Privacy Policy

Last updated: April 13, 2026

This policy applies globally. Additional rights for residents of the European Union / EEA, California (USA), Brazil, and China are described in dedicated sections below.

1. Introduction

OasisBio ("we", "our", or "us") is operated by Oasis Company (ceaserzhao). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at oasisbio.oasiscompany.org and any related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information you provide directly

  • Email address (used for passwordless authentication)
  • Display name and username
  • Profile information (bio, website, avatar image)
  • Character content you create (OasisBio profiles, DCOS documents, world settings, abilities, references)
  • 3D model files you upload
  • Support communications you send to us

2.2 Information collected automatically

  • Authentication session tokens (stored in cookies — strictly necessary)
  • Server logs: IP address, request timestamps, HTTP method and path — retained for up to 30 days for security and debugging
  • Export history (file name, size, character count)
  • Audit logs of significant actions (publish/unpublish) — retained for 12 months

2.3 Information from OAuth integrations

If you authorize a third-party application via "Continue with Oasis", we record which application was authorized, the granted scopes, and token metadata. We do not share your data with third-party apps beyond what you explicitly authorize on the consent screen.

2.4 Information we do NOT collect

  • Passwords (we use passwordless OTP authentication)
  • Payment information (the Service is currently free)
  • Precise geolocation
  • Device fingerprints or advertising identifiers
  • Behavioral tracking across third-party websites

3. Legal Basis for Processing

We process your personal data on the following legal bases (applicable under GDPR, LGPD, and similar frameworks):

  • Contract performance: Providing the Service, authentication, storing your content, enabling OAuth
  • Legitimate interests: Security monitoring, fraud prevention, server logs, audit trails
  • Legal obligation: Responding to lawful requests from authorities
  • Consent: Any processing not covered above (we will ask explicitly)

4. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To authenticate you and manage your account
  • To store and display the content you create
  • To enable the OAuth provider feature ("Continue with Oasis")
  • To respond to your support requests
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations

We do not sell your personal data. We do not use your content for advertising. We do not train AI models on your private content.

5. Data Storage and Third-Party Processors

Your data is processed by the following sub-processors. All are bound by data processing agreements and appropriate safeguards for international data transfers:

Database (PostgreSQL), authentication, image storage · USA (AWS)

Transfer safeguard: Standard Contractual Clauses (SCCs)

3D model storage (R2), CDN, Pages hosting · Global CDN

Transfer safeguard: SCCs + Cloudflare DPA

Data may be stored on servers located outside your country of residence. We ensure appropriate safeguards are in place for all international transfers.

6. Cookies and Session Storage

Authentication cookies · Strictly necessary

Maintain your login session (set by Supabase Auth). Cannot be disabled.

Session storage · Functional

Temporary PKCE code verifier during OAuth flows. Cleared when you close the tab.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies.

7. Public Content

Content you set to "public" (OasisBio profiles, worlds) is accessible to anyone on the internet, including search engines. You can change visibility to "private" at any time from your dashboard. Making content private does not guarantee immediate removal from search engine caches.

8. Your Rights

Regardless of your location, you have the right to:

  • Access — request a copy of the data we hold about you
  • Correction — update inaccurate information via your profile settings
  • Deletion — delete your account and all associated data from your dashboard. This is permanent and irreversible.
  • Export — download all your character data as a ZIP file from your dashboard at any time
  • Revoke OAuth access — revoke any third-party app's access from your settings
  • Object — object to processing based on legitimate interests

To exercise rights that cannot be completed through the platform, email oasisbiosupport@oermos.com. We will respond within 30 days.

9. Data Retention

  • Account and profile data: Until account deletion
  • Character content (OasisBios, worlds, DCOS, etc.): Until deleted by user or account deletion
  • Server logs (IP, request metadata): 30 days
  • Audit logs (publish/unpublish actions): 12 months
  • OAuth tokens: Until expiry or revocation
  • Backup copies: Up to 30 days after deletion

10. Security

We implement industry-standard security measures: encrypted connections (HTTPS/TLS), bcrypt hashing for OAuth client secrets, JWT-signed access tokens, Row Level Security on all database tables, and PKCE enforcement for all OAuth flows. However, no method of transmission over the internet is 100% secure.

