Obvious Privacy Policy

Information We Collect

Personal Information

• Account Information: Name, email address, username, and profile information
• Authentication Data: Login credentials, session tokens, and authentication records
• Usage Data: How you interact with our platform, features used, and activity patterns
• Communication Data: Messages, comments, and collaborative content within the platform
• Payment Information: If you purchase a paid plan, our payment processor (Stripe) collects billing details. We do not store full card numbers.

Content and Project Data

• Workspace Content: Documents, spreadsheets, presentations, images, and other artifacts you create or upload
• Project Data: File metadata, version history, sharing settings, and collaboration records
• Generated Content: AI-assisted content, analysis results, and system-generated insights

Technical Information

• Device Information: Browser type, operating system, device identifiers
• Log Data: IP addresses, access times, error logs, and system performance data
• Analytics Data: Feature usage, performance metrics, and aggregated usage statistics
• Cookies and Tracking Technologies: We use cookies, pixels, and similar technologies for analytics, advertising measurement, and platform functionality. See the Cookies and Tracking Technologies section and our Cookie Policy for details.

Information From Third Parties

Google Integrations. When you connect your Google account, we may access Google Calendar events, Gmail data, and Google Drive files — only to the extent you authorize and only to deliver the integration features you enable.

Single Sign-On. If you authenticate via Google or another SSO provider, we receive basic profile information (name, email, profile photo) from that provider.

Ad Platforms. When you interact with our advertising on Google, LinkedIn, Meta (Facebook/Instagram), Reddit, X (Twitter), or TikTok, those platforms may share conversion event data with us (e.g., that you signed up after seeing an ad). This data is used only to measure ad effectiveness.

CRM and Sales Tools. We use Attio as our CRM to manage customer relationships. Information you provide during signup or in communications with our team may be stored there.

How We Use Your Information

Core Platform Functions

• Provide and maintain the Obvious platform and its features
• Enable real-time collaboration and multi-user editing capabilities
• Process and store your workspace content and project data
• Facilitate AI-assisted content generation and data analysis

Service Enhancement

• Improve platform performance, reliability, and user experience
• Develop new features and capabilities based on usage patterns
• Provide customer support and respond to user inquiries
• Ensure platform security and prevent unauthorized access

Communication

• Send transactional emails related to your account and platform usage
• Notify you of important platform updates or security information
• Respond to your requests, questions, and feedback

Advertising Measurement

• Track whether users who saw our ads on Google, Meta, LinkedIn, Reddit, X, or TikTok subsequently signed up or took other meaningful actions on our site
• We share conversion signals with advertising platforms so they can attribute campaign performance — we do not sell this data to those platforms

Legal Compliance

• Respond to lawful requests from authorities
• Enforce our Terms of Service
• Protect the rights and safety of users and third parties

Legal Basis (GDPR)

For users in the European Economic Area and United Kingdom, we process personal data on the following legal bases: performance of a contract (delivering platform services), legitimate interests (analytics, security, product improvement), consent (advertising cookies, marketing emails), and legal obligation (regulatory compliance). You may withdraw consent at any time without affecting prior processing.

Cookies and Tracking Technologies

We use cookies and similar technologies on obvious.ai and app.obvious.ai. A full list of services, the data they collect, and their purposes is available in our Cookie Policy.

Categories of cookies we use:

Analytics: We use Google Analytics 4 and Fathom Analytics to understand how visitors use our site. Google Analytics uses cookies and collects identifiers to measure traffic and behavior. Fathom is cookieless and collects no personally identifiable information.

Advertising tracking scope: The signup form page itself is not instrumented with advertising tags. Within the logged-in product (app.obvious.ai), advertising-related tracking is intentionally minimized — marketing and advertising tags do not run on general product pages and are limited to the post-signup onboarding confirmation page for conversion measurement only.

You can manage your cookie preferences at any time using the Cookie Preferences link in the footer of our site or by visiting obvious.ai/cookies.

Google API Services Data Usage

Obvious integrates with Google API Services to enhance collaboration and productivity within our platform. This section describes how we access, use, store, share, and protect Google user data in compliance with the Google API Services User Data Policy.

Data Accessed from Google Services

When you connect your Google account to Obvious, we may access the following types of Google user data, depending on the specific integrations you enable:

Google Calendar:

• Calendar events (title, description, date, time, location, attendees)
• Calendar metadata (calendar names, IDs, settings)
• Event creation, modification, and deletion capabilities

Gmail:

• Email messages (subject, body, sender, recipients, timestamps)
• Email metadata (folders, labels, read/unread status)
• Draft creation and management
• Email sending capabilities

Google Drive:

• File metadata (names, types, sizes, modification dates)
• File content for documents, spreadsheets, and presentations
• Folder structure and sharing permissions

How We Use Google User Data

We use Google user data exclusively to provide and enhance the functionality you request within the Obvious platform:

Calendar Integration:

