Privacy Policy

Last updated: 2026-04-19

This Privacy Policy explains how OIO(“we”, “us”) collects, uses, and protects personal data in connection with the OIO service (the “Service”). We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable local data protection laws.

1. Data Controller

OIO (operated by Albert Megbenyo)
Pentecost Junction, Ablekuma Fan Milk
Accra 00233, Ghana
Email: privacy@oio.app

If you are a business customer using the Service to process personal data of your own clients, you are the data controller for that data and we act as your data processor. A Data Processing Agreement (DPA) is available on request from privacy@oio.app.

2. What We Collect

Account data

  • Email address, name, authentication identifier (via Google or email/password).
  • Profile preferences (language, theme, business profile details).

Service data

  • Content you create: projects, clients, tasks, notes, invoices, files, whiteboards, calendar entries, chat messages with the AI assistant.
  • Files you upload (stored in encrypted private buckets, accessible only via short-lived signed URLs).

Usage & technical data

  • IP address, browser type, device info, timestamps.
  • Pages visited, features used, error logs.
  • Authentication tokens (stored in HttpOnly cookies).

Payment data

  • Processed by our payment provider (Paystack). We do not store full card details. We retain transaction IDs and billing addresses.

3. Legal Bases for Processing (GDPR Art. 6)

  • Contract (Art. 6(1)(b)) — to provide the Service you requested.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud, improve reliability, debug. Balanced against your rights.
  • Consent (Art. 6(1)(a)) — for optional features such as AI processing of specific content you choose to submit.
  • Legal obligation (Art. 6(1)(c)) — for tax, accounting, and regulatory compliance.

4. How We Use Your Data

  • Deliver, maintain, and secure the Service.
  • Authenticate you and authorize access to your data.
  • Process payments and issue invoices.
  • Send service-related notifications (account, security, transactional emails).
  • Detect and prevent abuse, fraud, and security incidents.
  • Comply with legal obligations and respond to lawful requests.

We do not sell your personal data. We do not use your data for advertising or profiling for marketing purposes. We do not share your data with third parties except the sub-processors listed below.

5. Sub-Processors

We use the following sub-processors to operate the Service. Each is bound by data protection obligations equivalent to those in this policy.

  • Supabase Inc. (United States) — database, authentication, realtime. Hosted in EU region where possible.
  • Cloudflare, Inc. (United States) — edge compute (Workers), CDN, R2 object storage for uploaded files.
  • Anthropic, PBC (United States) — AI assistant processing. Data submitted to AI features is sent for inference; Anthropic does not use it to train models under our commercial agreement.
  • Paystack Payments Limited (Nigeria / global) — payment processing.
  • Cloudflare, Inc. — transactional email delivery via Cloudflare Email Routing.

Material changes to this list will be communicated by email at least 30 days before they take effect. Customers may request an updated list at any time fromprivacy@oio.app.

6. International Data Transfers

Some sub-processors are located outside the European Economic Area. Where required, transfers rely on the European Commission's Standard Contractual Clauses (SCCs), applicable adequacy decisions, or other lawful transfer mechanisms. You can request a copy of the relevant safeguards by writing to privacy@oio.app.

7. Data Retention

  • Account and Service data is retained while your account is active.
  • On account deletion, your data is soft-deleted immediately and permanently erased within 30 days, except for data we are legally required to retain (e.g., invoicing records — typically up to 10 years depending on jurisdiction).
  • Backups are retained for up to 30 days and then overwritten.
  • Access logs are retained for up to 90 days for security purposes.

8. Your Rights (GDPR)

You have the following rights, subject to legal limits:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — request deletion.
  • Portability — receive your data in a structured, machine-readable format. Most of your Service data is directly exportable from within the app.
  • Restriction — limit how we process your data.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent.

To exercise any right, email privacy@oio.app. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority in your EU member state.

9. Security

We implement technical and organizational measures appropriate to the risk, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 via infrastructure providers).
  • Row-level security policies at the database layer — users can only access their own data or data shared with them.
  • Private file storage with short-lived signed URLs (no public buckets).
  • Authentication via secure providers; session tokens stored in HttpOnly cookies.
  • Principle of least privilege for infrastructure access.
  • Rate limiting, CSRF protection, content security policies.
  • Regular dependency updates and security monitoring.

See our Security Statement for details.

10. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected users without undue delay where the breach is likely to result in a high risk.

11. Cookies & Similar Technologies

We use strictly-necessary cookies for authentication and session management. We do not use advertising, tracking, or third-party analytics cookies. No cookie consent banner is legally required for strictly-necessary cookies under EU ePrivacy rules.

12. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If we learn we have done so, we will delete it.

13. Automated Decision-Making

We do not use your personal data to make decisions that produce legal or similarly significant effects based solely on automated processing. AI assistant output is suggestive; you remain in control of all decisions within the Service.

14. Changes to This Policy

We may update this policy. Material changes will be communicated by email or in-product notice at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

15. Contact

Privacy questions: privacy@oio.app