed notices of the amount owed to each payee and the payee's self-provided wallet or payment details. A royalty statement is a computed notice of an amount owed โ not an invoice that OMLA collects, and not a record of any payment OMLA received. OMLA never holds, receives, routes, escrows, converts, refunds, or custodies funds.
3.4 Wallet / payment addresses that creators choose to publish
- Payee wallet or payment details. When a creator registers a model, they may self-provide a wallet address or other payment method so that commercial users can pay them directly. These details are provided by the creator for the express purpose of being published alongside the model so that settlement can occur peer-to-peer. OMLA does not validate that an address belongs to you, does not transact against it, and never settles on your behalf. Treat any wallet address you publish as public information.
3.5 Complaint & compliance data
- Complaint submissions. If you file a complaint (for example, alleging incorrect lineage or a missing payment by a third party), we process the name, email, and evidence you submit, and records of how the complaint was handled.
- Compliance state. A model's compliance state in our state machine (REGISTERED โ COMPLIANT / DELINQUENT โ BLACKLISTED) and the events that moved it between states.
3.6 Server logs & technical data
- Server access logs. Our website host and backend providers automatically generate logs that may include IP address, date/time, requested URL, HTTP status, referrer, and user-agent string. These support security, abuse prevention, and reliability.
- Preference storage. A small language-preference cookie or equivalent local storage so the site renders in your chosen language, a first-party localStorage item (
omla_banner_dismissed_v1) that remembers you dismissed the beta notice banner, and authentication/session storage set by our authentication provider when you are signed in. See section 12 and our Cookie Notice. We do not use advertising trackers, third-party analytics for cross-site profiling, or session-replay tools.
3.7 Special categories & payment-card data
We do not intentionally collect special-category data (such as health, biometric, or precise-geolocation data) and we do not collect payment-card numbers, because OMLA never processes payments. Please do not submit such data to us. If you include it in a complaint or message, we process it only as needed to handle your request.
4. Purposes & legal bases (GDPR Art. 13/14)
For people in the EEA and the UK, the General Data Protection Regulation (GDPR) and UK GDPR require us to tell you why we process your data and the legal basis for doing so. The table below maps each data category to its purpose and basis. Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms.
| Data category | Purpose | Legal basis |
|---|---|---|
| Account email & authentication metadata (ยง3.1) | Create and secure your account; authenticate you; send service-related messages | Contract (Art. 6(1)(b)) โ to provide the registry service you requested; and legitimate interests (Art. 6(1)(f)) in account security |
| Commercial-user profile (ยง3.1) | Enable usage reporting and the computation of royalty statements | Contract (Art. 6(1)(b)) |
| Model registrations, lineage, public keys & signatures (ยง3.2) | Maintain a public, verifiable registry; verify signatures; record declared lineage and splits | Contract (Art. 6(1)(b)); and legitimate interests (Art. 6(1)(f)) in registry and audit integrity |
| Usage reports & royalty statements (ยง3.3) | Compute and publish the amount owed and the payee's self-provided payment details | Contract (Art. 6(1)(b)) โ performing the Model License terms |
| Published wallet / payment details (ยง3.4) | Publish a payee's chosen payment method so commercial users can settle directly | Consent (Art. 6(1)(a)) โ you choose to publish these; and contract (Art. 6(1)(b)) to display them in your registry entry. You can update or remove them. |
| Complaint & compliance data (ยง3.5) | Investigate complaints; operate the compliance state machine; protect the integrity of the registry | Legitimate interests (Art. 6(1)(f)) in a trustworthy registry; and, where applicable, legal obligation (Art. 6(1)(c)) |
| Server logs & technical data (ยง3.6) | Operate, secure, debug, and protect the site against fraud and abuse | Legitimate interests (Art. 6(1)(f)) in security and reliability |
| Language-preference storage (ยง3.6) | Remember your chosen language | Legitimate interests / strictly necessary preference function (Art. 6(1)(f)) |
| Any data needed to comply with the law | Respond to lawful requests, subpoenas, and tax or regulatory obligations | Legal obligation (Art. 6(1)(c)) |
Where processing is necessary for a contract, providing the relevant data is a condition of using that part of the service; if you do not provide it, we may be unable to create your account, register your model, or compute statements. Where we rely on consent, you may withdraw it at any time (see section 9) without affecting processing already carried out.
Some data we hold is collected indirectly (GDPR Art. 14) โ for example, where a complaint or a lineage attribution submitted by another person names you. The source of such data is the person who submitted the registration, lineage reference, or complaint.
