Site: oaf.ai (the “Site”)

Operator/Data Controller: ESUS LLC (“we,” “us,” “our”)

Effective Date: January 4, 2026

Last Updated: January 4, 2026

This Privacy Policy explains how we handle information when you use our Site and related tools, content, and services (collectively, the “Services”).

Plain-English summary (high level):

We build mostly client-side tools and try to collect the least data possible. We host on Cloudflare (performance + security). We use Rybbit analytics with privacy-protective settings (no session replay; no web vitals; no error tracking; no URL parameter tracking; no fingerprinting; and salted user IDs that rotate daily). We do not embed Beehiiv. Newsletter links send you to Beehiiv (third-party). We may embed Youform forms, but we configure them so nothing is collected until you explicitly consent within the form’s first screen (consent gate). We may earn money via affiliate/referral links, which may involve third-party tracking on their sites after you click out.

1) Who We Are

Operator/Data Controller: ESUS LLC

Address: 5203 Juan Tabo Blvd STE 2B, Albuquerque, New Mexico 87111

Email: [email protected]

Privacy Contact: [email protected]

“Data Controller” means we decide why and how personal data is processed when you use our Site.

2) Information We Collect

Data minimization principle:

We design our Services to collect as little personal data as possible. The only personal data we purposefully collect is your email address & other details you provide when you voluntarily submit it through forms or contact us directly. Other data (analytics, security logs) is collected automatically by our infrastructure providers for site operation and security, as described below.

A) Information you provide to us

You may provide information when you:

email us or contact support (name, email, message content),
submit information into tools (depending on the tool),
submit a form (if we use Youform or another form provider),
make a purchase or sign up for a paid service (if offered in the future),
request a privacy rights action (verification details).

Sensitive data warning: Please do not submit sensitive or confidential information (passwords, payment cards, government IDs, medical records, confidential student records, etc.) unless you have authorization and accept the risks.

B) Information collected automatically (technical + security)

When you visit the Site, we and/or our infrastructure providers may process technical data such as:

IP address (and/or an approximation such as region/country),
device/browser type and settings,
pages requested, timestamps, referrer URLs,
security events (rate limiting, bot detection, abuse prevention).

This is typically necessary to deliver the Site securely and reliably.

C) Analytics data (Rybbit)

We use Rybbit to understand aggregate usage (e.g., page views, navigation patterns). We configure analytics to minimize data and tracking, including:

Session Replay: OFF
User ID salting: ON (with a daily rotating key)
Web vitals: OFF
Error tracking: OFF
Track URL parameters: OFF

We do not intend to identify you personally through analytics. Analytics is used to measure and improve the Site.

D) Forms (Youform, when used)

When we embed forms using Youform:

Before you consent:

The first screen is an explicit consent screen. Until you click “Agree” (or similar), no personal data is collected. You can close the form at any time without providing data.

After you consent:

Youform collects anonymous analytics (form view counts, completion counts)
Youform stores whatever information you provide in the form (typically your email address)
Youform uses local storage for form functionality (not for tracking)
No device fingerprinting is performed

Youform acts as our data processor and stores form submissions on our behalf. The email addresses you provide are subject to the retention periods in Section 8.

We do not embed Beehiiv on our Site. If you click “Subscribe,” you will be sent to Beehiiv (a third party). Beehiiv’s privacy policy and practices apply to subscription flow and newsletter emails.

F) Affiliate and Referral Links

Some links on our Site are affiliate or referral links. We may earn a commission if you make a purchase through these links, at no additional cost to you.

Data sharing: We do not share your personal data with affiliate partners. When you click an affiliate link, you leave our Site and the destination site may place cookies or pixels on your device for conversion attribution and analytics. This tracking occurs on the third party’s domain and is governed by their privacy policy, not ours.

We recommend reviewing the privacy policy of any site you visit through our links.

G) Summary: What Personal Data Do We Actually Collect?

