Privacy Policy

Last updated: March 24, 2026

1. Scope and Applicability

This Privacy Policy ("Policy") governs the collection, use, processing, and protection of information provided to or collected by Backpack ("we," "us," "our") through the Backpack App service at app.backpackontology.com and related services (collectively, the "Service").

This Policy applies exclusively to the Backpack App cloud service. The open source Backpack Local software (backpack-ontology, backpack-viewer) operates entirely on your device and is governed by a separate privacy policy. Backpack Local does not transmit ontology data to our servers.

By creating an account or using the Service, you acknowledge that you have read, understood, and agree to the terms of this Policy.

2. Information We Collect

2.1 Account Information

When you create an account or sign in through a third-party identity provider (such as Microsoft Entra ID), we collect your email address and display name. This information is necessary to identify your account, authenticate your sessions, and enable collaboration features such as sharing and team management.

2.2 Ontology Data (User Content)

When you use the Service, you may create, upload, or synchronize ontology data including nodes, edges, properties, metadata, and associated structured content ("User Content"). This User Content is stored on our servers and is necessary to provide the core functionality of the Service.

2.3 Usage and Analytics Data

We automatically collect information about how you interact with the Service, including pages visited, features used, session duration, ontology sizes, and interaction patterns. This data is used to understand how the Service is used, identify issues, and inform product development.

We use Google Analytics, a web analytics service provided by Google LLC, to collect and analyze usage data on our marketing website (backpackontology.com). Google Analytics uses cookies and similar technologies to collect information such as pages visited, time spent on pages, referral sources, browser type, device type, and approximate geographic location (derived from IP address). This information is transmitted to and stored by Google on servers that may be located outside your country of residence. Google may use this data in accordance with its own privacy policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

2.4 Server and Access Logs

Our infrastructure automatically records request metadata including IP addresses, timestamps, request paths, HTTP methods, response status codes, and user agent strings. These logs are retained for security monitoring, abuse prevention, and operational diagnostics for a period of 90 days, after which they are automatically purged.

2.5 Cookies and Session Data

We use a strictly necessary session cookie to maintain your authenticated state on app.backpackontology.com. Additionally, Google Analytics sets cookies (such as _ga and _ga_*) on our marketing website to distinguish unique visitors and track session information. We do not use advertising cookies or track you across unrelated websites.

3. How We Use Your Information

3.1 Providing the Service

We use your information to operate and deliver the Service, including storing and displaying your ontologies, enabling sharing and collaboration, authenticating your identity, and processing your requests.

3.2 Improving and Developing the Service

We may access, analyze, and process User Content to improve the Service, develop new features, build data products, train models, conduct research, and enhance the overall user experience. This processing may include analyzing ontology structures, relationship patterns, usage trends, and content characteristics across our user base.

We use this understanding of how customers structure and utilize knowledge graphs to build better tools, suggest improvements, and develop features that serve our users more effectively. This is a core part of how we deliver value through the Service.

3.3 Safety, Compliance, and Enforcement

We reserve the right to access, review, and analyze User Content to ensure compliance with our Terms of Service and Acceptable Use Policy. This includes, but is not limited to, automated and manual screening for prohibited content such as protected health information (PHI), export-controlled materials, classified information, or illegal content. We may take action including content removal and account suspension or termination if violations are identified.

3.4 Communications

We may use your email address to send transactional communications related to the Service, including account verification, sharing and invitation notifications, security alerts, service updates, and material changes to this Policy or our Terms of Service. We do not send marketing emails without your explicit opt-in consent.

4. Data Processing by Service Tier

The extent to which we process and analyze User Content varies by your subscription tier:

4.1 Free and Standard Tiers

User Content may be accessed and processed as described in Section 3.2 to improve the Service, develop features, and build data products. Compliance screening as described in Section 3.3 applies. Data is stored in shared infrastructure with logical tenant separation.

4.2 Teams Tier

User Content may be processed as described in Section 3.2 in aggregated and anonymized form. Individually identifiable ontology content will not be used for purposes unrelated to providing the Service to your team without explicit consent from a team administrator. Compliance screening as described in Section 3.3 continues to apply.

4.3 Enterprise Tier

Enterprise customers may negotiate a Data Processing Agreement (DPA) that restricts or eliminates data processing beyond what is strictly necessary to provide the Service. Enterprise deployments may include options for dedicated infrastructure, customer-managed encryption keys, and contractual commitments regarding data isolation. Compliance screening may be adjusted by mutual agreement. Contact [email protected] for details.

5. Data Sharing and Disclosure

We do not sell, rent, lease, or trade your personal information or User Content to third parties for their own commercial purposes. We may disclose information in the following circumstances:

  • With your consent: When you explicitly authorize sharing, such as when you invite a collaborator or share an ontology with a team member.
  • Service providers: We may engage trusted third-party service providers who assist in operating our infrastructure, subject to contractual obligations of confidentiality and data protection no less protective than this Policy.
  • Legal requirements: When required to comply with applicable law, regulation, legal process, or enforceable governmental request, including court orders, subpoenas, or national security demands.
  • Protection of rights: When necessary to protect the rights, property, or safety of Backpack, our users, or the public, including enforcing our Terms of Service and investigating potential violations.
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.

6. Data Storage, Security, and Retention

6.1 Storage and Security

User Content is stored in encrypted databases within secure, access-controlled infrastructure. All data in transit is encrypted using TLS 1.2 or higher. Access to production systems is restricted to authorized personnel through role-based access controls, multi-factor authentication, and audit logging. We conduct regular security assessments and apply timely patches to address known vulnerabilities.

6.2 Data Retention

We retain your User Content for as long as your account is active or as needed to provide the Service. When you request deletion of your data through the account settings, your ontologies are marked for removal and permanently purged from our primary systems within 30 days. Residual copies in encrypted backups are purged within 90 days. We may retain anonymized, aggregated data that cannot be associated with your account indefinitely for analytics and product improvement purposes.

7. Your Rights and Choices

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:

  • Right of Access: You may request a copy of all personal information and User Content associated with your account. This can be done through the account settings page or by contacting us.
  • Right of Rectification: You may update or correct your account information at any time through the account settings page.
  • Right of Deletion: You may request deletion of all your data through the account settings page. Upon request, we will delete your personal information and User Content in accordance with Section 6.2.
  • Right of Data Portability: You may export your ontology data at any time in a standard, machine-readable format through the Service.
  • Right to Object: You may object to certain processing activities as described in Section 3.2. Objections may be accommodated through an upgrade to a tier with enhanced privacy protections or, where legally required, at no additional cost.

To exercise any of these rights, contact [email protected]. We will respond to verified requests within 30 days.

8. International Data Transfers

Your information may be transferred to, stored in, and processed in jurisdictions other than your country of residence. Where such transfers occur, we ensure appropriate safeguards are in place to protect your information in accordance with this Policy and applicable data protection laws.

9. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to promptly delete such information. If you believe a child has provided us with personal information, please contact us at [email protected].

10. Backpack Local (Open Source)

This Policy does not apply to the open source Backpack Local software. Backpack Local operates entirely on your device and does not transmit ontology data to our servers. The Backpack Local MCP server collects optional, anonymous usage telemetry (tool call counts, session duration) which can be disabled with DO_NOT_TRACK=1. For full details, see the Backpack Local Privacy Policy.

11. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by email and/or through a prominent notice on the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date of the revised Policy constitutes acceptance of the updated terms. We encourage you to review this Policy periodically.

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: