Trust & Security

Your script never trains us.
Your contract never leaves you.

OGF AI is built for filmmakers who guard their work. Here, in plain language, is exactly how we treat what you upload — your own work, the people you bring with you, and the data we collect that has nothing to do with your IP.

v1.2 Last updated: May 7, 2026
The Founder's Pledge
We will never use your project content to train any AI model. We will never sell, license, or share it. We process it only to render the service you asked for. When you enter information about other people — investors, collaborators, even minors — it’s held under the same protection as your own work: never trained on, never shared, and locked to your account so the only person who can read it is you.
— AJ Rome, Director & Founder, One Grand Film
01 — The Promises

What we will never do

Every commitment below is enforced architecturally — not just legally. They're encoded into how the platform is built, who has access, and what gets logged. We've also written them into our binding Privacy Policy and Terms of Use.

02 — What We Collect

Three categories. Two protected.

Every piece of data on the platform falls into one of three categories. The line between them is architectural — encoded in our database, our access controls, and our backups. Two of the three are sacred. One is structural and is what makes the platform measurably better over time.

◆ Bucket A · Sacred (yours)
Your Project Content

Untouched except to fulfill your direct request. Encrypted. Locked to your account. Never logged. Never trained on. Never shared.

  • Scripts, treatments, character bios
  • Pitch decks, image prompts
  • Budgets, backend splits
  • Generated contracts, redlines
  • Festival strategies
  • Distribution outreach drafts
  • Your personal information
◆ Bucket A · Sacred (others)
Third-Party Personal Data

Same protections as your own content. Bound to your project and your account. We never separately contact, market to, or profile these third parties.

  • Collaborator names and addresses
  • Investor names and contributions
  • Minor performer information
  • Distribution executive contacts
  • Crew rates and roles
  • Locations and owners
  • Anything you enter about another person

The test that decides which bucket

Is it about you, your project, or someone else you're working with? Bucket A. Is it structural, behavioral, or operational and reveals nothing about what's inside any project? Bucket B. When in doubt, it goes in Bucket A. The default is protection, not collection.

03 — AI Providers

Our AI infrastructure. Here's what each part sees.

Most platforms hide their AI infrastructure. We don't, because the protections you have are inseparable from understanding what processes what. We name our text-generation provider and our image-generation stack — and disclose what data flows to each.

→ Text · all 5 tools
Anthropic

  • What we send: System prompt + your project context + your tool inputs + (when you upload them) scripts and treatments
  • Training: Prohibited under Anthropic's standard API policy
  • Retention: Zero Data Retention configured for our production account — nothing held beyond immediate processing
  • Web search: Festival Strategy and Pitch Deck use Anthropic's web search. Queries are abstracted (festival name + year, comp film title) — never your full project content

→ Images · pitch deck only
Image generation stack

  • What we send: Image prompts derived from your Style Bible (palette, lighting, scene descriptions). These can include references to your characters and world.
  • The stack: Nano Banana Pro (primary), Flux 2 Pro (failover), and DALL-E 3 (backstop). A given image render routes through one of these depending on per-request availability.
  • Training: Prohibited under each vendor's standard API policy
  • Retention: Zero Data Retention configured wherever the vendor offers it for our account; otherwise, the vendor's standard policy applies
  • Why disclose: The image prompts are derived from your IP. Honest disclosure beats simplicity.

What about web search?

Two of our tools — Festival Strategy and Pitch Deck Builder — use web search to verify current information (festival deadlines, comp film budgets, tax incentive rates). The search queries we construct are designed to be abstracted from your project content. We don't paste your script into a search bar. We search "Sundance 2026 narrative competition deadline," not "deadline for [your specific film concept]." This is an engineering rule, written into the system prompts.

04 — How We Protect It

Encryption isn't enough. Architecture is.

Most platforms list a few security buzzwords and stop. We go further because the entire OGF brand is built on filmmaker protection — and a single sloppy backup or chatty error logger would undo it.

→ ENCRYPTION
In transit and at rest
TLS 1.2+ on every connection. AES-256 at rest. Application-level encryption on the most sensitive fields — full session transcripts, generated contract bodies, third-party PII — using keys held in our secrets vault. Decryption only inside the API request that needs the data.
→ ACCESS
Row-level security, tested
Every table containing your content is locked so you can only read your own rows. For Studio family, Enterprise, and Film School accounts, additional tenant-aware policies prevent cross-user reads inside an institution. Automated tests confirm policies on every deploy.
→ INTERNAL
No routine access by our team
OGF team members do not have routine read access to your content or to third-party data you've entered. The only path to your content is a support ticket you initiated, with the access logged and revoked when the ticket closes.
→ LOGGING
Redacted by default
Our application logs capture timing, status codes, and user IDs — never prompt content, completion content, or uploaded files. Error trackers are configured to scrub request bodies before they leave our infrastructure.
→ EMAIL
Sensitive content never in email body
When we deliver something sensitive — like an E&O Readiness Report listing your collaborators by name — we send a notification email with an authenticated link, not the content itself. Email isn't end-to-end encrypted; an authenticated link is.
→ BACKUPS
Same rules as production
Backups carry the same encryption, retention, and deletion rules as production. When you delete content, deletion propagates to backups within 30 days.
→ DELETION
Real, not soft
Delete a project: 30-day grace period to undo, then it's gone from production and backups. Close your account: same window, full purge. For minor child data: shorter retention where law permits. Audit logs of OGF's own actions are retained 24 months — they record us, not your content.
→ EXPORT
Yours to take, anytime
Export your full project vault as a downloadable ZIP archive at any time, free. Machine-readable formats. No friction. No dark patterns.
→ BREACH
72-hour notification
If we discover a security incident affecting your data, you'll be notified by email within 72 hours of confirmation. If the incident affects third-party data you've entered, we'll work with you on appropriate notification to those people.
→ ACQUISITION
A buyer doesn't get to weaken these terms
If OGF is ever acquired, the buyer is bound by the protections in place at the time of transition. Users get 30 days' notice and an option to export and delete before the transition completes. Any weakening of protections requires explicit opt-in — not a forced acceptance.
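
To illustrate the "Row-level security, tested" item above, here is an added example (not OGF's schema or code) of an owner-only policy in plain PostgreSQL together with the kind of check a deploy pipeline can run against it. The table, the `app_user` role, the `app.user_id` session setting and the `current_app_user()` helper are all hypothetical names chosen for the example.

```sql
-- Added example: constructed schema, roles and rows; plain PostgreSQL 13+.
-- Assumption: the API sets app.user_id once per request (hypothetical setting).
CREATE TABLE projects (
    id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    owner_id uuid NOT NULL,
    org_id   uuid,                      -- NULL for individual accounts
    title    text NOT NULL
);

-- Constructed rows, seeded before the policy is switched on:
-- A and B belong to the same institution, C is an individual user.
INSERT INTO projects (owner_id, org_id, title) VALUES
  ('aaaaaaaa-0000-4000-8000-000000000001', 'eeeeeeee-0000-4000-8000-000000000001', 'A script'),
  ('bbbbbbbb-0000-4000-8000-000000000002', 'eeeeeeee-0000-4000-8000-000000000001', 'B script'),
  ('cccccccc-0000-4000-8000-000000000003', NULL, 'C script');

-- Caller identity; NULL when unset or reset to '', so the policy fails closed.
CREATE FUNCTION current_app_user() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;    -- binds the table owner too

CREATE POLICY projects_owner_only ON projects FOR ALL
    USING      (owner_id = current_app_user())    -- rows the caller may read or change
    WITH CHECK (owner_id = current_app_user());   -- rows the caller may write

CREATE ROLE app_user NOLOGIN;                     -- hypothetical API role
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_user;

-- Deploy-time check: run by a role that is allowed to SET ROLE app_user.
BEGIN;
SET LOCAL ROLE app_user;
DO $$
DECLARE visible bigint;
BEGIN
    -- 1. No identity set: nothing is readable.
    SELECT count(*) INTO visible FROM projects;
    IF visible <> 0 THEN RAISE EXCEPTION 'anonymous read saw % rows', visible; END IF;

    -- 2. As A: only A's row, not B's, although both share an org_id.
    PERFORM set_config('app.user_id', 'aaaaaaaa-0000-4000-8000-000000000001', true);
    SELECT count(*) INTO visible FROM projects;
    IF visible <> 1 THEN RAISE EXCEPTION 'A saw % rows, expected 1', visible; END IF;

    -- 3. As A: writing a row owned by B must be rejected by WITH CHECK.
    BEGIN
        INSERT INTO projects (owner_id, title)
        VALUES ('bbbbbbbb-0000-4000-8000-000000000002', 'planted');
        RAISE EXCEPTION 'cross-user insert was accepted';
    EXCEPTION WHEN insufficient_privilege THEN NULL;  -- SQLSTATE 42501, expected
    END;
END $$;
ROLLBACK;
```

Superusers and roles with BYPASSRLS skip these policies entirely, so a check like this only means something when it runs under the same unprivileged role the application uses.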

Our vendor list

Every third party in our stack is audited annually. Here's the current list and what each one receives.

ANTHROPIC
AI text generation for all five tools. Receives: project content + third-party PII strictly to process your request. ZDR enabled.
NANO BANANA PRO
Image generation (Pitch Deck only) — primary in our image stack. Receives: IP-derived image prompts strictly to process your pitch deck. ZDR enabled where available.
FLUX 2 PRO
Image generation (Pitch Deck only) — failover in our image stack. Receives: IP-derived image prompts strictly to process your pitch deck. ZDR enabled where available.
OPENAI
DALL-E 3 image generation (Pitch Deck only) — backstop in our image stack. Receives: IP-derived image prompts strictly to process your pitch deck.
SUPABASE
Database, authentication, file storage. Receives: all your project content + third-party PII (encrypted at rest, application-level encryption on the most sensitive fields).
VERCEL
Hosting, serverless functions, TLS termination. Receives: operational telemetry only — paths, latencies, status codes. No request bodies, no content.
STRIPE
Payment processing. Receives: email + payment information. Stripe holds card data; OGF stores only customer/subscription IDs.
RESEND
Transactional email. Receives: email metadata + Bucket B body content (welcome, alerts). Sensitive content delivered via authenticated link, not email body.
GOOGLE
Optional Google OAuth sign-in. Receives: email and profile name only when you choose Google sign-in.
SENTRY
Error tracking. Receives: error events and stack traces. Request bodies scrubbed before leaving our infrastructure.
05 — Security Roadmap

Where we are. Where we're going.

We publish our security roadmap so you can see what's live, what's in progress, and what's planned. We update this list when something changes.

● Live · Encryption in transit and at rest
● Live · Row-level security with automated tests
● Live · Server-side API proxy for all AI calls
● Live · No-training commitment with every AI inference provider in our stack
◐ In Progress · Zero Data Retention confirmed in writing with Anthropic · Pre-launch
◐ In Progress · Image-stack ZDR review and configuration (Nano Banana Pro, Flux 2 Pro, OpenAI/DALL-E 3) · Pre-launch
● Live · Multi-tenant RLS for Studio family, Enterprise, and Film School tiers
◐ In Progress · Application-level encryption on session content + retention scheduling · Pre-launch
◐ In Progress · User-rights flows: project deletion, account closure, data export · Pre-launch
◐ In Progress · Error tracker request-body scrubbing verification · Pre-launch
○ Planned · SOC 2 Type I report · Q4 2026
○ Planned · SOC 2 Type II certification · Q3 2027
○ Planned · Independent third-party penetration test (annual) · Q1 2027
○ Planned · Bug bounty program for security researchers · Post-launch
○ Planned · International readiness — privacy frameworks beyond U.S. baseline · Phased rollout

06 — Honest Answers

The questions you probably have.

Will my script be used to train your AI?

No. Not now, not ever, not by default. We don't fine-tune any model on user content. Every AI inference provider in our infrastructure — Anthropic for text, and our image generation stack of Nano Banana Pro, Flux 2 Pro, and DALL-E 3 — is contractually prohibited from training on what we send them under their respective standard API policies. We've also configured Zero Data Retention with Anthropic, and we configure ZDR on the image side wherever the vendor offers it for our account.

If we ever wanted to change this, it would require an explicit, opt-in, separately-consented program. You would not be opted in by default, by continuing to use the platform, or by accepting any update to the terms.

Why three image providers instead of one?

Most of OGF AI uses Anthropic's Claude for text. The Pitch Deck Builder also generates background images and identity-locked character imagery for your slides — and for that, we route through a stack of three image providers: Nano Banana Pro as primary, Flux 2 Pro as failover, and DALL-E 3 as backstop. A given image render goes through one of the three depending on per-request availability. This is how we keep your characters visually consistent across every slide even when one vendor has a bad day.

The image prompts we send to any of these vendors are derived from your Style Bible, which means they reference your characters, scenes, and world. Each vendor's standard API policy prohibits training on what we send. Where ZDR is available for our account on a vendor, we've configured it. If you'd rather not have IP-derived image prompts go to any of these vendors, you can use the Pitch Deck Builder without generating images, or skip that tool entirely.

I'm using Contract Builder. Other people's data is going in there. What happens to it?

It's protected with the same architecture as your own work — encrypted, locked to your account, never used for training, never shared. We don't separately contact, market to, or build profiles of the people whose information you enter. Their data is bound to your project and to your account.

You agree at signup that you have the right to enter that information — for example, because you've discussed the contract with the person, because they're a collaborator who's expecting to receive a contract, or because applicable law permits you to. If they later contact you about their data, you can ask us to help. If they contact us directly, we'll route the request through you.

For minor children specifically (in the Minor Performer Release flow), you're confirming that you've obtained appropriate parent or guardian authorization. We retain minor information for the shortest period consistent with your production need.

Can OGF employees read my scripts?

Not in routine operation, no. There is no internal dashboard, search tool, or interface that gives our team bulk access to user content. The only path to your content is a support ticket you initiated, where access is granted only for the specific request, logged, and revoked when the ticket closes.

We're also small. The honest version: yes, technically, the founder has root access to the database — that's true of every early-stage SaaS company in existence. What we commit to is that we don't use it. We log access. We document our internal policy. And as we grow, we add the structural controls that make even technical access genuinely impossible without an audit trail.

What happens to my data if OGF gets acquired?

The buyer is bound by the same terms in place at the time of transition. They cannot weaken protections without giving you 30 days' notice and an explicit opt-in — not a forced acceptance. Before the transition takes effect, you'll have the option to export everything and delete your account.

This is written into our binding Terms of Use. It also makes OGF a more attractive acquisition target, because a clean privacy posture is worth more in a sale than a permissive one.

I uploaded a redline contract from my attorney. What happens to it?

It's processed in-session for whatever you asked for, then stored in your project vault under the same protections as everything else. We don't study it, extract clause patterns from it, or aggregate it with other users' contracts to "improve the platform."

We've thought about whether to build an opt-in program where filmmakers (and their attorneys) could choose to contribute redlines to help improve the Contract Builder for everyone — with explicit consent, compensation, and a right to withdraw. It's an idea we've architected for but haven't built. If we ever do, you'll know — and your existing redlines stay outside the program unless you opt them in.

What "metadata" do you actually collect about me?

The kind that describes how the platform works for you, not what's inside your project. Examples: which tool you opened first, how long generation took, where you dropped off in intake (the question identifier, not your answer), whether you completed the Securities Compliance Gate before generating an investor agreement (yes/no, not the gate's contents), how many tools you've used on this project.

This is the data that lets us see the "life of a project" — where filmmakers came in, how the platform moved them forward, where they got stuck. It's the foundation of our product decisions and our valuation. None of it reveals what's inside your script. You can request a full copy of all metadata associated with your account at any time.

What about the "Films like yours had 34% acceptance at these festivals" feature in the roadmap?

Good question. That's a Phase 4 feature — not yet built. When we build it, it will query a pre-computed aggregates table that enforces a minimum of 10 users per data point. Real-time per-user queries against your project to make outward-facing recommendations are prohibited. The aggregation rule is enforced at the database layer, not just in policy.
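
One way a minimum-cell-size rule like the one described above can be enforced in the database itself, as an added example in plain PostgreSQL (not OGF's schema; the feature is described as not yet built). The table names, the `recommendations_api` role and all rows are constructed for the illustration.

```sql
-- Added example: constructed tables, role and data; plain PostgreSQL 13+.
CREATE TABLE festival_outcomes (             -- per-user source rows (hypothetical)
    user_id  uuid    NOT NULL,
    genre    text    NOT NULL,
    festival text    NOT NULL,
    accepted boolean NOT NULL
);

CREATE TABLE festival_acceptance_agg (       -- the only table the feature may read
    genre          text         NOT NULL,
    festival       text         NOT NULL,
    user_count     integer      NOT NULL,
    acceptance_pct numeric(4,1) NOT NULL CHECK (acceptance_pct BETWEEN 0 AND 100),
    PRIMARY KEY (genre, festival),
    -- The threshold lives in the schema, so a buggy refresh job cannot publish a small cell.
    CONSTRAINT min_ten_users CHECK (user_count >= 10)
);

CREATE ROLE recommendations_api NOLOGIN;     -- hypothetical role for the feature
GRANT SELECT ON festival_acceptance_agg TO recommendations_api;
-- No grant on festival_outcomes: per-user rows are unreachable from this role.

-- Constructed data: 12 users in one cell, 3 users in another.
INSERT INTO festival_outcomes
SELECT gen_random_uuid(), 'drama', 'Festival A', n % 3 = 0 FROM generate_series(1, 12) AS n;
INSERT INTO festival_outcomes
SELECT gen_random_uuid(), 'horror', 'Festival A', n = 1 FROM generate_series(1, 3) AS n;

-- Refresh job: one row per cell, small cells dropped before they are written.
BEGIN;
DELETE FROM festival_acceptance_agg;
INSERT INTO festival_acceptance_agg (genre, festival, user_count, acceptance_pct)
SELECT genre, festival,
       count(DISTINCT user_id),
       round(100.0 * count(*) FILTER (WHERE accepted) / count(*), 1)
FROM festival_outcomes
GROUP BY genre, festival
HAVING count(DISTINCT user_id) >= 10;
COMMIT;

-- The 3-user horror cell is filtered out by HAVING; only cells with 10+ users are stored.
SELECT genre, festival, user_count, acceptance_pct FROM festival_acceptance_agg;

-- A direct attempt to publish the 3-user cell is refused by the constraint.
DO $$
BEGIN
    INSERT INTO festival_acceptance_agg VALUES ('horror', 'Festival A', 3, 33.3);
    RAISE EXCEPTION 'small cell was accepted';
EXCEPTION WHEN check_violation THEN NULL;    -- SQLSTATE 23514, expected
END $$;
```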

Can I get my data out, or delete it?

Yes to both. Export your full project vault as a downloadable ZIP archive any time, free of charge. Delete a project, and after a 30-day grace period, it's gone from production and from backups. Close your account, and after the same grace period, your content is permanently purged. Your aggregate metadata is anonymized at account closure — your user identifier is rotated to a non-reversible hash so the aggregate signal of past use is preserved while no individual record can be traced back to you.

I'm a film school administrator considering OGF AI for my students. How does this work for institutions?

Our Film School and Enterprise tiers support multiple users under one institutional account, with tenant-aware row-level security so one student can't read another student's projects. Institutional administrators can see organization-level usage metadata (which tools are used most, aggregate engagement) but not the contents of individual users' projects unless those users explicitly grant access.

For students under 18: the institution represents at signup that all student users are 18+, OR that the institution has obtained appropriate consent under applicable education-data law (FERPA in the United States). We don't directly verify student ages or parental consent — the institution is responsible for that. Talk to us before onboarding student users under 18.

What if there's a security breach?

You'll hear from us within 72 hours of confirmation, by email, with what happened, what data was involved, what we're doing about it, what we recommend you do, and how to reach us with questions. If the incident affected third-party data you'd entered, we'll work with you on appropriate notification to those people. We'll also notify regulators where required by law.

How do I report a security issue?

Email security@getogf.ai with a description of the issue. We commit to acknowledging within 48 hours and working with you in good faith. We don't currently run a paid bug bounty (it's on the roadmap), but we'll publicly credit responsible disclosures with permission.

07 — Talk To Us

Real humans, monitored inboxes.

If you have a question, a concern, or you've found something we should know about, write to us. We read everything.

Privacy
Data access, deletion, export, and questions about this page.
Security
Vulnerability reports and responsible disclosures.
Legal
Terms of Use questions, legal process, partnership inquiries.

For the binding legal version of these commitments, see our Privacy Policy and Terms of Use. This page is the human-readable companion — it's accurate, but the legal document governs.