The personal data we purposefully collect from you:

Email addresses (when you submit a form or email us)

Data automatically collected by infrastructure:

IP addresses and connection data (via Cloudflare, for security and site delivery)
Page view analytics (via Rybbit, anonymized with daily-rotating identifiers)
Technical data (browser type, device type, timestamps—standard web server data)

We do not:

Use device fingerprinting
Track you across other websites
Collect sensitive personal data (health, financial, etc.)
Sell your data to third parties

3) How We Use Information (Purposes)

We use information to:

operate, secure, and maintain the Services,
provide the tools and content you request,
prevent abuse, spam, and fraud,
understand usage to improve the Site (analytics),
respond to messages and support requests,
enforce our Terms and comply with legal obligations,
manage business operations (records, auditing, dispute handling).

For complete details on permitted and prohibited uses of our Services, account termination, and service availability, please review our Terms of Service.

4) Legal Bases (EEA/UK and similar jurisdictions)

If GDPR/UK GDPR or similar frameworks apply, we rely on one or more of the following legal bases for processing your personal data:

Processing Activity	Legal Basis	Purpose	Justification
Rybbit Analytics	Legitimate Interests	Measure site performance, identify technical issues, improve user experience	Our interest in website optimization outweighs minimal privacy intrusion (no personally identifiable data; daily rotation of salted IDs; no session replay or fingerprinting)
Youform (after consent gate)	Consent	Collect inquiry/contact data you voluntarily provide	Explicit consent via form’s first screen before any data collection
Cloudflare Security	Legitimate Interests	DDoS mitigation, abuse prevention, site reliability, security monitoring	Strong interest in site availability and security; users reasonably expect protection from attacks and abuse
Support emails	Consent & Legitimate Interests	Responding to user inquiries and support requests	You initiate contact; we have legitimate interest in responding
Security/abuse prevention	Legitimate Interests & Legal Obligation	Preventing fraud, spam, bot attacks; maintaining service integrity	Necessary to protect our services and other users; may be required by law

Where consent is required, you may withdraw it at any time (prospectively). To withdraw consent or object to processing based on legitimate interests, contact [email protected].

5) Cookies, Local Storage, and Similar Technologies

We aim to avoid cookies and minimize device identifiers. However:

Security and infrastructure services (including Cloudflare) may set cookies or use similar techniques that are strictly necessary for security, load balancing, or abuse prevention depending on configuration.
Youform (if embedded and after you consent) may use local storage and collect anonymous analytics related to the form.
Third parties (affiliate partners, Beehiiv, external destinations) may set cookies after you leave our Site.

Cookie/consent requirements vary by jurisdiction and by what technology is used. We attempt to design the Site to minimize the need for a cookie banner by:

using privacy-oriented analytics,
linking out to Beehiiv instead of embedding,
gating embedded forms behind explicit consent when used.

We do not promise that a cookie banner is never required in every jurisdiction or for every future feature.

We may share information:

with service providers that help operate the Site (hosting/security, analytics, forms),
if required by law, subpoena, or legal process,
to protect rights, safety, and security (fraud prevention, abuse investigation),
in connection with a business transaction (merger, acquisition, asset sale).

We may disclose information to enforce our Terms of Service, including investigation of potential violations or protection of legal rights.

We do not sell personal information for money in the traditional sense.

7) Third-Party Providers

We use third-party service providers to run parts of the Services. Their policies apply to their services.

Current Service Providers:

Cloudflare (infrastructure provider)

Cloudflare provides comprehensive infrastructure services for our Site, including:

Hosting and content delivery
DDoS protection and security (Web Application Firewall)
Bot detection and abuse prevention
Performance optimization
Analytics and monitoring

Because Cloudflare serves as our infrastructure layer, all visitor traffic passes through Cloudflare. This means Cloudflare processes:

All HTTP/HTTPS requests to our Site
IP addresses and connection data
Request patterns for security analysis
Performance and uptime metrics

Cloudflare acts as both:

A data processor (for services we direct them to perform), and
An independent data controller (for their own security intelligence and threat detection systems)

Review Cloudflare’s Privacy Policy at cloudflare.com/privacypolicy/ for their own data practices.

Rybbit (analytics)

Rybbit processes anonymized analytics data including page views, device type, geographic location (country-level), and referrer information. User IDs are salted with daily rotation. IP addresses are not stored.

Youform (forms, when used)

Youform acts as a data processor when you submit forms on our Site (after explicit consent). They store form submissions on our behalf.

