← Trust Center

Trust Center · Privacy Policy

Privacy Policy

How OpenSource Technologies collects, uses, stores, and shares information across our website, our delivered software, and our client engagements. Specifics determined per engagement.

Last reviewed: TBD · Pending legal review · OpenSource Technologies, Inc., a Pennsylvania corporation

Draft notice. This document is a structural draft pending legal review. The framework, sections, and OST's general approach are accurate. Specifics (jurisdictions, regulators, exact data-handling language, legal definitions, governing law) are determined per engagement and reviewed by counsel before any production deployment. Use the contact form for engagement-specific compliance questions.

In this document

Section 01

Information we collect

OST collects information across two contexts: information collected through this website (ost.agency), and information OST handles inside the software we build and operate for clients.

Website information

When you visit ost.agency, we may collect:

  • Information you provide directly: Name, email, company, role, and message text when you contact us, request a discovery call, or submit an RFP.
  • Information collected automatically: Pages visited, time on page, browser and device characteristics, referring URL, and approximate location (derived from IP).
  • Cookie information: See our Cookie Policy for the categories of cookies in use.

Engagement information

When OST builds or operates software on your behalf, we may handle information your platform processes (customer data, usage data, transactional data, content data). The specific scope of that handling is determined by your contract and the data-processing agreement (DPA) in place.

Specific information categories, purposes, and scope are determined per engagement. The DPA governing your engagement is the authoritative document.

Section 02

How we use information

OST uses information for the purposes you would expect a custom software firm to use it:

  • Responding to inquiries: Replying to discovery-call requests, RFP submissions, and contact form messages.
  • Operating our website: Analytics, performance monitoring, fraud and abuse prevention.
  • Engagement delivery: Building, deploying, and operating the software we deliver to clients, in accordance with the engagement contract.
  • Compliance: Meeting legal, regulatory, and audit obligations applicable to our business and our engagements.
  • Communication: Sending engagement updates, security notices, and contractually required notifications.

OST does not use client engagement data to train general-purpose AI models, sell to third parties, or for advertising. See our AI Policy for detail on how we handle data inside AI features.

Section 03

How we share information

OST shares information narrowly and only as needed to deliver engagements or comply with law:

  • Subprocessors: Cloud hosting (e.g., AWS), email delivery, monitoring, and other infrastructure providers we rely on. See our Sub-processors list.
  • Client-directed sharing: When your engagement contract directs OST to integrate with or share data through specific third-party platforms.
  • Legal compliance: When required by law, regulation, court order, or government request, with reasonable challenge of overbroad requests.
  • Business transfer: In the event of a merger, acquisition, or asset sale, as described in the contract terms.

OST does not sell personal information. OST does not share personal information for advertising purposes.

Section 04

How we store and secure information

OST applies layered security across infrastructure, application, and operational dimensions. See our Security page for the full posture.

Key practices:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) for stored data
  • Role-based access control with audit logging
  • Data residency configurable per engagement (US, EU, other regions on request)
  • Retention periods determined by contract and legal obligation, with secure deletion at end-of-retention
  • Incident response procedures with notification per contractual and legal requirements

Section 05

Your rights

Your rights depend on your jurisdiction and the relationship you have with OST.

Under California law (CCPA / CPRA)

California residents have the right to:

  • Know what personal information OST collects, uses, and shares
  • Delete personal information OST holds about you
  • Correct inaccurate personal information
  • Opt out of "sales" and "sharing" (OST does neither, but the right exists)
  • Limit use of sensitive personal information
  • Non-discrimination for exercising rights

Under European law (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights including: access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent. For engagement-handled data, the controller is your contract counterparty; OST acts as processor under our DPA.

Under other state laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other US states with privacy laws have rights similar to those above, scoped per state. OST processes requests according to the law applicable to the requester.

To exercise rights, contact contact form (Privacy or data subject rights request).

Section 06

Children's privacy

OST's website is not directed to children under 13, and OST does not knowingly collect personal information from children under 13 through ost.agency.

For client engagements involving platforms that knowingly serve users under 13 (for example, K-12 education platforms): COPPA (Children's Online Privacy Protection Act) compliance is implemented per engagement, with parental consent flows, data minimization, and the additional protections that COPPA requires. The engagement contract and DPA govern the specifics.

Section 07

International data transfers

OST is headquartered in Pennsylvania, USA, and operates engagements globally. Information may be transferred to, processed in, and stored in the United States and other countries.

For data transfers from the EEA, UK, or Switzerland, OST relies on Standard Contractual Clauses (SCCs) where applicable. Specific transfer mechanisms for your engagement are documented in your DPA.

Section 08

Changes to this policy

OST may update this Privacy Policy. The "Last reviewed" date at the top of this page reflects the most recent revision. Material changes will be communicated through the website or, for active client engagements, directly through your engagement contact.

Older versions of this policy are available on request from the contact form (Privacy or data subject rights request).

Section 09

Contact us

For privacy-related questions, requests, or concerns, use the contact form and select "Privacy or data subject rights request" in the conversation type dropdown.

OpenSource Technologies, Inc. is a Pennsylvania corporation. Mailing address: 650 N Cannon Ave #229, Lansdale, PA 19446, USA.

For supervisory authority complaints in the EEA / UK, you have the right to lodge a complaint with your local data protection authority. OST will work in good faith to resolve concerns directly first.

Questions about this privacy policy?

Reach out to OST's compliance contact for engagement-specific questions or to request the version that will apply to your contract.

Contact compliance team Back to Trust Center
Ask AI