Privacy Policy

Last Updated: March 24, 2026

Table of Contents

  1. Privacy Overview
  2. Data We Collect
  3. How We Use Your Data
  4. API & Permission Data
  5. Third-Party Services
  6. Data Retention
  7. Data Security
  8. Your Privacy Rights
  9. Changes to This Policy
  10. Contact Us

Our Commitment

oakallow is built by Islemonics Studios LLC. We are committed to protecting your privacy and being transparent about how we handle your data. We collect only what is necessary to provide our API service and never sell your personal information.

1. Privacy Overview

oakallow provides a hosted API for governing AI agent tool execution: permissions, approvals, tokens, and audit trails. This Privacy Policy describes how we collect, use, and protect information when you use our services, visit our website, or interact with our API.

By creating an account or using our API, you agree to the collection and use of information as described in this policy.

2. Data We Collect

2.1 Account Information

When you create an account, we collect your name and email address. We use Supabase Authentication to manage your login credentials securely. Passwords are hashed and never stored in plain text.

2.2 Billing Information

Payment processing is handled entirely by Stripe. We store your Stripe customer ID for linking purchases but never store credit card numbers, CVVs, or full card details on our servers.

2.3 API Usage Data

We log API requests for billing, debugging, and security purposes. This includes: API key prefix (not the full key), endpoint called, permission check results, execution logs, timestamps, and IP addresses. Tool parameters submitted during permission checks are processed but not permanently stored beyond the execution log retention period.

2.4 Support Data

When you contact support or submit feedback, we collect the content of your message, your email, and any screenshots you attach. This data is used to resolve your inquiry and improve our service.

3. How We Use Your Data

  • Provide, maintain, and improve the oakallow API service
  • Process payments and manage your credit balance
  • Send transactional emails (account confirmation, password reset, ticket updates)
  • Monitor for abuse, enforce rate limits, and prevent fraud
  • Respond to support requests and feedback
  • Generate aggregate analytics (never individually identifying)

We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising purposes.

4. API & Permission Data

oakallow processes permission check requests, tool definitions, approval workflows, and execution logs on your behalf. This data belongs to you. We act as a data processor, not a data controller, for the tool and permission data you submit through the API.

Permission resolution happens at the edge (Cloudflare Workers) for speed. Permission rules are stored in Cloudflare D1 and Supabase. Tool definitions, approval requests, and execution logs are stored in Supabase.

5. Third-Party Services

We use the following third-party services to operate oakallow:

  • Supabase — Database, authentication, and file storage
  • Cloudflare — Edge computing (Workers, D1, KV) for permission resolution
  • Fly.io — API server hosting
  • Vercel — Dashboard and website hosting
  • Stripe — Payment processing
  • Resend — Transactional email delivery

Each provider has its own privacy policy. We select providers with strong security practices and data handling commitments.

6. Data Retention

Account data is retained as long as your account is active. If you delete your account, we will remove your personal information within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).

API execution logs and permission check logs are retained according to your plan. You can request deletion of your data at any time by contacting us.

7. Data Security

Security Measures

  • ✓ All data encrypted in transit (TLS 1.3) and at rest
  • ✓ API keys are SHA-256 hashed. Raw keys are never stored.
  • ✓ HMAC-signed execution tokens with single-use nonces
  • ✓ Row Level Security (RLS) on all database tables
  • ✓ Edge-level authentication. API keys never reach the backend.
  • ✓ Content Security Policy and security headers on all pages
  • ✓ Regular security audits of all codebases

8. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to or restrict certain processing

To exercise these rights, contact us at privacy@oakallow.io. We will respond within 30 days.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact Us

Business Address

Islemonics Studios LLC
3020 Bernal Ave Ste 1103014
Pleasanton, CA 94566

Privacy Inquiries

privacy@oakallow.io

General Inquiries

hello@oakallow.io
