Privacy Policy

Ongoing.AI is a B2B substrate of public business-level ecommerce signals. We don’t sell personal information about anyone, and we’re not a people-search, contact-enrichment, lead-list, or personal-data brokerage service. The substrate describes businesses (apps, brands, installs, rankings, technology fingerprints), not natural persons.

On the user side, we collect the data we need to run your account, charge a subscription, send the emails you opted into, and understand how the Service is used. We use Stripe for payments, Google Analytics for aggregate traffic measurement, and a small set of operational vendors listed below. Email legal@ongoing.ai for any access, correction, or deletion request and we’ll handle it.

The rest of the page is the full version, in case the short one isn’t enough.

The controller of your personal information is Ongoing LLC, a California limited liability company and the operator of Ongoing.AI. You can reach us at legal@ongoing.ai.

This page mostly describes personal information we collect about you as a user of the Service. Before getting to that, it’s worth being explicit about what the underlying substrate is — and what it isn’t.

What the substrate covers. Ongoing.AI is built from publicly available business-level signals: Shopify App Store listings, app developers (as businesses), brand domains, install fingerprints derived from public web pages, category and keyword rankings, review topics and aggregate sentiment, technology fingerprints, and time-series of all of the above. It is intentionally a business-intelligence product, not a people-intelligence product.

What the substrate is not. Ongoing.AI is not a people-search, contact-enrichment, lead-list, or personal-data brokerage service. We do not intentionally extract, index, display, or sell people-level personal information — including names, email addresses, phone numbers, postal addresses, or personal profiles — as part of the substrate or as a product output.

Incidental personal information. Public web pages we crawl may incidentally contain personal information (for example, a founder’s name on an “About” page). We apply reasonable filtering, exclusion, and suppression to keep incidental personal information out of customer-facing records, and we don’t enrich, sell, or build product features around it. If you believe specific personal information has slipped through, email legal@ongoing.ai and we’ll suppress it from customer-facing records and delete it from active systems where required, subject to standard retention windows for backups and raw collection artifacts.

Not a “data broker.” Under California Civil Code §1798.99.80, a “data broker” is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Based on how the Service is designed today, Ongoing does not operate as a data broker in that sense: the substrate describes businesses, not consumers, and we do not sell personal information about consumers.

How we crawl. Our crawlers are designed to access publicly available business information. We do not intentionally bypass authentication, paywalls, CAPTCHAs, or other technical access controls. We use rate limits intended to reduce burden on third-party services, and we transform collected information into derived business signals (detections, rankings, time-series, summaries) rather than republishing source material verbatim.

Account information. When you create an account we collect your name, email address, password (hashed, not stored in plain text), and the organization you belong to.

Billing information. When you subscribe, our payment processor Stripe collects your payment details. We receive the metadata we need to operate the subscription — customer ID, plan, status, last four digits, billing country, and tax information — but not your full card number.

Usage data. We log pages viewed, dashboard actions, queries run, API calls, and the timestamps and contexts around them. This is how we keep the Service running, debug issues, calibrate rate limits, and improve the substrate.

Technical data. Standard request metadata — IP address, user agent, device and browser hints, language, and referrer.

Support and outreach. If you email us, fill in the request-access form, or otherwise contact us, we keep the messages and whatever you choose to include in them.

Content you provide. Anything you submit into the Service — organization details, prompts, uploads, configurations — is processed to deliver the result you asked for and stored as part of your workspace.

Public business signals. Separately from the personal information above, the substrate ingests publicly available business-level signals about apps, app developers, brands by domain, installs, rankings, technology fingerprints, and review topics. This is business information, not personal information about you. See the Substrate scope section above for the full picture, including how we handle incidental personal information.

We use the information above to:

• Operate, secure, and improve the Service.
• Authenticate you, run your organization’s subscription, and provide support.
• Bill correctly, prevent fraud, and meet financial and tax obligations.
• Send transactional emails (account, billing, security). Product emails are opt-in and you can unsubscribe at any time.
• Calibrate rate limits, detect abuse, and enforce our Acceptable Use Policy.
• Understand aggregate usage of the Service so we know what to build next.
• Meet legal obligations and respond to lawful requests.

We rely on a mix of legal bases under GDPR depending on the purpose — performance of a contract (account and subscription), legitimate interest (security, abuse prevention, product analytics), consent (marketing emails, non-essential cookies where required), and legal obligation (tax, accounting).

We don’t sell personal information. We share it with the small set of vendors needed to run the Service, and only for the purposes described above.

Current operational vendors include:

• Stripe — payment processing and subscription management.
• Vercel — hosting for the marketing site.
• Laravel Cloud — hosting for the application backend and dashboard.
• DigitalOcean — managed database, object storage, and ancillary compute.
• Google Analytics — aggregate traffic measurement on the marketing site.
• Anthropic and OpenAI — model providers used to process specific Service inputs (for example, review and listing enrichment).

No training on your inputs. We do not use content you submit to the Service to train, fine-tune, or evaluate AI models. When we send inputs to model providers such as Anthropic or OpenAI, we use their commercial / API offerings and rely on their standard terms for business data, under which API inputs are not used to train those providers’ own models. If a provider’s applicable terms ever change, we will change provider or change the feature before changing this commitment.

We may also share information when required by law, in response to valid legal process, to protect Ongoing’s rights or safety, or in connection with a corporate transaction (merger, acquisition, asset sale). If that ever happens, we’ll update this page.

We use a small number of cookies and similar technologies:

• Essential. Authentication, session, and security cookies. The Service doesn’t work without them.
• Analytics. Google Analytics (GA4) on the marketing site, used to understand which pages and surfaces are useful. We don’t connect GA identifiers back to your account.

You can clear cookies or block them via your browser. Blocking essential cookies will break sign-in. We don’t use Google Analytics for cross-context behavioral advertising. Where required by law, we honor legally recognized opt-out preference signals for activities that qualify as sale, sharing, or targeted advertising. Ongoing is a US-based B2B service today; if and when we add EU/UK-targeted surfaces or additional non-essential trackers, we’ll add an explicit consent banner before they load.

We keep account and billing data for as long as your account is active and for a reasonable period afterward to comply with tax, accounting, and dispute-resolution obligations.

Logs and usage telemetry are retained on a rolling window measured in months, not years. Aggregate analytics may be kept longer in a form that doesn’t identify individuals.

When you close an account, we delete or anonymize the personal information we’re no longer required to keep, within a reasonable timeframe.

We use industry-standard practices to protect personal information — TLS in transit, encryption at rest for databases and object storage, hashed passwords, access controls, audit logging, and vendor due diligence. No system is perfectly secure; if we ever experience a breach that affects you, we’ll notify you as required by law. See our Security page for more detail.

You have the right to:

• Access the personal information we hold about you.
• Correct anything that’s inaccurate.
• Ask us to delete your personal information (subject to records we’re legally required to keep).
• Object to or restrict certain processing, and to receive an export of your data in a portable format.
• Withdraw consent for anything you previously consented to.
• Opt out of marketing emails at any time using the unsubscribe link or by emailing us.

To exercise any of these, email legal@ongoing.ai. We may need to verify it’s really you before acting.

If you’re in California, the CCPA/CPRA gives you specific rights to know, delete, correct, and limit the use of sensitive personal information, and to opt out of “sale” or “sharing” for cross-context behavioral advertising. We don’t sell personal information and we don’t use it for cross-context behavioral advertising. Based on how the Service is designed today, we also don’t operate as a “data broker” in the sense defined by California Civil Code §1798.99.80: the substrate describes businesses, not consumers, and we don’t sell personal information about consumers with whom we don’t have a direct relationship. Exercise any of these rights at the same email address.

Ongoing operates from the United States and our vendors are based in the US and the EU. If you access the Service from outside the US, your information may be transferred to and processed in the US. Where required (e.g. EEA, UK, Switzerland), we rely on appropriate safeguards such as Standard Contractual Clauses.

Ongoing is a B2B service and isn’t directed to anyone under 16. We don’t knowingly collect personal information from children. If you believe we have, contact us and we’ll delete it.

We may update this Privacy Policy from time to time. The effective date at the top tells you when the current version went into effect. If a change is material we’ll give reasonable notice before it takes effect.

Privacy questions go to legal@ongoing.ai. We aim to reply within a few business days.

Ongoing LLC · legal@ongoing.ai
400 Spectrum Center Dr, Floor 19, Irvine, CA 92618, United States