In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware, as required by GDPR Article 33.

11. Children's Privacy

The Service is not directed to children under 13 (or under 16 in the EU/EEA, per GDPR Article 8). We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date. For significant changes, we will provide additional notice (e.g., a notice on the platform). Continued use of the Service after changes constitutes acceptance of the updated policy.

Regional Supplements

The following sections provide additional information for users in specific jurisdictions. They supplement — and do not replace — the general policy above.

EU / EEA

GDPR — General Data Protection Regulation

Data Controller

Oasis Company (ceaserzhao) is the data controller for personal data processed through the Service. Contact: oasisbiosupport@oermos.com

Additional Rights under GDPR

  • Right to data portability (Art. 20) — export your data in a structured, machine-readable format via the dashboard export feature
  • Right to restriction of processing (Art. 18) — request that we restrict processing of your data in certain circumstances
  • Right to erasure ("right to be forgotten") (Art. 17) — delete your account from the dashboard, or contact us for specific erasure requests
  • Right not to be subject to automated decision-making (Art. 22) — we do not make automated decisions with legal or significant effects
  • Right to lodge a complaint — you may lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority)

International Data Transfers

Your data may be transferred to and processed in the United States and other countries outside the EEA. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for these transfers.

Data Processing Agreement (DPA)

If you are an OAuth developer processing EU user data through "Continue with Oasis", a Data Processing Agreement is available at /dpa. Under GDPR, you are an independent data controller for the data you receive.

Age of Consent

In the EU/EEA, the minimum age to use the Service is 16, unless your country sets a lower age (minimum 13) under GDPR Article 8.

California, USA

CCPA / CPRA — California Consumer Privacy Act

Your California Rights

  • Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete — request deletion of your personal information (subject to certain exceptions)
  • Right to Correct — request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing — we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information beyond what is necessary to provide the Service
  • Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights

Categories of Personal Information Collected

In the past 12 months, we have collected:

  • Identifiers (email address, username, user ID)
  • Internet or other electronic network activity (server logs, session tokens)
  • User-generated content (character profiles, documents, images)

Do Not Sell or Share My Personal Information

We do not sell or share your personal information. If this changes, we will update this policy and provide an opt-out mechanism.

Submitting a Request

To exercise your California rights, email oasisbiosupport@oermos.com with subject line "CCPA Request". We will respond within 45 days. We may need to verify your identity before processing your request.

Brazil

LGPD — Lei Geral de Proteção de Dados

Controller

Oasis Company (ceaserzhao) acts as the data controller (controlador) for personal data processed through the Service.

Legal Bases (Hipóteses Legais)

  • Contract performance (Art. 7, V) — providing the Service
  • Legitimate interests (Art. 7, IX) — security, fraud prevention, audit logs
  • Legal obligation (Art. 7, II) — compliance with applicable law

Your Rights under LGPD (Art. 18)

  • Confirmation of the existence of processing
  • Access to your data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary data
  • Data portability
  • Deletion of data processed with your consent
  • Information about third parties with whom data is shared
  • Right to revoke consent

International Transfers

Data is transferred to the USA (Supabase/Cloudflare). These transfers are made under contractual safeguards consistent with LGPD Article 33.

Contact

To exercise your LGPD rights, email oasisbiosupport@oermos.com with subject line "LGPD Request".

China

PIPL — Personal Information Protection Law (个人信息保护法)

Notice to Users in China

OasisBio is operated outside of China. By using the Service, your personal information will be transferred to and processed in the United States and other countries. This transfer is necessary to provide the Service.

Purpose and Scope of Processing

We collect and process your personal information solely for the purposes described in this Privacy Policy. We do not process personal information beyond what is necessary for those purposes.

Your Rights

  • Right to know and decide how your personal information is processed
  • Right to access and copy your personal information
  • Right to correct inaccurate personal information
  • Right to delete your personal information
  • Right to withdraw consent

Contact

To exercise your rights, email oasisbiosupport@oermos.com. We will respond within 15 working days.

Contact

For any privacy-related questions, requests, or complaints, contact Oasis Company at:

oasisbiosupport@oermos.com

We aim to respond to all requests within 30 days (or within the timeframe required by applicable law).