Oyami Privacy Policy

Version: 1.3. Effective: upon Oyami's public launch. Last updated: 2026-05-27.

Oyami is a video service for planned, periodic listening conversations. It is operated as a small project (one person, the same person who runs Pharmacopedia), not a company. This page describes what Oyami collects, why, how long it keeps it, and what you can ask us to do with it. Plain language; if anything is unclear, ask.

Who runs Oyami, and what role it plays with Pharmacopedia

Oyami and Pharmacopedia are operated by the same person, Mark Elliott, MD, as separate sides of the same project. The named data controller on each privacy page is Mark Elliott, MD.

Your account and your assessments live on Pharmacopedia. Pharmacopedia is the data controller for that shared layer; rights related to your account or your assessments are exercised through Pharmacopedia at About:Privacy. Oyami reads from that layer only with your consent (see below). Oyami is itself an independent data controller, both for the data you generate inside Oyami (matching preferences, availability, veto and meeting history, check-in responses) and for Oyami's own processing of any Pharmacopedia-layer data it pulls. The two sides coordinate but each holds its own page, and neither speaks for the other.

How sign-in works

Oyami does not have its own account or password. You sign in with Pharmacopedia. When you click "Sign in with Pharmacopedia," Pharmacopedia authenticates you, shows you what Oyami is asking for, and, with your consent, sends you back to Oyami with a short-lived access token. Pharmacopedia never gives Oyami your password or your second factor.

Three scopes appear on Pharmacopedia's consent screen. You can grant any subset; the first two are needed only if you want assessment-based matching, and the third is off by default and requires a separate explicit consent step:

  • oyami-assessments-personality: share your personality-style assessments (OCEAN, Enneagram, MBTI) with Oyami to inform conversational matching.
  • oyami-assessments-needs: share your psychological-needs assessments (BPNS, NFCS, WHOQOL-BREF) with Oyami to inform conversational matching.
  • oyami-assessments-clinical: share your clinical-scope assessments (ADHD, autism, mood, anxiety, sleep screens) with Oyami, and enable the brief check-in shown before and after each meeting. This is medical information; review carefully before granting.

You can disconnect Oyami from Pharmacopedia at any time from your Oyami settings. This clears Oyami's stored tokens and stops Oyami from reading anything from Pharmacopedia. Signing back in restores access.

What Oyami stores about you

When you sign in and use Oyami:

  • Your Pharmacopedia user ID and the display name you chose.
  • Your timezone, your availability windows, and your matching preferences (mode, plus the descriptors you have chosen to expose).
  • The date your Oyami account was created and the date of your most recent sign-in.
  • A history of your match proposals, meeting outcomes, and vetoes, including any written veto explanations attached.
  • The counts used to enforce the veto rate limit (lifetime and 30-day rolling) and the end-time of any active cooldown.
  • Your responses to the brief pre- and post-meeting check-in, if you have granted the oyami-assessments-clinical consent. These are stored per meeting against your account, encrypted at rest, and never shown to other humans in the meeting.
  • Your encrypted OAuth access and refresh tokens, for as long as you stay connected to Pharmacopedia.

When you visit without signing in, the web server records your IP address and user-agent in its access log, the same way every web server does. Sign-in events also record an IP for up to 24 hours for anti-abuse, then delete it.

What Oyami does not do

These are commitments, not aspirations:

  • Audio is never recorded. Ever.
  • Video is never recorded. Ever.
  • Meetings are not transcribed. There is no server-side speech-to-text.
  • No AI is ever placed in your meeting. No bots, no copilots, no listening assistants.
  • No analytics SDK, advertising tracker, or third-party telemetry runs on Oyami.
  • Your data is not sold.
  • No ads are shown. There are no advertisers.
  • No public rating, no leaderboard, no reputation signal is exposed to other users. Your veto and meeting counts are visible only to you and to the matching engine.

What Oyami reads from Pharmacopedia, and how

Pharmacopedia is the durable store; Oyami is a conversational surface. Data flows from Pharmacopedia to Oyami only on your terms.

  • Assessment data is nothing by default. Your Pharmacopedia self-assessments are not visible to Oyami unless you explicitly opt in on the Pharmacopedia side, per assessment, under the Oyami section of your Pharmacopedia profile (Special:MyProfile on pharmacopedia.wiki).
  • Clinical-scope assessments (PID-5-BF, CATI/CAT-Q, ASRS, BSL-23, OCI-PCP, HYD-PCP, ESS-PCP) sit behind a separate explicit consent on Pharmacopedia, with a "this is medical information, who can see this?" notice. Oyami cannot reach them unless you grant that consent.
  • What Oyami reads, it reads live. Oyami pulls exposed assessments at session-relevant moments, holds them in memory for minutes, and discards. Assessment payloads are not replicated into Oyami's database.
  • One Pharmacopedia-side profile field, titled "What I'd like my Oyami conversation partner to know." Free text you write on Pharmacopedia; default private, opt-in to share with Oyami. Oyami reads it at session start.
  • No transcripts and no session history flow from Oyami back to Pharmacopedia in this version.
  • Check-in responses are Oyami-side, not from Pharmacopedia. The brief pre- and post-meeting check-in is original Oyami-side data, collected by Oyami; nothing about it is pulled from Pharmacopedia or written back to Pharmacopedia. The oyami-assessments-clinical consent gates both clinical-scope Pharmacopedia reads and check-in participation.