Beehiiv (newsletter subscription and delivery; link-out only)

Beehiiv operates independently. When you click “Subscribe,” you are directed to their site and their privacy policy governs.

Data Processing Agreements

We have executed or agreed to Data Processing Agreements (DPAs) with our service providers that process personal data on our behalf, as required by GDPR Article 28. These agreements ensure our processors implement appropriate technical and organizational security measures and process data only on our documented instructions.

Our current processors and their DPA status:

Cloudflare: Standard Customer DPA applies to all accounts. Available at cloudflare.com/cloudflare-customer-dpa/
Rybbit: DPA incorporated into service agreement. Available at rybbit.com/dpa
Youform: DPA incorporated into Terms of Service. Reference at https://help.youform.com/p/z1GQmhd0076eOZ/Youform-Data-Processing-Agreement-DPA

8) Data Retention

We retain personal data only as long as necessary for the purposes described in this policy. Specific retention periods:

Data Type	Retention Period	Reason
Email addresses (form submissions)	12 months after last interaction	Customer support and communication
Rybbit analytics data	2 Years	Site improvement and performance monitoring
Cloudflare security logs	Per Cloudflare policy (typically 72 hours)	DDoS protection and abuse prevention
Support email correspondence	2 years after resolution	Legal compliance and dispute resolution
Deleted account data	30 days in backup systems, then purged	Recovery period for accidental deletions

After these periods, data is permanently deleted or anonymized. To request early deletion of your data, contact [email protected] with subject “DATA DELETION REQUEST.”

9) Security

Technical safeguards:

We implement industry-standard security measures including:

TLS/HTTPS encryption for all data in transit
Cloudflare’s DDoS protection and Web Application Firewall (WAF)
Access controls limiting who can view collected data
Regular security monitoring through Cloudflare’s threat intelligence

Organizational safeguards:

Data minimization (we only collect what’s needed)
Regular review of data retention and deletion practices
Documented Data Processing Agreements with all processors

Breach notification:

In the event of a data breach affecting personal data:

We will investigate and document the breach immediately
We will notify affected individuals without undue delay (target: within 30 days where possible)
For EEA/UK residents: We will notify the relevant supervisory authority within 72 hours of discovery if the breach poses risk to rights and freedoms
We will document all remediation measures taken

No system is perfectly secure. You use the Services at your own risk.

10) Your Rights and Choices

A) General rights requests

Depending on where you live, you may have rights to:

access, correction, deletion,
restriction or objection to processing,
data portability,
withdraw consent (where processing is based on consent).

To submit a request, email [email protected] with subject: PRIVACY REQUEST and include:

your country/state of residence,
the request type (access/delete/correct/etc.),
relevant details and identifiers (e.g., email used in a form).

We may request verification and may deny or limit requests where permitted by law (e.g., security, fraud prevention, legal obligations). We will respond within 30 days.

Note: Your rights under this Privacy Policy are separate from and in addition to any rights you may have under our Terms of Service. Exercising privacy rights does not affect your service access unless required by law.

If applicable, you may also lodge a complaint with your local supervisory authority.

C) California (CCPA/CPRA)

If applicable, California residents may have rights to know, delete, correct, and opt out of certain “sale” or “sharing” (as defined by law), and to limit use of sensitive personal information (where applicable).

At this time, we do not intend to use personal information for cross-context behavioral advertising on our Site. If we do, we will update this policy and provide required mechanisms.

D) Global Privacy Control (GPC)

If we engage in conduct covered by “sale/sharing” opt-outs, we will make commercially reasonable efforts to honor GPC where required.

11) International Transfers

We and our providers may process information in the United States and other countries. By using the Site, you understand that your data may be transferred internationally.

12) Children’s Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child provided information to us, contact [email protected] with subject: CHILD PRIVACY.

13) Changes to This Policy

We may update this Privacy Policy by posting a new version with a new “Last Updated” date. Your continued use of the Site after changes become effective means you accept the updated policy.

Changes to this Privacy Policy do not affect your agreement to our Terms of Service unless explicitly stated. Review our Terms of Service for information about service changes and your remedies.

14) Contact

General: [email protected]

Privacy: [email protected]

Legal: [email protected]

Privacy Policy