Privacy
ony.ai is open-core and self-hostable. When you self-host, your data lives entirely in your own database and never reaches us. This page describes the hosted service and the software's behavior in plain language.
Version 1, July 2026
The ony.ai software is open source under AGPL-3.0. If you run it yourself, every piece of data described below lives in infrastructure you control and never transits ony.ai. The hosted service runs the same software on our infrastructure; this policy describes both, and calls out any difference.
The system of record is a Postgres database. It holds:
| Organizations and users | Email, name, hashed password (PBKDF2, never plaintext), role, and timezone. |
|---|---|
| Phone number | Used to place calls and send SMS. Masked in logs and in the team view. |
| Linked chat IDs | Telegram or Slack IDs, only to route escalation approvals to you. |
| Authenticator secrets | TOTP secrets, encrypted at rest. |
| Handoffs | The action type, server-derived risk, a short title and summary, options, and your decision. |
| Attached payload | A diff, log, or command an agent attaches. Sensitive, shown only in the authenticated dashboard, and scrubbed by retention. |
| Audit chain | Who decided what, and when. Append-only and tamper-evident. |
Ephemeral coordination state (rate-limit windows, in-flight call state) lives in Redis or in memory and is not a system of record.
Ony talks only to the providers you configure. Nothing else receives your data.
No analytics or telemetry is sent anywhere. The internal metrics endpoint carries closed-enum labels only and contains no personal data.
Every data path is scoped to your organization. Cross-tenant reads are impossible by construction and covered by tests. Roles (admin, member, viewer) gate what a member can do within their own organization.
Questions about this policy or a data request: [email protected]. Security issues: [email protected]. The full technical reference lives in thedata-handling documentation. This is a version 1 policy for a pre-release product and may change as the hosted service opens; we will date any revision here.