Privacy Policy
Last updated 18 June 2026
This Privacy Policy explains how Overturo, the trust conductor — a personal data platform that orchestrates trust between people, organizations, and their data — collects, uses, and protects your personal data, and the choices and rights you have. Overturo is built so that your data stays in your home region; this policy describes how we honor that. Please read it alongside our Terms of Service.
1. Who we are
In your region, Overturo is provided and your personal data is controlled by OmVi Labs Inc, which acts as the data controller for your account. We process personal data under US state & sectoral privacy law (incl. CCPA/CPRA) and the applicable laws of Delaware, United States. You can reach us about privacy at [email protected].
2. The data we collect
We collect: account and identity information you provide (such as your name, email, and sign-in credentials); the consent decisions, approvals, and agreements you make, and the records of them; information you exchange with organizations you connect to, at your direction; and limited technical and usage data (such as device and log information) needed to operate and secure the service. We collect only what we need to run Overturo for you.
3. How we use your data
We use your data to provide and operate Overturo: to authenticate you securely, carry out the consent decisions and agreements you make, record them in a tamper-evident trail you can review, keep the service secure and reliable, comply with our legal obligations, and communicate with you about the service. We do not sell your personal data, and we do not use it to build advertising profiles.
4. Our legal bases
Where US state & sectoral privacy law (incl. CCPA/CPRA) applies, we rely on the following legal bases: performance of our contract with you (to provide the service you request); your consent (which you can withdraw at any time, without affecting prior processing); our legitimate interests (such as securing the service and preventing abuse, balanced against your rights); and compliance with legal obligations. Where we rely on consent, you remain in control and can change your mind.
5. Where your data lives
Your personal data is stored and processed in United States — your home region — and is governed by US state & sectoral privacy law (incl. CCPA/CPRA). Data residency is preserved by design: your account and data are not centralized or moved out of your region to make the service work. See our Trust Center for residency details and proof.
6. Cross-region access without cross-region transfer
When you sign in to Overturo while visiting another region, your data does not travel with you. Only a minimized, verifiable token — enough to recognize you — is exchanged; your profile and the rest of your personal data stay in your home region. Where any limited transfer is unavoidable, we rely on appropriate safeguards required by applicable law.
7. When we share data
We share your data only: with the organizations you choose to connect to, and strictly as you direct through your consent decisions and agreements; with service providers who process data on our behalf under contract (listed in our Trust Center); and where required by law or to protect rights, safety, and the integrity of the service. We never sell your personal data.
8. How we protect your data
We protect your data with encryption in transit and at rest, secure sign-in methods such as passkeys and two-factor authentication, and strict access controls. Your consent decisions and agreements are recorded with cryptographic signatures in a tamper-evident audit trail, so they can be verified and cannot be altered after the fact. No system is perfectly secure, but we work continuously to safeguard your data and will notify you of a breach where the law requires.
9. How long we keep it
We keep personal data only as long as needed to provide the service, comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements. Some records — such as consent and agreement history — are retained for evidentiary and compliance purposes. You can export your data at any time, and you can ask us to delete it, subject to obligations that require us to retain certain records.
10. Your rights
Subject to US state & sectoral privacy law (incl. CCPA/CPRA), you have rights over your personal data — which may include the right to access, correct, delete, restrict, or object to processing, to data portability, and to withdraw consent. Overturo is built to make these rights usable: you keep the rights you keep over your data, and can review, export, and revoke from your account. To exercise a right, contact us at [email protected]. You also have the right to lodge a complaint with your local data-protection authority.
11. Cookies and similar technologies
We use essential cookies and similar technologies to keep you signed in, remember your preferences, and keep the service secure. We do not use third-party advertising or cross-site tracking cookies. You can control non-essential cookies through your browser and, where required, through an in-product choice.
12. Automated agents and decisions
Overturo lets you authorize automated agents to act on your behalf within limits you set, and to seek your approval for actions that cross those limits. You stay in control: every authorization is recorded, reviewable, and revocable. We do not make decisions producing legal or similarly significant effects about you by solely automated means without a lawful basis and the safeguards the law requires.
13. Children
Overturo is not directed to children. We do not knowingly collect personal data from children below the age of digital consent in their jurisdiction. Where Overturo is used by an institution to manage consent involving minors, the institution acts as controller for that data and is responsible for the appropriate parental or guardian consent.
14. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will give notice — for example, by email or within the product — before they take effect. We encourage you to review this policy periodically.
15. Contact us
Questions about this policy or your personal data? Contact us at [email protected]. If you are in a region that requires it, you can also contact your local data-protection authority.
Meeting Consent Addendum
This addendum describes data practices specific to the Overturo for Meetings integration with video conferencing platforms (Zoom, Microsoft Teams, Google Meet).
Data We Collect via Meeting Integrations
When a meeting host connects their video conferencing account to Overturo, we collect:
- Account identity: Your email address and display name from the connected platform, used to identify your account in the Overturo dashboard.
- Meeting metadata: Meeting title, scheduled time, meeting ID, and recurring series identifiers. This information is used to create consent flows that reference the correct meeting context.
- Participant consent decisions: When meeting participants interact with a consent flow, we record their consent decisions (accept, decline, or partial consent) for each stated purpose.
- Participant identity (optional): Participants may optionally authenticate during the consent flow. If they do, we associate their email address with their consent record.
Data We Do Not Collect
Overturo does not access, collect, store, or process:
- Meeting audio or video content
- Meeting recordings or transcripts
- Chat messages sent during meetings
- Screen sharing content
- Meeting passwords or host keys
How We Use Meeting Data
- Consent flow creation: Meeting metadata is used to generate consent flows that participants see before or during the meeting.
- Real-time dashboard: Meeting hosts see a live view of which participants have consented and to what purposes.
- Standing mandates: If a participant opts in, their consent decisions may apply to future meetings in the same series, reducing repeated consent prompts.
- Compliance records: Consent decisions are recorded with cryptographic signatures and tamper-evident audit trails for regulatory compliance (GDPR, CCPA, BIPA, EU AI Act).
Data Retention
Consent records are retained for the duration configured by the meeting host's account (default: 7 years, to meet common regulatory retention requirements). Meeting hosts can delete individual consent records at any time. Access tokens are deleted immediately when a user disconnects their video conferencing account.
Disconnecting Your Account
You can disconnect your video conferencing account from Overturo at any time via the Zoom integration settings page or by revoking access from your Zoom account settings. Disconnecting removes all stored access tokens. Existing consent records are retained as independent legal records per your account's retention policy.
Participant Rights
Meeting participants who have interacted with an Overturo consent flow can exercise their data rights (access, rectification, erasure, portability) by contacting the meeting host or by submitting a request to [email protected].