VICMEDIA LTD, trading as Ooklo, processes personal data on its own behalf and on behalf of its customers and business partners. We are committed to ensuring that our systems and practices comply with the European General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR").
Ooklo (hereinafter "we", "us", "our") acts as data controller within the meaning of the GDPR for the processing operations described in this charter. Where we process data on behalf of our customers (for example, customer lists they upload to the platform), we act as a data processor under their instructions.
We undertake to comply with applicable regulations and to protect the personal data of our partners, suppliers, users, visitors and any other data subject ("you", "your"). The role of Data Protection Officer is carried out internally by VICMEDIA LTD.
1. Scope
This charter sets out how we process personal data through our website ooklo.com, the Ooklo platform, and the Ooklo Assistant available on Telegram and WhatsApp (together, the "Service").
It applies to any operation ("processing") performed on information that allows you to be directly or indirectly identified ("personal data").
When we deliver services to our business customers, we may act as a data processor on their behalf. In that case, the customer (acting as controller) is responsible for informing the data subjects via their own privacy notices.
2. What Personal Data We Process and Why
In line with the principle of data minimisation, we collect only the data strictly necessary for the purpose pursued, and we make it easy for data subjects to exercise their rights.
2.1 Account and contact data
When you create an Ooklo account or contact us, we may collect:
- First name, surname, email address;
- Phone number, business name, role, industry (optional);
- Billing address and tax identifiers, where applicable;
- Any message or enquiry you send us, including newsletter subscription.
2.2 Customer-list uploads
Ooklo customers may upload their own contact lists (their end-customers, prospects, members) into the platform in order to run campaigns. For this data, the uploading customer acts as data controller and Ooklo acts as data processor under a Data Processing Agreement.
2.3 Marketplace prospect data
Through the Ooklo Marketplace, customers can rent qualified prospect data sets for the duration of a single campaign. This data is sourced from licensed partners operating under their own GDPR-compliant collection notices, supplied to Ooklo under contractual safeguards, and made available to customers on a per-campaign basis only. It cannot be exported or retained beyond the campaign.
2.4 Platform usage and connection data
When you use our website or the platform, we automatically collect:
- IP address, browser type, device, operating system, language, time zone;
- Pages visited, features used, click events, session duration, referrer URL;
- Cookies and similar trackers (see section 9 below).
2.5 Ooklo Assistant data (Telegram & WhatsApp)
When you connect the Ooklo Assistant to your account, we process channel identifiers (Telegram user ID and chat ID, WhatsApp phone number and business display name), profile metadata, the messages you exchange with the Assistant, short-lived pairing tokens, and operational metadata (timestamps, delivery status, command latency). Telegram data is processed via the official Telegram Bot API; WhatsApp data is processed via Meta's WhatsApp Business Cloud API.
Conversation data is kept for the duration of your subscription and wiped within 30 days of disconnection or upon explicit request. Full details — including AI-context minimisation and disconnection procedure — in our Privacy Policy, section 3.5.
2.5 How we use the data
We may use this personal data to:
- Deliver the Service you have subscribed to and operate your account;
- Send you product updates, service notifications and (with your consent) marketing communications about Ooklo;
- Process payments, issue invoices and recover unpaid amounts;
- Provide support, troubleshoot incidents and improve the Service;
- Detect fraud, abuse and unauthorised access;
- Comply with our legal and regulatory obligations.
2.6 How we contact you
Depending on the contact details you have provided and your communication preferences, we may reach you by:
- Electronic message (email, SMS, in-app notification);
- Telephone, when you have requested a call back or for service-critical issues;
- Postal mail, in limited cases (contracts, legal notices).
You can update your communication preferences at any time from your account settings or by contacting us at contact@ooklo.com.
3. Legal Basis for Processing
Ooklo processes personal data on one or more of the following legal bases:
- Your consent: when you submit a contact form, subscribe to our newsletter, or accept the deposit of cookies and trackers on your device.