5. Public-by-design registry data
OMLA operates a public registry. Public fields let anyone verify a model's provenance, signature status, accepted License version, declared lineage, and compliance state. These public fields include model names and versions, content hashes, public keys, accepted License versions, lineage references, and compliance state. Declared contribution splits, wallet/payment identifiers, and License-acceptance account records are access-controlled; verified payee coordinates are disclosed to the responsible payer in a Royalty Statement.
Because the registry is a verifiable, append-style record that supports lineage and audit integrity, some registry and audit data may be retained even after you delete your account (for example, marked inactive rather than deleted) so that downstream attributions and historical statements remain meaningful. Where the law gives you a right to erasure, that right is balanced against these registry- and audit-integrity interests and legal obligations (see sections 8 and 9).
Guideline: do not place private information in a public registry field. Public registry values should be treated as permanently public even though payee and acceptance evidence fields have separate access controls.
6. Disclosure & sub-processors
We do not sell or share your personal information, and we do not disclose it for advertising. We disclose personal data only in the limited circumstances below.
6.1 Intentionally public registry data
As described in section 5, registry data that creators choose to publish is publicly accessible by design. This is a deliberate feature of an open registry, not an incidental disclosure.
6.2 Service providers (sub-processors)
We use a small number of vetted service providers ("sub-processors") to run the site. They process personal data only on our instructions and under appropriate contractual terms. Our current sub-processors are:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase | PostgreSQL database, authentication, and Edge Functions โ stores account, registry, usage, and statement data and runs the no-custody computation functions | United States |
| DreamHost | Static website hosting and associated server access logs | United States |
| Transactional email | Sending service-related and verification emails (delivered through the providers above) | United States |
We do not use advertising or analytics trackers. Any chatbot/AI assistant is disabled in production, so no conversational AI provider processes your data through this site. If we add or change a sub-processor, we will update this section.
6.3 Legal & protective disclosures
We may disclose personal data where we believe in good faith it is necessary to: comply with a law, regulation, subpoena, court order, or other lawful request; enforce our Terms of Service or Model License; investigate fraud, security, or abuse; or protect the rights, safety, or property of OMLA, our users, or the public.
6.4 Business changes
If OMLA reorganizes, merges with, or transfers its activities to another nonprofit or successor entity, registry and account data may be transferred as part of that change, subject to this policy or a successor policy with equivalent protections.
7. International data transfers
OMLA is based in the United States, and our sub-processors process data in the United States. If you are located in the EEA, the UK, Switzerland, or another region with data-transfer restrictions, your personal data will be transferred to and processed in the United States.
Where required, we rely on appropriate safeguards for these transfers, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (or UK IDTA), and equivalent mechanisms, together with supplementary measures such as encryption in transit. You can request information about the safeguards that apply, or a copy of the relevant clauses (with commercially sensitive terms redacted), by emailing privacy@omla-ai.org.
8. Data retention
We keep personal data only as long as needed for the purposes in section 4, or as required by law. Indicative periods:
- Account & authentication data. For as long as your account is active, plus a limited period afterward to handle wind-down, disputes, and legal obligations.
- Server access logs. Retained for a short operational period in line with our providers' defaults and our security needs, then deleted or aggregated.
- Registry, lineage, signature, statement & audit data. Retained for the integrity of the public registry, lineage attribution, and the hash-chained audit record. This data may be retained (and may be marked inactive rather than erased) after account closure so that downstream attributions and historical royalty statements remain verifiable.
- Complaint & compliance records. Retained for the duration of the matter plus a reasonable period to handle appeals, recurrence, and legal obligations.
When we no longer need personal data, we delete it or irreversibly anonymize it, except where retention is required for registry/audit integrity or by law.
9. Your rights (GDPR / UK GDPR)
If you are in the EEA, the UK, or another jurisdiction with comparable rights, you have the right to:
- Access โ obtain confirmation of whether we process your data and a copy of it;
- Rectification โ correct inaccurate or incomplete data;
- Erasure โ ask us to delete your data ("right to be forgotten"), subject to the registry/audit-integrity and legal limits in sections 5 and 8;
- Restriction โ ask us to limit processing in certain circumstances;
- Data portability โ receive the data you provided in a structured, commonly used, machine-readable format, and ask us to transmit it to another controller where technically feasible;
- Objection โ object to processing based on legitimate interests; and
- Withdraw consent โ where we rely on consent (for example, publishing wallet/payment details), withdraw it at any time, without affecting prior processing.
How to exercise your rights. Email privacy@omla-ai.org with your request. We may need to verify your identity before acting. We aim to respond within one month, and we will tell you if we need an extension (up to a further two months) for complex requests, as the GDPR permits. Exercising your rights is free unless a request is manifestly unfounded or excessive.
