Legal · Overmainlab AI
Welcome to Overmainlab AI ("Overmainlab," "we," "our," or "us"). We are committed to protecting your privacy and handling your personal information with transparency, care, and respect. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at overmainlab.com, sign up for our waitlist, or otherwise interact with our services (collectively, the "Services").
This Privacy Policy applies to all users of our Services, regardless of location. It is designed to comply with applicable privacy laws and regulations, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the General Data Protection Regulation (GDPR) and UK GDPR, and other applicable US state privacy laws.
Please read this Privacy Policy carefully before using our Services. By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree with any part of this policy, please do not use our Services.
The short version: We collect minimal data — primarily your email address when you join our waitlist. We do not sell your personal information. Ever. We use reasonable security measures to protect what you share with us. You have meaningful rights over your data.
If you have any questions about this Privacy Policy or how we handle your information, please contact us at privacy@overmainlab.com before using our Services.
We collect several types of information in connection with the Services. The types and amount of information we collect depend on how you interact with us.
We collect information that you voluntarily provide to us when you:
When you visit our website, we and our service providers automatically collect certain technical information about your device and how you interact with our Services. This includes:
We may receive information about you from third parties, including:
We do not intentionally collect sensitive personal information such as government identification numbers, financial account information, health data, biometric data, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, or immigration status. Please do not submit such information through our Services.
We use the information we collect for the following purposes, each grounded in a lawful basis where required by applicable law:
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Waitlist registration and notifications | Performance of a contract / Consent |
| Responding to inquiries | Legitimate interests / Performance of a contract |
| Website analytics and improvement | Legitimate interests |
| Marketing communications | Consent |
| Security and fraud prevention | Legitimate interests / Legal obligation |
| Compliance with legal obligations | Legal obligation |
| Job applications | Performance of a contract / Legitimate interests |
Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests are not overridden by your privacy rights. You have the right to object to processing based on legitimate interests — see Section 7 for how to exercise this right.
We use cookies and similar tracking technologies to enhance your experience on our website, understand how you use our Services, and personalize content. This section explains what these technologies are and how we use them.
Cookies are small text files stored on your device (computer, smartphone, or tablet) when you visit a website. They allow websites to remember your preferences, understand how you navigate the site, and improve your experience over time. Cookies are widely used and do not typically contain personally identifiable information on their own.
| Category | Purpose | Examples |
|---|---|---|
| Essential / Strictly Necessary | Required for the website to function properly. These cannot be disabled without breaking core functionality. | Session management, security tokens, cookie consent preferences (oml_cookie_consent) |
| Analytics & Performance | Help us understand how visitors interact with our website, which pages are most visited, and where users encounter issues. | Google Analytics (_ga, _gid), page view tracking, scroll depth measurement |
| Functional | Enable enhanced functionality and personalization based on your preferences and interactions. | Language preference, regional settings, UI customization |
| Marketing & Targeting | Used to deliver relevant advertising and track the effectiveness of campaigns. Only active with your explicit consent. | Social media pixels, retargeting cookies |
In addition to cookies, we use browser local storage to save your cookie consent preference (oml_cookie_consent). This allows us to respect your choice across visits without setting an additional cookie.
You can manage your cookie preferences in the following ways:
For more detailed information about the specific cookies we use, please see our Cookie Policy.
We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes. Ever. We are committed to this principle and will not change it without providing you advance notice and, where required by law, obtaining your explicit consent.
We may share your information in the following limited circumstances:
We share personal information with trusted third-party service providers who perform services on our behalf and under our instructions. These companies are contractually obligated to use your information only as directed by us and in accordance with this Privacy Policy. Our service providers include:
If Overmainlab undergoes a merger, acquisition, reorganization, sale of assets, or bankruptcy proceedings, your personal information may be transferred as part of that transaction. We will notify you by email and/or a prominent notice on our website before your personal information is transferred and becomes subject to a different privacy policy. We will use commercially reasonable efforts to ensure that any acquiring party honors commitments made in this Privacy Policy.
We may disclose your personal information when we believe in good faith that disclosure is necessary to:
We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you. For example, we may publish aggregate statistics about how many people joined our waitlist in a given month, or share anonymized usage patterns with research partners. Such data is not personal information and is not subject to this Privacy Policy.
We may share your information for purposes not described in this Privacy Policy with your explicit consent. We will clearly describe the purpose and recipients before requesting such consent, and you will always be able to withdraw your consent.