• Display your calendar events within Obvious workspaces
• Create, update, and delete calendar events from within Obvious
• Analyze scheduling patterns to suggest optimal meeting times
• Sync calendar data with project timelines and task management features

Email Integration:

• Access and display email messages within Obvious projects
• Send emails directly from the Obvious platform
• Create and manage email drafts
• Thread email conversations with project context
• Extract actionable items from email content using AI assistance

AI-Powered Features:

• Email summarization and key point extraction
• Calendar event suggestions and scheduling optimization
• Automated task creation from email content
• Meeting notes and action item generation

Important Limitations:

• We only access Google data that you explicitly authorize through OAuth consent screens
• We never access Google data without your explicit permission
• You can revoke access at any time through your Google Account settings

Sharing of Google User Data

When you use AI-powered features on Google user data, we may share limited, contextually relevant portions of that data with our AI service providers (Anthropic, OpenAI, Google Gemini, AWS Bedrock) solely to generate summaries, perform natural language processing, and provide intelligent suggestions. Only the minimum necessary data is shared, AI processors are contractually prohibited from using your data to train their models, and data is processed ephemerally. We do not sell, rent, or share your Google user data with third parties for their own marketing or commercial purposes.

Storage and Protection of Google User Data

• Google user data is stored in our secure AWS infrastructure with encryption at rest
• Calendar and email data are cached temporarily (up to 24 hours) to improve performance
• Long-term storage occurs only for data you explicitly save to Obvious projects
• All access requires authentication and authorization; data transmission uses TLS 1.2+ encryption
• We request only the minimum Google API scopes necessary for functionality

Retention and Deletion of Google User Data

• Cached Data: Automatically deleted after 24–48 hours
• Project-Saved Data: Retained as long as you maintain it in your Obvious projects
• Deleted Projects: Google user data within deleted projects is permanently removed within 30 days
• Account Deletion: All Google user data is deleted within 30 days of account closure

You can delete your Google user data from Obvious at any time by disconnecting the Google integration (Settings → Integrations → Google → Disconnect), deleting specific projects, or requesting full account deletion at compliance@obvious.ai. You can also revoke access through your Google Account Permissions Page.

Compliance with Google API Services User Data Policy

Obvious’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide or improve user-facing features prominent in the application’s user interface
• We do not transfer Google user data to third parties except as necessary to provide features, comply with law, or as part of a merger (with user notice)
• We do not use Google user data for serving advertisements
• We do not allow humans to read Google user data unless we have your explicit consent, it is necessary for security purposes, required by law, or the data has been aggregated and anonymized

How We Share Your Information

Service Providers. We share personal data with vendors who help us operate the platform and market our services. These providers are contractually bound to use data only as directed by us. See the Third-Party Data Processors section below for the full list.

Business Transfers. If Obvious is acquired, merges with another company, or transfers substantially all of its assets, your information may transfer to the acquiring entity. We will notify you before your data becomes subject to a materially different privacy policy.

Legal Requirements. We may disclose information when required by law, subpoena, or government request, or to protect our legal rights, prevent fraud, or address safety issues.

With Your Consent. We may share your information for other purposes with your explicit permission.

We do not sell personal information to third parties. We do not share personal information with third parties for their own marketing purposes.

Data Processing Architecture

Obvious operates through a distributed architecture that processes data across multiple components:

Internal Processing

• Artifact Management System: Manages documents, workbooks, presentations, and files
• Real-Time Collaboration Engine: Handles concurrent editing and version control
• Data Processing Engine: Performs SQL queries, JavaScript transformations, and Python analysis
• AI Orchestration Layer: Coordinates AI-powered features and content generation

Data Storage

• Platform Database: Stores user accounts, project metadata, and application state
• File Storage & CDN: Hosts user uploads, generated artifacts, and static assets
• Caching Layer: Temporarily stores frequently accessed data for performance optimization

Third-Party Data Processors (Subprocessors)

To provide our services, we work with carefully selected third-party processors. Each processes data only as necessary to deliver specific functionality:

AI and Machine Learning Services

Infrastructure and Hosting Services

• AWS — Serverless compute and scalable object storage
• Render Redis (Valkey) — In-memory data store for caching and real-time features
• Inngest — Event-driven serverless functions
• Google BigQuery — Serverless data warehouse for analytics
• Framer — Website hosting and content delivery for obvious.ai

Additional Services

• E2B — Cloud sandboxes and code execution environments
• Browserless — Headless browser automation
• Firecrawl — Web scraping and content extraction
• Exa — AI-powered search functionality
• PostHog — Product analytics and session replay
• BetterStack — Logging and monitoring
• Resend — Transactional email services
• Braintrust — LLM evaluation, monitoring, and experimentation

Analytics and Advertising Services

CRM, Marketing, and Operations Services

Data Security and Protection

• Encryption in Transit: All data transmission uses TLS/HTTPS encryption
• Encryption at Rest: Sensitive data stored with industry-standard encryption
• Access Controls: Role-based permissions and authentication systems
• Data Isolation: Project data isolated between different user sessions
• Regular Security Audits: Ongoing security assessments and vulnerability testing

We maintain comprehensive incident response procedures to address any potential data breaches or security issues promptly and transparently. Only necessary data is sent to third-party processors, and user data is processed separately and securely for specified, legitimate purposes only.

