Privacy Policy

Openly by North Tumbleweed LLC · Last updated April 25, 2026

1. Overview

North Tumbleweed LLC (“we”, “us”) publishes Openly, an AI chat client for iOS that routes your messages to a curated set of open-source language models. This Privacy Policy explains, end to end, what we collect, why, and what happens to it.

Openly is designed around a single principle: the only data we need is what is required to enforce a fair-use cap on a paid subscription. We hold ourselves to that line.

2. What We Collect

2.1 An Anonymous Device Identifier (X-Device-ID)

When you launch Openly, the app generates a per-device pseudonymous identifier derived from Apple’s identifierForVendor — a value that is stable for our app on your device but is not the same identifier any other app sees, and not your AppleID. This identifier is sent on every request to our backend in an HTTP header (X-Device-ID).

This identifier exists for one purpose: counting how much of your monthly fair-use cap you have used, so we can enforce the cap on your subscription tier. It is never tied to your conversations, your name, your email, your AppleID, or any account record. It is not a marketing identifier. It is not shared with anyone.

2.2 Subscription Receipt

When you subscribe to Openly or Openly Plus through the App Store, Apple issues a receipt. The app sends this receipt to our backend so we can validate it server-side against Apple’s receipt-validation endpoint. We store only the validation result (which tier you’re entitled to and through what date), keyed against your anonymous device identifier. We do not see and do not store your name, your billing address, your payment card, or any other Apple Account information.

2.3 Cap-Counting Records

For each request you make, our backend increments a counter in Cloudflare Workers KV / a Durable Object, keyed by your anonymous device identifier and the current monthly window. The counter holds: the device identifier, the current month, and the running total of cap units consumed. Nothing about the message itself is recorded — not the prompt, not the reply, not the model used, not a timestamp of when you sent it.

3. What We Do Not Collect

To make this concrete, here is what Openly does not see, log, or store:

• The text of your prompts.
• The text of model replies.
• Your IP address (the Worker discards it after the request returns).
• Your name, email, AppleID, or any other personal identifier.
• Your location (precise or coarse). The app never requests location permission.
• Your contacts, calendar, photos, or microphone. The app never requests these permissions.
• Any analytics events. There are no analytics SDKs in Openly — no AppsFlyer, no Firebase, no Mixpanel, no Amplitude, no PostHog, no Sentry, nothing.
• Any advertising identifier. We do not show the App Tracking Transparency prompt because we do not collect IDFA.
• Any payment information. Apple processes payment; we never see card data, billing address, or anything similar.

4. How a Message Flows

When you send a message:

1. Your iPhone opens an HTTPS connection to our Cloudflare Worker proxy at api.openly.chat, with your anonymous device identifier in the X-Device-ID header.
2. The Worker checks your subscription receipt against the cached validation result (already keyed to your device identifier). If valid, it checks how many cap units you have left for the month.
3. If you have units left, the Worker forwards your message to the upstream model provider (Novita) over its OpenAI-compatible API. The Worker does not write the prompt or the reply to any log, database, or file.
4. The model’s reply streams back through the Worker to your iPhone, where it is displayed and stored locally on your device only.
5. The Worker increments your monthly cap counter by the number of units this request consumed (varies by model). The counter holds a running total only — not a per-message record.

We log nothing about the content of the request or the reply. The only durable state on our side is: device identifier → subscription tier → current-month cap counter. That is the entire shape of our database.

5. Third Parties

5.1 Cloudflare (Infrastructure)

The Worker proxy and the cap counters run on Cloudflare’s edge network. Cloudflare necessarily sees the request as it transits its network in order to route it. Cloudflare’s standard edge logs (which include source IP) are governed by their data-handling policies; we have configured the Worker to discard the IP within the request handler so it is never written to our own storage. We do not retain Cloudflare’s edge logs and do not use them for any analytics purpose.

5.2 Novita (Upstream Model Provider)

Your prompt is forwarded to Novita, our upstream open-source-model provider. Novita is contractually bound to a no-log clause: prompts and replies are processed solely to generate the response and are not retained, not used for model training, and not used for any other purpose. Novita receives only the prompt and the chosen model name — it does not receive your device identifier, your subscription information, your IP, or anything else that could identify you.

5.3 Apple (Subscriptions)

Apple handles the entire subscription lifecycle through StoreKit: showing the subscription sheet, taking payment, issuing the receipt, processing renewals, and handling refunds. We send the receipt to Apple’s server-side receipt-validation endpoint to confirm the subscription is valid. Apple’s privacy practices govern how Apple itself handles your AppleID, payment, and purchase history.

6. Data Retention

7. Deletion and Reset

You can wipe everything Openly knows about you in one tap. In the app, open Settings → Delete all data. This:

• Deletes your local conversation history (SwiftData store on your device).
• Sends a delete request to the Worker, which removes your cap counter and any cached receipt-validation entry from KV / the Durable Object.

If you uninstall Openly without first tapping “Delete all data,” your cap counter remains on the Worker side until it is auto-deleted after 90 days of inactivity. Reinstalling within that window may surface your existing cap usage on a new device identifier (because identifierForVendor can change after an uninstall). To be certain everything is gone, tap “Delete all data” before uninstalling.

Your subscription is managed entirely by Apple. To cancel, open iOS Settings → [your name] → Subscriptions → Openly. Cancelling the subscription does not delete your data on our side — use the in-app reset for that.

8. Subscriptions

Openly offers two auto-renewing monthly subscriptions through Apple’s App Store: Openly ($9.99 / month) and Openly Plus ($29.99 / month). Each tier includes a monthly fair-use cap shown in Settings → Usage. Subscriptions auto-renew unless cancelled at least 24 hours before the end of the period. Refunds are handled by Apple at reportaproblem.apple.com.

9. Children’s Privacy

10. Your Rights Under GDPR (European Users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have:

• Right of Access — to request a copy of any personal data we hold. (For Openly, this is at most: your anonymous device identifier and your current cap counter.)
• Right to Erasure — exercised in one tap via Settings → Delete all data, or by emailing us.
• Right to Restriction, to request that we limit processing.
• Right to Object, to object to processing based on legitimate interests.
• Right to Withdraw Consent.

Legal basis. We process the device identifier and cap counter under the “contract performance” basis — it is necessary to provide the paid Service you bought. We do not rely on consent for any data processing because we do not collect anything beyond what the contract requires.

11. Your Rights Under CCPA (California Residents)

California residents have:

• Right to Know the categories and specific pieces of personal information we have collected.
• Right to Delete personal information — exercised in one tap via Settings → Delete all data.
• Right to Opt-Out of Sale. We do not sell personal information. There is nothing to opt out of.
• Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

12. Security

• All network communication uses HTTPS / TLS.
• The Worker proxy runs on Cloudflare’s edge with built-in DDoS protection and per-device rate limiting.
• Our upstream API key for Novita is stored only as a Cloudflare Worker Secret; it is never present in the iOS app, never in source control, and never transmitted to your device.
• Receipt validation is performed server-side against Apple’s endpoint; the iOS app never sees or stores the validation logic.

No method of transmission or storage is 100% secure. While we have designed Openly to minimize the data we hold in the first place — the strongest privacy posture is collecting nothing — we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we update the “Last updated” date at the top. We encourage you to review this policy periodically. Continued use of Openly after a change constitutes acceptance of the updated policy. For material changes we will make reasonable efforts to notify you in-app.

14. Contact

Questions about this Privacy Policy or your data? Reach us at support@openly.chat.

North Tumbleweed LLC
Wyoming, United States
support@openly.chat