Privacy Policy

Politique de confidentialité

Effective · 1 January 2026

What we collect

Across the public marketing properties of the Osage ecosystem we collect the minimum information necessary to deliver the page and to keep the systems running. This is a small set, held briefly, and deliberately not sold.

• Server logs. Standard request logs (IP, user agent, requested path, response code, timestamp), retained 30 days for operational debugging and abuse mitigation, then deleted.
• Cookies. No first-party tracking cookies. No third-party advertising trackers. The only cookies set are session cookies required for signed-in surfaces (osage.id, iam.osage.id) and the standing CSRF token for those surfaces.
• Account data. If you register an Osage ID, we collect the data you provide (display name, email, contact details, jurisdiction tag, two-factor enrolment). This is held in Hanzo IAM and Hanzo KMS under standing controls.
• Form submissions. If you contact us by email or by a form on the Properties, the message and your reply address are held in the relevant inbox for the duration of the conversation plus one year.

What we do not collect

• Browsing behaviour across third-party sites.
• Cross-site tracking identifiers.
• Advertising or marketing-attribution identifiers.
• Biometric data, beyond a hash of a device-bound WebAuthn key if you choose to register one for two-factor.
• Children’s data — the Properties are not directed at children under 13 and we do not knowingly collect data from them.

How we use what we collect

• To deliver the requested page and keep the systems available.
• To respond to your correspondence.
• To prevent abuse (rate-limiting, denial-of-service mitigation).
• To meet legal obligations where they exist.

How we do not use what we collect

• We do not sell, share, or rent your data.
• We do not use your data to train machine-learning models.
• We do not show advertisements, anywhere, ever.

Sharing

Operational data is shared only with the providers required to deliver the service: Cloudflare (CDN, DNS, edge compute); Hanzo PaaS, Hanzo IAM, Hanzo KMS (the operating stack); GitHub Actions (CI/CD for the static sites). All providers are bound by data-processing agreements requiring at least the standards described here.

Retention

• Server logs: 30 days.
• Email correspondence: duration of conversation + 1 year.
• Account data: for as long as the account exists; deleted within 30 days of account closure on request.

Your rights

You may request a copy of the data we hold about you, ask for it to be corrected, or ask for it to be deleted. Requests served within 30 days under the standing data-export and account-closure policy. Residents of California, the European Economic Area, the United Kingdom, and other jurisdictions with specific data-protection statutes retain whatever additional rights those statutes provide.

International transfers

Where data is processed outside the jurisdiction it was collected in (e.g., U.S. processing for non-U.S. residents), we rely on standard contractual clauses and on the appropriate transfer mechanism for the destination jurisdiction.

Children

The Properties are not directed at children under 13. If we learn that data has been collected from a child under 13 without parental consent, we delete it.

Sovereignty & ceremonial protocol

Sacred materials of the Osage Nation or any allied tribal nation disclosed to us are held in confidence in perpetuity, without exception, and are never processed for any purpose other than the original disclosure’s scope.

Contact

Data-protection inquiries and rights requests: [email protected]. Children-related concerns: [email protected].

Changes

Material changes to this policy are announced through /press. The effective date above reflects the most recent change.