Privacy Policy

1. Privacy Overview

oakallow provides a hosted API for governing AI agent tool execution: permissions, approvals, tokens, and audit trails. This Privacy Policy describes how we collect, use, and protect information when you use our services, visit our website, or interact with our API.

By creating an account or using our API, you agree to the collection and use of information as described in this policy.

2. Data We Collect

2.1 Account Information

When you create an account, we collect your name and email address. oakallow does not use passwords. Authentication is handled with passkeys (WebAuthn) and email one-time codes. We store only the public key portion of each passkey, which cannot be used to sign assertions on your behalf. Email one-time codes are SHA-256 hashed and expire within 5 minutes. Recovery codes are 26-character single-use codes, stored only as SHA-256 hashes.

2.2 Billing Information

Payment processing is handled entirely by Stripe. We store your Stripe customer ID for linking purchases but never store credit card numbers, CVVs, or full card details on our servers.

2.3 API Usage Data

We log API requests for billing, debugging, and security purposes. This includes: API key prefix (not the full key), endpoint called, permission check results, execution logs, timestamps, and IP addresses. Tool parameters submitted during permission checks are processed but not permanently stored beyond the execution log retention period.

2.4 Support Data

When you contact support or submit feedback, we collect the content of your message, your email, and any screenshots you attach. This data is used to resolve your inquiry and improve our service.

3. How We Use Your Data

• Provide, maintain, and improve the oakallow API service
• Process payments and manage your credit balance
• Send transactional emails (account confirmation, password reset, ticket updates)
• Monitor for abuse, enforce rate limits, and prevent fraud
• Respond to support requests and feedback
• Generate aggregate analytics (never individually identifying)

We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising purposes.

4. API & Permission Data

oakallow processes permission check requests, tool definitions, approval workflows, and execution logs on your behalf. This data belongs to you. We act as a data processor, not a data controller, for the tool and permission data you submit through the API.

Permission resolution happens at the edge (Cloudflare Workers) for speed. Permission rules, tool definitions, approval requests, and execution logs are stored in Cloudflare-backed infrastructure, including Cloudflare D1 where applicable.

5. Third-Party Services

We use the following third-party services to operate oakallow:

• Cloudflare. Edge computing, data infrastructure, and site hosting (Workers, Pages, D1, KV, R2).
• Stripe. Web payment processing.
• Apple StoreKit. Verifies in-app purchases made in the iOS app.
• Google Play Billing. Verifies in-app purchases made in the Android app.
• Apple Push Notification Service (APNs). Delivers push notifications to the iOS app for approval requests.
• Firebase Cloud Messaging (FCM). Delivers push notifications to the Android app for approval requests.
• Resend. Transactional email delivery (sign-in codes, ticket replies, billing receipts).
• Cloudflare Turnstile. CAPTCHA on the web sign-in form to slow automated abuse.
• OpenAI and Anthropic. Operate the AI clients (ChatGPT, Claude) that connect to the oakallow MCP connector. They relay tool calls between the user and oakallow. Their handling of that traffic is governed by their own privacy policies.

Each provider has their own privacy policy. We select providers with strong security practices and data handling commitments.

Customer-configured notification channels (Slack, PagerDuty, webhooks)

You can configure oakallow to send approval-event notifications to third-party services you choose. Today these include Slack, PagerDuty, and arbitrary HTTPS webhook endpoints. The receiving service is a destination of outbound notifications, not a sub-processor of oakallow. You select the destination, you control what is configured, and you are responsible for the receiving service's data handling.

What we send to these destinations is intentionally minimal. Each notification contains the event type (approval requested, granted, denied, or expired), the tool name, a short PII-scrubbed reason string, and an oakallow reference id. We do not send tool parameters, customer data, end-user identities, or other identifying details. Decisions on approval requests are still made exclusively in the oakallow mobile app with enforced multi-factor authentication, never from the third-party destination.

The credentials you provide for each destination (Slack incoming webhook URL, PagerDuty API Key, webhook URL plus optional signing secret) are stored encrypted at rest in our database. Webhook signing secrets and PagerDuty API keys are write-only after creation; we never display them back through any user interface.

6. MCP Connector (Claude and ChatGPT)

When you install the oakallow MCP connector in Claude or ChatGPT, data flows between the AI client and oakallow's servers. The OAuth 2.1 authorization server is hosted by oakallow on our own infrastructure, with full compliance details documented at oakallow.io/docs/oauth. This section describes what is collected, who sees it, how long it is retained, and how you can revoke access.

