Privacy Policy

1. Controller

The controller responsible for data processing on this website is:

2. What data we collect

We collect the following categories of personal data:

• Account data: name, email address, and password (stored securely via Supabase Auth)
• Profile data: user type, role, and onboarding answers you provide
• Usage data: pages visited, features used, session duration (via analytics)
• Technical data: IP address, browser type, device type, operating system
• Communication data: any messages you send us via email

3. How we use your data

We process your personal data for the following purposes:

• To provide and operate the Octara platform
• To send you transactional emails (e.g. welcome email, weekly digest)
• To analyse and improve our service
• To respond to your enquiries and support requests
• To comply with legal obligations

The legal basis for processing is Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(a) GDPR (consent for analytics/marketing cookies), and Art. 6(1)(f) GDPR (legitimate interests for service improvement).

4. Cookies and analytics

We use cookies and similar tracking technologies. Essential cookies are required for the platform to function and do not require your consent. With your consent, we also use:

• Google Analytics (GA4): to understand how visitors use our website. Data is processed by Google LLC, USA. Google is certified under the EU–US Data Privacy Framework.
• Hotjar: to analyse user behaviour through heatmaps and session recordings. Data is processed by Hotjar Ltd., Malta.

You can manage your cookie preferences at any time via the cookie settings banner on this site.

5. Third-party services

We use the following sub-processors to operate the platform:

• Supabase (database and authentication) — AWS EU infrastructure
• Vercel (hosting and deployment) — servers in the EU/USA
• Resend (transactional email) — USA, processes email addresses
• Anthropic (AI content generation) — USA, processes content you submit
• Google Search Console API — data you connect voluntarily

Where data is transferred outside the EEA, we rely on Standard Contractual Clauses or adequacy decisions.

6. Data retention

We retain your account data for as long as your account is active. If you delete your account, your personal data is deleted within 30 days, unless we are required to retain it for legal reasons. Analytics data is retained in accordance with the respective provider's retention policies (GA4: 14 months by default).

7. Your rights

Under the GDPR, you have the following rights:

• Right of access — request a copy of your personal data
• Right to rectification — correct inaccurate data
• Right to erasure — request deletion of your data
• Right to restriction — limit how we process your data
• Right to data portability — receive your data in a structured format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — at any time, without affecting prior processing

To exercise any of these rights, contact us at hello@octara.app.

8. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice on the platform. The date at the top of this page indicates when the policy was last revised.

10. Contact

For any privacy-related questions, please contact us at hello@octara.app.