Privacy Policy

1. Who we are

OpenCores Inc. (“OpenCores,” “we,” “us”) is a Delaware corporation that operates the OpenCores platform at opencores.ai (the “Service”). This Privacy Policy describes how we collect, use, share, and protect personal data about visitors, account holders, and customers of the Service. For the purposes of the EU and UK General Data Protection Regulation (collectively, “GDPR”), OpenCores Inc. is the data controller of personal data described below.

You can contact us at privacy@opencores.ai for any privacy matter, including to exercise the rights described in Section 9.

2. Data we collect

Account data.

Email address, password (hashed), display name and, if you sign in via Google OAuth, the basic profile information that Google returns to us (name, email, avatar).

Design data.

The prompts you submit, the HDL code, testbenches, synthesis logs, layouts and GDSII outputs generated through the Service, and metadata associated with each design (timestamps, status, token consumption, error logs).

Usage and technical data.

Pages viewed, features used, IP address, browser type, device identifiers, approximate location derived from IP, and cookies or local-storage tokens necessary to operate authentication, theming and the chat interface.

Billing data.

If you purchase a subscription or top-up, payments are processed by our merchant of record (Lemon Squeezy). We receive transaction confirmations, the last four digits of your card, your billing country, and tax-related data; we do not store full card numbers.

Support data.

If you contact us by email or through the in-app feedback channel, we receive the content of your message and any attachments you choose to send (for example, proof of academic affiliation when requesting edu credits).

3. Why we process your data (legal bases under GDPR)

• Performance of contract — to create and operate your account, deliver the Service, generate HDL and GDSII outputs, process payments and provide customer support.
• Legitimate interest — to monitor and improve the Service, detect fraud and abuse, maintain security, debug, and conduct aggregated analytics.
• Legal obligation — to comply with tax, accounting, anti-money laundering and other legal requirements.
• Consent — for any processing that requires it (such as optional marketing communications), which you can withdraw at any time.

4. How we use your designs

Your prompts, HDL outputs, testbenches and GDSII files are processed solely to deliver the Service to you. We do not use your designs to train or fine-tune any AI model without your explicit, separate opt-in consent. Aggregated, fully anonymised metrics (such as average tokens per design or synthesis success rate) may be used to monitor platform performance.

5. Sharing and sub-processors

We do not sell or rent your personal data. We share it only with the following categories of recipients:

• Infrastructure providers: Vercel Inc. (hosting and analytics, USA), Supabase Inc. (authentication and database, USA / EU regions).
• AI providers: OpenAI L.L.C. (large-language-model inference, USA) under their enterprise data-processing terms (no training on inputs).
• Synthesis pipeline: GitHub, Inc. (Actions runners for OpenLane2/SKY130 jobs, USA).
• Payment processing: Lemon Squeezy (Saasquatch Inc., USA), acting as merchant of record.
• Professional advisors: our auditors, lawyers and bankers, under confidentiality obligations.
• Authorities: regulators, courts or law-enforcement agencies when legally required.
• Successors: in connection with a merger, financing, acquisition or sale of assets, subject to confidentiality and to this Policy continuing to apply.

6. International transfers

We are based in the United States. When we transfer personal data of users in the EEA, the UK or Switzerland to recipients in countries that have not been recognised as providing an adequate level of protection, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss addenda, together with supplementary technical and organisational measures.

7. Retention

Account data is retained for as long as your account is active and for up to 90 days after deletion to allow for recovery and to satisfy our legal obligations. Design data and chat history are retained until you delete them or until your account is closed, after which they are removed within 90 days. Billing records are retained for the period required by applicable tax law (typically 7 years). Aggregated, anonymised data may be retained indefinitely.

8. Security

We apply industry-standard technical and organisational measures, including TLS in transit, encryption at rest for credentials and payment metadata, row-level security on database tables, least-privilege access controls, and periodic review of logs and dependencies. No system is perfectly secure; you are responsible for keeping your account credentials confidential and for using a strong, unique password.

9. Your rights

Subject to local law, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate or incomplete data;
• request deletion (“right to be forgotten”);
• restrict or object to certain processing;
• request a portable copy of the data you provided to us;
• withdraw consent at any time, without affecting prior processing;
• lodge a complaint with your local data-protection authority (in the EU, the supervisory authority of your country of residence).

To exercise any of these rights, email privacy@opencores.ai. We will respond within 30 days. We may need to verify your identity before fulfilling the request.

10. Notice to California residents (CCPA / CPRA)

If you are a California resident, you have the right to know the categories and specific pieces of personal information we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing” of personal information for cross-context behavioural advertising. We do not sell or share personal information within the meaning of the CCPA. You may exercise your CCPA rights by emailing privacy@opencores.ai. We will not discriminate against you for doing so.

11. Cookies and analytics

We use a small number of first-party cookies and local-storage entries that are strictly necessary to keep you signed in, remember your theme preference and run the chat interface. We also use Vercel Analytics, which records aggregate page-view metrics without setting cross-site tracking cookies or identifying individual visitors. We do not run third-party advertising trackers.

12. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us so that we can delete it.

13. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify registered users by email and update the “Last updated” date above. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

14. Contact

OpenCores Inc.
Privacy enquiries: privacy@opencores.ai
General enquiries: hello@opencores.ai