Privacy Policy
Last updated: January 1, 2026
This policy explains how Occlo collects, uses, and protects your personal data. Questions? privacy@occlo.ai
1. Who we are
Occlo ("we", "us", "our") is the data controller for personal data processed through occlo.ai and app.occlo.ai. Contact us at privacy@occlo.ai for any privacy-related enquiries.
2. What we collect
Account data: name, email address, and Google OAuth identifier when you sign in. Identity data: email addresses, phone numbers, physical addresses, usernames, and crypto wallet addresses you add to your profile for scanning. Scan results: data-broker and surface-web listings found during scans. Usage data: feature interactions, session data, and error logs — used solely for service reliability and improvement. Billing data: processed by Stripe; we store only a Stripe customer ID and subscription status.
3. How we use your data
We use your data to: run OSINT scans against data-broker databases and surface-web sources; generate your privacy health score; submit opt-out and removal requests on your behalf; send exposure alerts via email, Slack, or Telegram (as configured); process subscription payments via Stripe; operate the AI assistant (your data is sent to OpenAI only when you actively use the assistant feature). We do not sell, rent, or share your personal data with third parties for advertising.
4. Legal bases (GDPR)
We process your data on the basis of: contractual necessity (running scans and removals you signed up for); legitimate interests (security, fraud prevention, service improvement); consent (marketing communications — withdrawable at any time); legal obligation (responding to valid legal requests).
5. Data retention
We retain your data for as long as your account is active. If you delete your account, all personal data is deleted within 30 days, except where retention is required by law (e.g. billing records, which are retained for 7 years under tax obligations). Scan results are purged immediately on account deletion.
6. Third-party processors
We use the following third-party processors: Stripe (payments, US — Standard Contractual Clauses), OpenAI (AI assistant, US — SCC), cloud infrastructure (EU). All sub-processors are bound by data processing agreements consistent with GDPR requirements.
7. International transfers
Your data is stored within the EU. Where sub-processors are located outside the EEA, transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring equivalent protection.
8. Your rights
Under GDPR, you have the right to: access your data (Settings → Data Export); correct inaccurate data; delete your account and all data (Settings → Account → Delete Account); restrict or object to processing; data portability. For requests that cannot be fulfilled in-app, email privacy@occlo.ai. We respond within 30 days.
9. Cookies
We use strictly necessary cookies for session management and authentication. We do not use third-party advertising or tracking cookies. See our Cookie Policy for details.
10. Security
We implement encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, and regular security reviews. We will notify you within 72 hours of becoming aware of a personal data breach that is likely to result in risk to your rights and freedoms.
11. Changes to this policy
We may update this Privacy Policy at any time. Material changes will be communicated by email at least 14 days before they take effect. The current version is always available at occlo.ai/legal/privacy.
12. Contact
Privacy Team: privacy@occlo.ai. For GDPR requests: privacy@occlo.ai. For security concerns: security@occlo.ai. We respond to all enquiries within 30 days.