Your Rights and Choices

Access and Control

• Data Access: Request copies of your personal information and platform content
• Data Correction: Update or correct inaccurate personal information
• Data Deletion: Request deletion of your account and associated data (including Google user data)
• Data Portability: Export your workspace content and project data

Privacy Settings

• Sharing Controls: Manage who can access your projects and workspaces
• Collaboration Settings: Control real-time editing and commenting permissions
• Notification Preferences: Customize email and platform notifications
• Integration Management: Connect or disconnect third-party services (including Google)
• Cookie Preferences: Manage your cookie preferences at any time using the Cookie Preferences link in the footer of our site or by visiting obvious.ai/cookies

Opt-Out Options

• Analytics: Opt out of non-essential analytics and usage tracking
• AI Features: Disable AI-powered features and content generation
• Marketing Communications: Unsubscribe from promotional emails
• Advertising Tracking: Opt out of advertising measurement cookies via your cookie preferences or by clicking “Do Not Sell or Share My Personal Information” in our website footer

EEA and UK Residents (GDPR)

You have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing based on legitimate interests. To exercise these rights, email compliance@obvious.ai. You also have the right to lodge a complaint with your local supervisory authority.

Data Retention

• Account Information: Retained while your account is active
• Workspace Content: Retained according to your workspace settings and usage
• Activity Logs: Retained for operational purposes and security monitoring (typically 90 days)
• Google User Data: Cached temporarily (24–48 hours) or retained in projects you create
• Marketing and Analytics Data: Retained per each provider’s retention policies, typically 12–26 months

Upon account deletion, personal information and all user data (including Google user data) is deleted within 30 days. Backup data is removed from backup systems within 90 days. Cached Google data is purged within 24 hours of disconnecting the integration.

International Data Transfers

Obvious and our third-party processors may transfer and process data internationally. We ensure appropriate safeguards are in place for international transfers, including:

• Adequacy Decisions: Transfers to countries with adequate data protection laws
• Standard Contractual Clauses: EU-approved contractual protections for data transfers
• Processor Agreements: Binding agreements with all third-party processors

Obvious is based in the United States. If you access our platform from outside the US, your information may be transferred to and processed in the United States. For transfers from the EEA or UK, we rely on Standard Contractual Clauses approved by the European Commission as the transfer mechanism. We require all third-party processors to maintain equivalent safeguards.

Children’s Privacy

Obvious is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly. Contact compliance@obvious.ai if you believe a child has provided us with personal data.

California Privacy Notice

This section applies to California residents and supplements the information above. It is also our Notice at Collection as required by the California Consumer Privacy Act.

Categories of Personal Information We Collect

At or before the point of collection, we disclose the following:

We do not collect Social Security numbers, financial account numbers, precise geolocation, biometric data, health data, or communications content for our own purposes.

Sources of Personal Information

We collect personal information directly from you, automatically through your use of the platform, and from third-party advertising and analytics platforms as described in the Information We Collect section.

Sharing and “Sale” of Personal Information

We do not “sell” personal information as that term is traditionally understood. We do share certain identifiers (cookie IDs, IP addresses) with advertising platforms (Google, Meta, LinkedIn, Reddit, X, TikTok) to measure ad performance. Under the CCPA’s broad definition, this may constitute a “sale” or “sharing” for cross-context behavioral advertising. You have the right to opt out.

To opt out of the sale or sharing of your personal information for advertising purposes: Click “Do Not Sell or Share My Personal Information” in our website footer, or email compliance@obvious.ai with “CCPA Opt-Out” in the subject line.

Your California Privacy Rights

• Know what personal information we collect, use, disclose, or sell.
• Delete personal information we hold about you (subject to certain exceptions).
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information for cross-context behavioral advertising.
• Limit use of sensitive personal information to necessary purposes.
• Non-discrimination — we will not deny services or charge different prices because you exercised your privacy rights.

To exercise your rights: Email compliance@obvious.ai with your request. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice).

Authorized agents: California residents may designate an authorized agent to submit requests on their behalf by emailing compliance@obvious.ai.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. We will notify users of material changes through:

• Email Notifications: Direct notification to your registered email address
• Platform Announcements: In-app notifications and announcements
• Website Updates: Updated policy posted on our website with revision date

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at compliance@obvious.ai. For specific requests regarding your personal information, Google user data, or to exercise your privacy rights, please contact us directly using the email above.

Mailing address:

Flatfile, Inc. d.b.a. Obvious
8735 Dunwoody Place #5007
Atlanta, GA 30350
USA