What the connector collects at install

When you authorize the connector, you are redirected to sign in to oakallow with your normal passkey or email code. You then choose which scopes to grant on a consent screen oakallow hosts. On approval, oakallow issues an opaque access token bound to the resource https://api.oakallow.io/mcp. The token carries your oakallow user identifier as part of its grant.

Tokens are stored encrypted in our infrastructure (Cloudflare KV) with the access token itself as encryption key material. The AI client holds the plaintext token and presents it with each connector call. oakallow validates the token on every request and resolves your account.

What flows through the connector during use

Each tool invocation sends a JSON-RPC request from the AI client to https://api.oakallow.io/mcp containing the tool name, its input arguments, and the access token. oakallow then:

• Verifies the token and resolves your user identity.
• Looks up your primary organization.
• For standard read-only tools, reads the corresponding data and returns it to the AI client.
• For customer-defined tools, resolves the permission rule, creates an approval request if required, and returns an approval reference. Execution of customer-defined tools is performed by the owning organization's backend, not by oakallow.

Tool-call parameters pass through an automatic PII redaction filter (SSN, card, email, phone, address, ZIP patterns) before being written to our database. We nonetheless recommend avoiding sensitive personal information in tool-call arguments. The filter is best-effort.

Who sees what

• The AI provider (Anthropic for Claude, OpenAI for ChatGPT) relays the tool-call request and response. Their handling of that traffic is governed by their own privacy policies (Anthropic, OpenAI).
• oakallow's OAuth 2.1 authorization server (self-hosted on api.oakallow.io) issues, validates, and revokes access tokens. Token validation does not involve any third party.
• oakallow processes every tool call, writes an audit log entry, and (for customer-defined tools) dispatches an approval webhook to the configured URL.
• The owning organization's backend (for customer-defined tools) receives the approval webhooks and executes the underlying action.

Data retention

MCP-originated requests are retained on the same schedule as direct API traffic. Access tokens are not stored. They are verified on each request and discarded. Approval records persist in our database until your account is deleted. Tool-call arguments are not stored beyond what is written (PII-redacted) to the approval record's reason field and the corresponding audit log.

How to revoke access

1. In your AI client: visit your connector settings and remove the oakallow connector. The client will delete the stored access token.
2. In oakallow: sign in to the dashboard and revoke the session associated with your MCP connector.
3. By calling the revocation endpoint: any holder of the token can POST /revoke on api.oakallow.io with the access or refresh token (RFC 7009). The token becomes invalid immediately.

Revoking in any one place is sufficient. Subsequent tool calls will fail token validation and be rejected.

7. Mobile App Specifics

The oakallow iOS and Android apps are companion apps for sign-in, approvals, activity, and credit purchases. Account creation, recovery code management, and configuration of organizations, tools, and permission rules all happen on the web.

Push notifications

If you grant notification permission, the app registers a device token with our servers (Apple Push Notification Service for iOS, Firebase Cloud Messaging for Android). We use this token only to deliver approval-request notifications. The token is rotated by the operating system from time to time, and we delete it when you sign out, revoke notification permission, or uninstall the app.

Per-device identifier

The app generates a random UUID on first launch and stores it in the platform secure enclave (Keychain on iOS, EncryptedSharedPreferences on Android). It is sent on every API request as a hint so we can offer to enroll a passkey on the device for faster sign-in. The identifier does not contain any personally identifying information and is reset if you uninstall the app.

In-app purchases

Mobile credit purchases are processed by Apple StoreKit (iOS) or Google Play Billing (Android). We receive the purchase receipt to verify and credit your account. We never see your payment method or card details. Apple and Google handle the payment under their respective terms.

8. Team Context and Member Visibility

If you are a member of a team, an admin or owner of that team can switch their dashboard view to your account context to help you set up tools or troubleshoot. While viewing your context they can see the same operational data the team shares: tools, permission rules, organizations, tenants, approvals, activity logs, and credit balance.

Personal security state is never visible to other team members in this mode. Your passkeys, your recovery codes, and your security audit log can only be viewed and managed by you, regardless of role. The Security section of the dashboard is hidden entirely while another team member is viewing your context.

9. Data Retention

Account data is retained as long as your account is active. If you delete your account, we will remove your personal information within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).

API execution logs and permission check logs are retained according to your plan. You can request deletion of your data at any time by contacting us.

10. Data Security

11. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Object to or restrict certain processing

To exercise these rights, contact us at privacy@oakallow.io. We will respond within 30 days.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us