Privacy Policy

Last updated: 10 December 2025

This Privacy Policy explains how OCKTRA.IO LTD ("we", "us", "our") collects, uses, shares and protects personal data when you use Ocktra (the "Services"). We are the data controller for the purposes of the UK GDPR and Data Protection Act 2018, except where stated otherwise.

1) Who we are & how to contact us

Controller: OCKTRA.IO LTD, company number 15512388, registered address Willow Court, Stroud, Glos, GL5 4BJ, UK.

Trading as: Ocktra

Contact: privacy@ocktra.io

2) What data we collect

  • Account & Identity Data: name, email, organisation, role, profile image/user ID.
  • Authentication Data: hashed passwords, MFA setup, SSO identifiers (e.g., Microsoft/Google), tokens.
  • Contact & Billing Data: company details, addresses, VAT number, transaction history; we do not store full card numbers.
  • Usage & Product Analytics: feature usage, events, session timing, referring URLs.
  • Device/Technical Data: IP address, device/browser, OS, language, crash logs.
  • Support Data: tickets, chat/email threads, attachments you send.
  • Marketing Preferences: subscription & consent records.
  • Content you upload (Customer Content): data/files you process via the Services (may include personal data of your end‑users). For such content we generally act as your processor; see §12.
  • Integration Data (from integrations you configure): If you connect third‑party services (e.g., CRM, email, storage, calendars, ad platforms) to the Services, we may receive data from those providers via API or webhooks, strictly within the permissions you grant. The categories depend on the specific integration and its scopes/fields you authorise.

We may also receive data from identity providers (SSO), payment processors, analytics platforms, or publicly available sources.

3) How we use personal data (purposes & lawful bases)

| Purpose | Lawful basis |
|---|---|
| Provide, maintain and secure the Services; account creation; support | Contract and Legitimate interests |
| Payments, billing, accounting, tax | Contract and Legal obligation |
| Product analytics & improvement (events, performance) | Legitimate interests or Consent (as configured) |
| Security monitoring, fraud/abuse prevention, incident response | Legitimate interests and Legal obligation |
| Service/transactional communications (changes, outages, security) | Contract and Legitimate interests |
| Marketing communications | Consent (and PECR soft opt‑in where applicable) |
| Enable and operate integrations you connect (sync & processing between systems) | Contract and Legitimate interests (service functionality at your request) |
| Compliance with law and legal claims | Legal obligation and Legitimate interests |

Where we rely on legitimate interests, we balance our interests against your rights and proceed only where not overridden.

4) Cookies & similar technologies

We use cookies/SDKs to operate the Service, remember preferences, perform analytics, and (with consent) for marketing. Manage preferences via our cookie banner and your browser settings. See our Cookie Policy for details.

5) Disclosures & recipients of personal data

  • Processors (service providers): cloud hosting, payments, analytics, email, support/CRM, logging/monitoring and similar vendors acting on our instructions.
  • Integration providers (you connect): when you enable an integration, we may send/receive data to/from that provider as necessary to deliver the integration. Each provider is typically an independent controller of its own service; your use of an integration is subject to that provider’s terms and privacy policy.
  • Professional advisors under confidentiality, and authorities/courts where required by law.
  • Corporate transactions: disclosures under confidentiality for M&A, financing or acquisition.

We do not sell personal data.

6) International transfers

If personal data is transferred outside the UK/EEA, we implement appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, with transfer risk assessments and technical/organisational measures. Contact us for details.

7) Data retention

  • Account/billing: subscription term + 6 years.
  • Support tickets: 3 years after closure.
  • Analytics/logs: 12–24 months.
  • Backups: rolling 30–60 days.

8) Security

  • TLS encryption in transit and encryption at rest (AES-256 or equivalent)
  • Access controls, least privilege, role‑based permissions, MFA for admin access
  • Network security, monitoring, patching and vulnerability management
  • Backups & disaster recovery; staff confidentiality and security training
  • DPIAs where appropriate

No method is 100% secure; if a breach occurs, we will notify affected individuals and regulators as required.

9) Your rights

You have rights under the UK GDPR: access, rectification, erasure, restriction, portability, objection (including to direct marketing), and to withdraw consent where relied upon. Contact privacy@ocktra.io. You may complain to the UK ICO (ico.org.uk).

10) Marketing & PECR

If you opt in, we may send marketing about our Services. You can opt out anytime. For existing customers, we may use PECR “soft opt‑in” for similar products/services with an easy opt‑out. We do not send third‑party marketing without consent.

11) Children

The Services are not intended for children under 16. We do not knowingly collect children’s data. If you believe we have, contact us to delete it.

12) Your role as controller; our role as processor (Customer Content)

For personal data you upload or process in the Services about your customers, users or staff ("Customer Content"), you are the controller and we act as your processor. Our processing of Customer Content is governed by our Data Processing Addendum (DPA), which includes appropriate transfer safeguards.

Integrations & data flows: where you connect a third‑party integration, we process Customer Content to send/receive data between systems according to your configuration and the scopes you authorise. Each integration provider typically acts as an independent controller of its own service; please review that provider’s privacy policy and permissions screens.

13) Automated decision‑making

We do not conduct automated decision‑making that produces legal or similarly significant effects. If this changes, we will update this policy.

The Services may link to third‑party sites/services. Their privacy practices are separate; please review their policies.

15) Changes to this policy

We may update this policy. We will post changes here and update the “Last updated” date. For material changes, we may notify you by email or in‑app.

16) Sub‑processors (summary)

We maintain a current list at /legal/subprocessors. An indicative list is shown below.

| Category | Provider | Location(s) | Purpose |
|---|---|---|---|
| Cloud hosting | AWS | Global | Hosting & storage |
| Email delivery | Brevo | EU | Transactional email |
| Error monitoring | Sentry | EU | Error tracking |

17) Integrations you configure

You may choose to connect third‑party integrations to the Services (for example, CRM, email, storage, identity, calendars, analytics or advertising platforms). When enabled, the Services will access and process data from/to those providers strictly as necessary to deliver the integration and only within the permissions (scopes) you grant. You can disconnect an integration at any time in settings; doing so will stop future sync. Historical data already processed will be retained/deleted in line with this policy and your settings. Each integration provider’s use of your data is governed by that provider’s own privacy policy and terms.

Contact us

Email: privacy@ocktra.io. Address: Willow Court, Stroud, Glos, GL5 4BJ, UK.