SOC 2 certification in progress.Our security practices
/ legal

Privacy Policy

Last updated: January 1, 2026

This policy explains how Occlo collects, uses, and protects your personal data. Questions? privacy@occlo.ai

1. Who we are

Occlo ("we", "us", "our") is the data controller for personal data processed through occlo.ai and app.occlo.ai. Contact us at privacy@occlo.ai for any privacy-related enquiries.

2. What we collect

Account data: name, email address, and Google OAuth identifier when you sign in. Identity data: email addresses, phone numbers, physical addresses, usernames, and crypto wallet addresses you add to your profile for scanning. Scan results: data-broker and surface-web listings found during scans. Usage data: feature interactions, session data, and error logs — used solely for service reliability and improvement. Billing data: processed by Stripe; we store only a Stripe customer ID and subscription status.

3. How we use your data

We use your data to: run OSINT scans against data-broker databases and surface-web sources; generate your privacy health score; submit opt-out and removal requests on your behalf; send exposure alerts via email, Slack, or Telegram (as configured); process subscription payments via Stripe; operate the AI assistant (your data is sent to OpenAI only when you actively use the assistant feature). We do not sell, rent, or share your personal data with third parties for advertising.

4. Legal bases (GDPR)

We process your data on the basis of: contractual necessity (running scans and removals you signed up for); legitimate interests (security, fraud prevention, service improvement); consent (marketing communications — withdrawable at any time); legal obligation (responding to valid legal requests).

5. Data retention

We retain your data for as long as your account is active. If you delete your account, all personal data is deleted within 30 days, except where retention is required by law (e.g. billing records, which are retained for 7 years under tax obligations). Scan results are purged immediately on account deletion.

6. Third-party processors

We use the following third-party processors: Stripe (payments, US — Standard Contractual Clauses), OpenAI (AI assistant, US — SCC), cloud infrastructure (EU). All sub-processors are bound by data processing agreements consistent with GDPR requirements.

7. International transfers

Your data is stored within the EU. Where sub-processors are located outside the EEA, transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring equivalent protection.

8. Your rights

Under GDPR, you have the right to: access your data (Settings → Data Export); correct inaccurate data; delete your account and all data (Settings → Account → Delete Account); restrict or object to processing; data portability. For requests that cannot be fulfilled in-app, email privacy@occlo.ai. We respond within 30 days.

9. Cookies

We use strictly necessary cookies for session management and authentication. We do not use third-party advertising or tracking cookies. See our Cookie Policy for details.

10. Security

We implement encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, and regular security reviews. We will notify you within 72 hours of becoming aware of a personal data breach that is likely to result in risk to your rights and freedoms.

11. Changes to this policy

We may update this Privacy Policy at any time. Material changes will be communicated by email at least 14 days before they take effect. The current version is always available at occlo.ai/legal/privacy.

12. Contact

Privacy Team: privacy@occlo.ai. For GDPR requests: privacy@occlo.ai. For security concerns: security@occlo.ai. We respond to all enquiries within 30 days.