Legal

Privacy

Last updated: May 28, 2026.

This is a plain-language summary of how ValidationOS handles data. It is provided to help you understand the product and is not formal legal advice. If you need a legally reviewed privacy policy for your own organization, consult a qualified attorney.

Data you enter

ValidationOS stores the content you create inside your workspace — ideas, problem statements, hypotheses, notes, research summaries, decision memos, MVP scopes, sprint plans, pricing tests, founder briefs, and any other artifacts the app produces from your inputs.

Prospect and contact data

You may add prospect records that include names, roles, company information, public profile URLs, and notes. You may also import contact lists you have collected yourself. You are responsible for having a lawful basis to store and use this information, including compliance with applicable privacy laws (e.g. GDPR, CCPA) in your jurisdiction and your prospects' jurisdictions. ValidationOS treats prospect data as confidential workspace content.

Public website source data

When you trigger a research or prospect-discovery action, the app may fetch publicly available web pages on your behalf. Fetches respect each site's robots.txt. The retrieved text, along with the URL and basic metadata, is stored in your workspace so you can review the evidence behind each generated artifact.

AI processing

Generation, analysis, scoring, and summarization actions send the relevant prompt content to OpenAI's API for processing. That content can include your idea text, research excerpts, prospect notes, and prior generated artifacts. OpenAI processes the request under its own data policies; refer to OpenAI's documentation for retention and usage details. ValidationOS does not train a shared model on your workspace content.

API keys and secrets

OpenAI keys, search-provider keys, and database credentials are configured via server-side environment variables on the host running ValidationOS. They are never exposed to the browser, embedded in client-side bundles, or returned in API responses. If you self-host, keep your .env out of version control.

Account and sessions

Account records store your email address and a salted, scrypt-hashed password. Sign-in creates a server-side session row and an opaque, httpOnly session cookie. We do not use third-party analytics or advertising cookies.

Data deletion requests

You can delete individual ideas, prospects, sources, and other records from inside the app. For full account deletion or to request removal of specific data outside the app's UI, contact support@validate-os.com. Deletion requests are honored on a best-effort basis subject to any legal retention obligations.

No sale of personal data

ValidationOS does not sell personal data to third parties and does not share it with advertisers.

Contact

Privacy questions can be sent to support@validate-os.com.