OAuth grant and revocation for Oyami's connection to Pharmacopedia are managed from your Pharmacopedia account at Special:OAuthManageMyGrants on pharmacopedia.wiki. A per-Oyami activity log (login timestamps, scopes, session durations) is planned for a later version; the structure is in place, but v0 does not surface it.

Third parties

A few outside services are involved in running Oyami:

  • LiveKit (video provider). Routes your audio and video in real time. Nothing is written to disk on LiveKit's side under Oyami's configuration. v1 runs on LiveKit Cloud; a self-hosted option is planned for a later version.
  • Pharmacopedia. Holds your account; supplies the OAuth identity layer; holds the assessment data Oyami reads from. Governed by Pharmacopedia's own privacy policy at About:Privacy.
  • Sentry. Receives technical error reports from Oyami's frontend and backend. No user-level tracking; technical detail only.
  • Hosting. Frontend on Vercel; backend and database on a host that has not yet been selected. The final list of subprocessors will be published before sign-up opens.

Oyami does not run any analytics service, advertising SDK, or third-party tracking. There is no payments integration.

Cookies

Sign-in uses an HttpOnly, Secure, SameSite=Strict cookie holding your encrypted OAuth tokens; browser JavaScript cannot read it. A CSRF protection cookie and a session cookie for the active tab are also set. No tracking cookies, no third-party cookies.

Encryption

  • In transit: every connection to Oyami is HTTPS.
  • OAuth tokens: stored encrypted at rest in the HttpOnly cookie described above. Refresh tokens are rotated on every use.
  • Check-in responses: your responses to the brief pre- and post-meeting check-in are encrypted at rest.
  • Video and audio: routed live through LiveKit; not written to disk under Oyami's configuration.

How long things are kept

  • Server access logs: rotated daily, kept for 14 days, then deleted.
  • Sign-in IP addresses: kept for up to 24 hours for anti-abuse, then deleted.
  • Ephemeral matching state (Redis cache): minutes to hours.
  • Account data and the content you have stored against your account: kept until you ask us to delete it (see below).
  • OAuth tokens: kept for as long as you stay connected to Pharmacopedia.

Your data, what you can do with it

  • See it. Your Oyami settings show what is stored against your account.
  • Change it. Every field you have filled in can be edited or emptied from the page where you entered it.
  • Export it. Email us and we will return your Oyami account data in a machine-readable form.
  • Delete it. Email us and we will delete your Oyami data. The live copies are removed promptly. Backups are kept up to 7 days on the host, then up to 14 days in active off-site storage. The off-site provider keeps deleted files in a recovery layer for up to 180 additional days, during which the encrypted bundle may remain recoverable by the account operator; after that window the bundle is permanently deleted. The backup is GPG-AES256 encrypted at all times; the off-site provider cannot read it.
  • Disconnect from Pharmacopedia. At any time, from Oyami settings. This clears tokens and severs the link; it does not delete Oyami data unless you also ask for deletion.

For any of the above, email privacy@oyami.org.

If you are in California (CCPA / CPRA)

You additionally have the right to know the categories of personal information collected, the right to opt out of sale or sharing (Oyami does not sell or share personal information for cross-context behavioral advertising; there is no sale to opt out of), the right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights. The categories are listed above; retention periods are in "How long things are kept."

If you are in the EU, UK, or another GDPR-aligned jurisdiction

The same baseline rights apply, framed as your GDPR rights of access, rectification, erasure, restriction, portability, and objection. The legal basis for processing is your consent (for the OAuth connection and any assessment exposure) and Oyami's legitimate interest in running the matching service you signed up for. There is no automated decision-making with legal effects. International data transfers from the EU/UK to the United States, where Oyami's servers live, are made under appropriate safeguards (standard contractual clauses or successor mechanisms).

Children

Oyami is for adults (18+) in this version. Personal information is not knowingly collected from anyone under 13. A separate approach for users between 13 and 17 is being developed; until that is published, no one under 18 should use Oyami. If a child under 13 has provided personal information, contact privacy@oyami.org and it will be deleted.

Open items

A few items finalize before Oyami's public launch:

  • The final list of subprocessors. The specific email provider, database host, and backend host are still being chosen. The chosen backend must support the backup approach described in the "Delete it" section above.
  • The detailed approach for users between 13 and 17.
  • The final wording of the OAuth consent screen on the Pharmacopedia side, reconciled with Pharmacopedia before launch.
  • The exact wording of the clinical-consent prompt and the "skip for now" flow on the check-in screen.

Any of these that move the substance of this policy will trigger a versioned update.

Changes to this policy

When something material changes, it is announced on Oyami and, if you have an active account, sent to you. The "Last updated" date at the top tracks the most recent change. Prior versions are kept on a public archive page.

Contact

Privacy questions: privacy@oyami.org. Pharmacopedia-side questions (your account, your assessments): info@pharmacopedia.wiki.