Privacy Policy
Privacy Policy — OVRLab
Effective date: December 28, 2025
Last updated: December 28, 2025
This Privacy Policy explains how Jubba Cyber Services B.V., doing business as OVRLab (“OVRLab,” “we,” “us”), collects, uses, and shares information when you use our website and applications (together, the “Services”).
Contact: support@ovrlab.io
Business: Jubba Cyber Services B.V. (trade name: OVRLab)
Country: The Netherlands
1) What OVRLab does (important context)
OVRLab provides software that enables peer‑to‑peer communication and decentralized messaging. The Services are designed so that:
Message content is end‑to‑end encrypted (E2EE) between sender and recipient, and
OVRLab does not store message contents on OVRLab‑controlled servers.
Because the Services operate peer‑to‑peer, some technical data (such as IP address) must be exchanged between devices to establish connections.
2) Information we collect and process
2.1 Information from Google Sign‑In
You authenticate using Google. When you sign in, we receive information from Google necessary to provide the Services.
We request the following Google OAuth scopes:
https://www.googleapis.com/auth/userinfo.email (to obtain your Google account email address), and
https://www.googleapis.com/auth/drive.appdata (to store and retrieve app data in your Google Drive App Data folder).
We use your email address as an identifier for your OVRLab session/account within the App.
2.2 Cryptographic keys stored in Google Drive App Data
The App creates and uses cryptographic keys to support secure communication and end‑to‑end encryption.
Storage location: Your keys are stored in your Google Drive App Data (Google Drive “appDataFolder”) via the drive.appdata scope.
No OVRLab server storage: We do not store your private keys on OVRLab‑controlled servers.
No additional encryption by OVRLab: Your keys are not additionally encrypted by OVRLab before being stored in Google Drive App Data.
Your Google account security (e.g., password, device security, and optional 2‑step verification) helps protect access to this data.
2.3 Peer‑to‑peer networking data (required for the service)
To establish peer‑to‑peer connections (including WebRTC connections), devices may process and exchange certain technical data, such as:
IP addresses (your device’s IP address and other peers’ IP addresses),
Public keys (used for end‑to‑end encryption and authentication),
Connection/session metadata (for example, handshake outcomes, timestamps, and connection state).
This data is used to connect peers and deliver encrypted communications.
2.4 Message content and delivery
Message content (including attachments) is end‑to‑end encrypted between the sender and the intended recipient(s).
OVRLab cannot access message content.
OVRLab does not store message content on OVRLab‑controlled servers.
Note: Recipients may store messages on their own devices/accounts. We cannot delete content stored by other users.
2.5 Crash reports and diagnostics (Sentry)
We use Sentry.io for crash reporting and diagnostics to improve stability and troubleshoot problems.
We have configured Sentry with sendDefaultPii disabled and we do not send your email address to Sentry.
Crash reports may include technical information such as: app version, device/OS information, error messages, stack traces, and timestamps.
Depending on how services operate, Sentry and related infrastructure may process network-related technical data (such as IP address) as part of standard operations.
2.6 Website data
If you visit https://www.ovrlab.io
, our website and infrastructure providers may process standard web log information such as:
IP address, browser type, pages requested, timestamps, referrer URL, and error logs.
We do not operate advertising trackers for the purpose of serving targeted ads.
3) How we use information
We use information to:
Provide and maintain the Services (authentication, key storage in your Google Drive App Data, peer connectivity)
Enable secure communications and prevent abuse
Debug, monitor reliability, and improve performance (including via crash reports)
Respond to support requests
Comply with legal obligations
We do not sell personal data and we do not use your data for targeted advertising.
4) How we share information
4.1 With other peers/users (peer‑to‑peer operation)
Because the Services are peer‑to‑peer, your device may share certain technical information (including IP address and public keys) with other peers to establish connections and exchange encrypted messages.
4.2 With service providers
We use the following service providers to operate parts of the Services:
Google
Google Sign‑In (authentication)
Google Drive App Data storage (to store your cryptographic keys in your account)
Sentry.io
Crash reporting and diagnostics (configured to minimize personal data; no email sent)
Cloudflare
STUN servers used to facilitate WebRTC connectivity (STUN only; no TURN)
Service providers process data according to their own policies and contractual obligations. We share only what is necessary for the Services to function.
4.3 Legal and safety
We may disclose information if we believe in good faith that disclosure is reasonably necessary to:
Comply with law or legal process,
Protect the rights, safety, and security of users, OVRLab, or the public,
Detect, prevent, or address fraud, abuse, or security issues.
4.4 Business transfers
If OVRLab is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to applicable law.
5) Data retention
We retain data only as long as needed for the purposes described above:
Message content: Not stored on OVRLab‑controlled servers.
Cryptographic keys (Google Drive App Data): Stored in your Google Drive App Data until you delete the App Data and/or revoke the App’s access.
Crash reports (Sentry): Retained for 30 days, then deleted according to our Sentry retention settings.
Support communications: If you contact us, we retain support emails and related correspondence as long as needed to address your request and maintain support records.
6) Your choices and controls
6.1 Google access and App Data
You can control the App’s access to your Google account by:
Revoking the App’s access in your Google account settings, and/or
Deleting the App Data stored in Google Drive App Data (appDataFolder).
6.2 Privacy rights (EEA/UK and other regions)
Depending on your location, you may have rights to request access to, correction of, or deletion of certain personal data we control, or to object to or restrict certain processing.
To submit a request, contact support@ovrlab.io
.
Important limitation: Because message content is end‑to‑end encrypted and not stored on OVRLab servers, we generally cannot access or delete message content on your device or on a recipient’s device.
7) Legal bases for processing (EEA/UK GDPR)
If you are in the EU/EEA/UK, we process personal data under the following legal bases:
Performance of a contract: to provide the Services you request (login, key storage in your account, peer connectivity)
Legitimate interests: to secure, maintain, and improve the Services (e.g., crash diagnostics, abuse prevention)
Legal obligation: where applicable
8) International data transfers
Our service providers (such as Google, Sentry, and Cloudflare) may process data in countries outside the Netherlands/EEA. Where required, we rely on appropriate safeguards for international transfers.
9) Security
We use reasonable technical and organizational measures designed to protect information. However, no system is perfectly secure. You are responsible for maintaining the security of your device and your Google account.
Because your cryptographic keys are stored in your Google Drive App Data without additional encryption by OVRLab, protecting your Google account (strong password and, ideally, two‑factor authentication) is especially important.
10) Children’s privacy
The Services are intended for a general audience and are not specifically directed to children. We do not knowingly collect personal information from children. If you believe a child has provided personal information to OVRLab, please contact support@ovrlab.io
and we will take appropriate steps.
11) Google API user data compliance
OVRLab’s use and transfer of information received from Google APIs will comply with the Google API Services User Data Policy, including the Limited Use requirements.
12) Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy on our website and update the “Last updated” date. If changes are material, we will take reasonable steps to notify you.
13) Contact
If you have questions about this Privacy Policy or want to make a privacy request, contact:
support@ovrlab.io