Privacy Policy
Last updated: 2026-04-19
This Privacy Policy explains how OIO(“we”, “us”) collects, uses, and protects personal data in connection with the OIO service (the “Service”). We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable local data protection laws.
1. Data Controller
OIO (operated by Albert Megbenyo)
Pentecost Junction, Ablekuma Fan Milk
Accra 00233, Ghana
Email: privacy@oio.app
If you are a business customer using the Service to process personal data of your own clients, you are the data controller for that data and we act as your data processor. A Data Processing Agreement (DPA) is available on request from privacy@oio.app.
2. What We Collect
Account data
- Email address, name, authentication identifier (via Google or email/password).
- Profile preferences (language, theme, business profile details).
Service data
- Content you create: projects, clients, tasks, notes, invoices, files, whiteboards, calendar entries, chat messages with the AI assistant.
- Files you upload (stored in encrypted private buckets, accessible only via short-lived signed URLs).
Usage & technical data
- IP address, browser type, device info, timestamps.
- Pages visited, features used, error logs.
- Authentication tokens (stored in HttpOnly cookies).
Payment data
- Processed by our payment provider (Paystack). We do not store full card details. We retain transaction IDs and billing addresses.
3. Legal Bases for Processing (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — to provide the Service you requested.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud, improve reliability, debug. Balanced against your rights.
- Consent (Art. 6(1)(a)) — for optional features such as AI processing of specific content you choose to submit.
- Legal obligation (Art. 6(1)(c)) — for tax, accounting, and regulatory compliance.
4. How We Use Your Data
- Deliver, maintain, and secure the Service.
- Authenticate you and authorize access to your data.
- Process payments and issue invoices.
- Send service-related notifications (account, security, transactional emails).
- Detect and prevent abuse, fraud, and security incidents.
- Comply with legal obligations and respond to lawful requests.
We do not sell your personal data. We do not use your data for advertising or profiling for marketing purposes. We do not share your data with third parties except the sub-processors listed below.
5. Sub-Processors
We use the following sub-processors to operate the Service. Each is bound by data protection obligations equivalent to those in this policy.
- Supabase Inc. (United States) — database, authentication, realtime. Hosted in EU region where possible.
- Cloudflare, Inc. (United States) — edge compute (Workers), CDN, R2 object storage for uploaded files.
- Anthropic, PBC (United States) — AI assistant processing. Data submitted to AI features is sent for inference; Anthropic does not use it to train models under our commercial agreement.
- Paystack Payments Limited (Nigeria / global) — payment processing.
- Cloudflare, Inc. — transactional email delivery via Cloudflare Email Routing.
Material changes to this list will be communicated by email at least 30 days before they take effect. Customers may request an updated list at any time fromprivacy@oio.app.
6. International Data Transfers
Some sub-processors are located outside the European Economic Area. Where required, transfers rely on the European Commission's Standard Contractual Clauses (SCCs), applicable adequacy decisions, or other lawful transfer mechanisms. You can request a copy of the relevant safeguards by writing to privacy@oio.app.
7. Data Retention
- Account and Service data is retained while your account is active.
- On account deletion, your data is soft-deleted immediately and permanently erased within 30 days, except for data we are legally required to retain (e.g., invoicing records — typically up to 10 years depending on jurisdiction).
- Backups are retained for up to 30 days and then overwritten.
- Access logs are retained for up to 90 days for security purposes.
8. Your Rights (GDPR)
You have the following rights, subject to legal limits:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — request deletion.
- Portability — receive your data in a structured, machine-readable format. Most of your Service data is directly exportable from within the app.
- Restriction — limit how we process your data.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent.
To exercise any right, email privacy@oio.app. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority in your EU member state.
9. Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via infrastructure providers).
- Row-level security policies at the database layer — users can only access their own data or data shared with them.
- Private file storage with short-lived signed URLs (no public buckets).
- Authentication via secure providers; session tokens stored in HttpOnly cookies.
- Principle of least privilege for infrastructure access.
- Rate limiting, CSRF protection, content security policies.
- Regular dependency updates and security monitoring.
See our Security Statement for details.
10. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected users without undue delay where the breach is likely to result in a high risk.
11. Cookies & Similar Technologies
We use strictly-necessary cookies for authentication and session management. We do not use advertising, tracking, or third-party analytics cookies. No cookie consent banner is legally required for strictly-necessary cookies under EU ePrivacy rules.
12. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If we learn we have done so, we will delete it.
13. Automated Decision-Making
We do not use your personal data to make decisions that produce legal or similarly significant effects based solely on automated processing. AI assistant output is suggestive; you remain in control of all decisions within the Service.
14. Changes to This Policy
We may update this policy. Material changes will be communicated by email or in-product notice at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent revision.
15. Contact
Privacy questions: privacy@oio.app