Limits. Some data is intentionally public and supports lineage and audit integrity (section 5). We may not be able to fully erase or remove such data where doing so would undermine the integrity of the registry or where we are legally required to keep it; in those cases we will explain what we can and cannot do.
Right to complain to a supervisory authority. You have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, or โ in the UK โ with the Information Commissioner's Office (ICO). We would, however, appreciate the chance to address your concerns first: please contact privacy@omla-ai.org.
10. California privacy rights (CCPA/CPRA)
This section applies to California residents and supplements the rest of this policy. It is our notice at or before the point of collection.
10.1 Categories of personal information collected
In the past 12 months we have collected the following categories of personal information, as defined by the CCPA/CPRA: identifiers (such as email address and account identifiers); internet or other electronic network activity (server logs, including IP address and user-agent); commercial information (usage reports and computed royalty statements); and professional or business information (commercial-user organization and contact details). Published wallet/payment details and public keys are collected as identifiers that you choose to make public.
10.2 Sources, purposes, and recipients
We collect this information directly from you, automatically from your use of the site, and indirectly from others (for example, lineage attributions or complaints that name you). We use it for the business purposes described in sections 3 and 4. We disclose it only as described in section 6 โ to our sub-processors and as legally required.
10.3 We do not sell or share personal information
OMLA does not sell personal information and does not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months. We do not use or disclose sensitive personal information for purposes that would trigger a right to limit; we collect only what is described above.
10.4 Your California rights
- Right to know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients;
- Right to delete personal information we have collected, subject to legal and registry/audit-integrity exceptions;
- Right to correct inaccurate personal information;
- Right to opt out of the sale or sharing of personal information โ although, as stated, we do not sell or share;
- Right to limit the use of sensitive personal information โ we do not use sensitive personal information beyond what is permitted without a right to limit; and
- Right to non-discrimination โ we will not deny you service, charge you a different price, or provide a different quality of service because you exercised your rights.
10.5 How to exercise California rights
Submit a request by emailing privacy@omla-ai.org. You may also use the general contact at hello@omla-ai.org to reach us. We will verify your request, typically using your account email. You may use an authorized agent to submit a request on your behalf; we may ask the agent for proof of authorization and may ask you to confirm the agent's authority directly.
11. Other US state privacy rights
Residents of other US states with comprehensive privacy laws โ including Virginia, Colorado, Connecticut, Utah, Texas, and others as they take effect โ may have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. OMLA does not engage in targeted advertising, sell personal data, or carry out profiling that produces legal or similarly significant effects (see section 15). To exercise any applicable rights, or to appeal a decision on a request, contact privacy@omla-ai.org.
13. Children's privacy
OMLA is not intended for children. We do not knowingly create accounts for, or collect personal data from, children under 16 (in the EEA/UK) or under 13 (in the United States). If you believe a child has provided us with personal data, contact privacy@omla-ai.org and we will delete it promptly, consistent with our registry/audit-integrity and legal obligations.
14. Security
We take reasonable technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS/HTTPS) for traffic to and from the site and our backend;
- Row-Level Security (RLS) on our database so that records are only accessible to authorized parties;
- Hashed credentials โ passwords and API keys are stored hashed, never in plaintext;
- A hash-chained audit record so that registry and compliance events are tamper-evident; and
- Post-quantum-capable signatures (Ed25519 and/or ML-DSA) for model registrations, with private keys held only by you.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach that is likely to affect you, we will notify affected users and, where required, the relevant supervisory authorities, within the timeframes the law requires.
15. Automated decision-making
Our compliance state machine (REGISTERED โ COMPLIANT / DELINQUENT โ BLACKLISTED) applies deterministic, rule-based logic to declared and reported data. It is not profiling, and it does not produce legal or similarly significant effects based on automated assessment of personal characteristics. Compliance outcomes can be challenged through our complaint and appeal process, which includes human review. To request human review or to contest a compliance outcome, contact privacy@omla-ai.org or use the complaint process described in our compliance pages.
16. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the version and effective date at the top of this page and, where appropriate, notify account holders. Your continued use of the site after an update takes effect means you accept the revised policy. Prior versions are available on request.
17. Contact & complaints
For any privacy question, request, or complaint:
- Privacy / data protection: privacy@omla-ai.org
- General: hello@omla-ai.org
- Legal: legal@omla-ai.org
- IP / DMCA: dmca@omla-ai.org
If you are in the EEA or UK, you also have the right to lodge a complaint with your local data-protection supervisory authority (in the UK, the Information Commissioner's Office), as described in section 9. We would welcome the opportunity to resolve your concern first.
Translations of this policy are provided for convenience; the English version governs. Where applicable mandatory local law requires otherwise, that law prevails to the extent of any conflict.