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. The specific retention period depends on the type of information and why we collected it.
| Data Type | Retention Period | Rationale |
|---|---|---|
| Waitlist email addresses | Until product launch + 24 months, or until you unsubscribe | To notify you when the product launches; to send relevant communications with your consent |
| Contact form submissions | 3 years from last contact | To provide context for ongoing communications and resolve any disputes |
| Website analytics data | Up to 26 months (Google Analytics default) | To understand long-term usage trends and improve the site |
| Server log files | Up to 90 days | For security monitoring and debugging purposes |
| Job application data | Active candidates: until hired/declined; declined candidates: 2 years (with consent) | Legal compliance; future role matching with consent |
| Cookie consent records | Until you clear local storage or withdraw consent | To honor your stated preferences |
When personal information is no longer needed, we will either delete it securely or anonymize it so that it can no longer be linked to you. If you request deletion of your data, we will comply within the timeframes required by applicable law (typically 30–45 days), subject to any legal obligation we may have to retain certain information.
Please note that even if we delete your data from our active systems, residual copies may remain in backups for a period of time consistent with our backup and disaster recovery practices. Such copies will be deleted in the ordinary course of backup rotation.
Depending on where you live, you may have specific legal rights regarding your personal information. We are committed to honoring these rights regardless of your location, to the extent technically feasible.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
To exercise your California rights, please submit a request to privacy@overmainlab.com with "California Privacy Request" in the subject line. We will verify your identity before processing your request and respond within 45 days (with the possibility of a 45-day extension if necessary).
California residents may also submit a request through an authorized agent. If you use an authorized agent, we may require additional verification to confirm the authorization.
California "Shine the Light" Law: California Civil Code Section 1798.83 permits California residents to request information about how we share personal information with third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes without your consent.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR:
To exercise any of these rights, contact us at privacy@overmainlab.com. We will respond within 30 days. If we are unable to comply with your request, we will explain why.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the EEA, you can find your local supervisory authority at edpb.europa.eu. In the UK, the supervisory authority is the Information Commissioner's Office (ICO).
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy laws have similar rights to access, correct, delete, and opt out of certain uses of their personal data. We honor these rights regardless of your state. Please contact us at privacy@overmainlab.com to submit a request.
We take the security of your personal information seriously and implement a variety of technical, administrative, and physical safeguards designed to protect it from unauthorized access, use, disclosure, alteration, or destruction.
In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law. For GDPR purposes, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and we will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
While we strive to protect your personal information, no security system is impenetrable. We cannot guarantee the absolute security of our systems or the information you transmit to us. You should also take precautions to protect your own devices and accounts, such as using strong and unique passwords and keeping your software updated.
If you believe your personal information has been compromised or if you notice any unauthorized activity, please contact us immediately at privacy@overmainlab.com.
Our Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under the age of 13 has provided us with personal information without your consent, please contact us immediately at privacy@overmainlab.com.
Upon receiving such notice, we will take steps to delete the information from our systems as quickly as reasonably possible. We do not knowingly sell the personal information of minors under 16 years of age without affirmative authorization.
If you are between 13 and 17 years of age, we encourage you to review this Privacy Policy with a parent or guardian before using our Services. By using our Services, you represent that you are at least 13 years of age.
In jurisdictions where the age of digital consent is higher than 13 (for example, 16 in many EU member states), we will apply the higher age requirement when processing data of individuals in those jurisdictions. If you are aware that we have collected data from a child without appropriate consent, please notify us at privacy@overmainlab.com.
Overmainlab is based in San Francisco, California, United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
The United States and other countries may not provide the same level of data protection as your home country. However, we take steps to ensure that your information receives an adequate level of protection wherever it is processed.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, we rely on appropriate safeguards, including:
You may request a copy of the relevant transfer mechanisms by contacting us at privacy@overmainlab.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. When we make changes, we will:
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
If you disagree with any changes to this Privacy Policy, you should stop using our Services and may request deletion of your personal information by contacting us at privacy@overmainlab.com.
We will maintain an archive of prior versions of this Privacy Policy and make them available upon request.
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please do not hesitate to reach out to us. We take privacy inquiries seriously and will respond as promptly as possible.
Overmainlab AI — Privacy Team
Email: privacy@overmainlab.com
Address: Overmainlab AI, San Francisco, CA, United States
Website: overmainlab.com
For general inquiries not related to privacy, you may also reach us through our main contact page.
If you are a resident of the EEA or UK and wish to escalate a complaint that we have not resolved to your satisfaction, you have the right to lodge a complaint with your local supervisory authority. We would, however, appreciate the chance to address your concerns before you approach a supervisory authority — please contact us first and give us the opportunity to resolve your issue.
For GDPR purposes, Overmainlab AI acts as a data controller for the personal information described in this Privacy Policy. We do not currently have a formal EU or UK representative designated under Article 27 of the GDPR, as our current volume of EU/UK data processing does not require one, but we are committed to responding to all inquiries from EU and UK data subjects promptly and fully.
This Privacy Policy was last updated on March 12, 2026 and is effective as of that date.