- Performance of a contract: collecting personal data of our customers and users is necessary to deliver the Service you have subscribed to (account management, campaign execution, billing).
- Legitimate interest: for service improvement, security and fraud prevention, B2B prospecting, and statistical analytics. We continually assess that our legitimate interest is balanced against your rights and freedoms.
- Legal obligation: for accounting and tax records, responses to lawful authority requests, and other regulatory requirements.
4. How We Collect Data
4.1 Cookies on your device
We use cookies and similar technologies for essential site operation, audience measurement and (with your consent) analytics. See section 9 below.
4.2 Forms and account creation
When you sign up for an Ooklo account, request a demo, submit a contact form or subscribe to a paid plan, you provide personal data directly. We collect only what is necessary to deliver the requested service.
4.3 Phone and email
When you contact our support or sales teams by phone or email, we may record the substance of the exchange (not the audio) so that we can follow up on your request and keep an accurate record of the conversation. You may exercise your rights at any time on this data.
4.4 Indirect collection
In limited B2B scenarios, we may obtain professional contact data from third parties or from public sources (company websites, open data, business registries) for prospecting purposes. In all such cases we:
- Sign a contract with the third-party source;
- Notify data subjects of the transfer of their data to our files;
- Record the source of the data so it can be traced;
- Inform data subjects of how to exercise their rights.
5. Who Can Access Your Personal Data?
We never sell your personal data. We share it only with the following categories of recipient, under strict contractual obligations and GDPR-compliant data processing agreements:
5.1 Trusted service providers (data processors)
Acting on our behalf to deliver the Service:
- Hosting and infrastructure: all subprocessors are located in the European Union — OVH SAS (Roubaix, France), Hetzner Online GmbH (Falkenstein/Nuremberg, Germany and Helsinki, Finland), Scaleway SAS (Paris and Amsterdam), and Backblaze B2 Cloud Storage on its EU region (Amsterdam, Netherlands). Ooklo is hosted 100% within the European Union; no data leaves the EU.
- Artificial intelligence: Mistral AI (France), used for content-generation features and assistance tools.
- Payments: Stripe (PCI-DSS compliant payment processor); Ooklo does not store full card numbers.
- Email delivery: transactional email providers (e.g. Brevo, SendGrid) used to send service notifications and customer campaigns.
- SMS delivery: Infobip Ltd (EU operations) for SMS dispatch across Europe, under a GDPR-compliant data processing agreement.
- Customer support tools: ticketing and live-chat providers used to respond to your enquiries.
5.2 Connected platforms (with your consent)
When you connect external services (Meta/Facebook/Instagram, Google, etc.) to Ooklo, data is exchanged with those platforms via their official APIs, in accordance with the permissions you grant.
5.3 Marketplace data partners
For Marketplace prospect data, we work with licensed data providers who supply campaign-rented contact data. These partners act as independent data controllers for the collection of the data and as processors when delivering it for your campaign. All partners are bound by contract to comply with the GDPR and to respect data subject rights.
5.4 Authorities and legal requirements
We may disclose personal data to administrative or judicial authorities where required by law, court order, or to protect our legal rights, or to financial institutions and law enforcement to prevent or detect fraud where such disclosure is necessary.
We contractually ensure that all third parties acting on our behalf operate only on our instructions, implement appropriate technical and organisational measures, and do not use your data for purposes beyond what we have authorised. Unless expressly stated otherwise, the conditions of processing and your rights with these providers are equivalent to those described in this charter.
6. How Long We Keep Your Data
We keep personal data only for as long as is strictly necessary for the purposes set out in this charter and as required by applicable law. Retention periods depend on the nature of the relationship (customer or prospect), the activity concerned, and sector practice.
| Data category | Retention period |
|---|---|
| Active account data | Duration of the subscription |
| Data after account closure | 30-day grace period (re-activation / export window), then deleted (subject to legal retention and a 60-day backup purge) |
| Billing and invoicing records | 10 years (legal obligation) |
| Prospect data | 3 years from last contact |
| Marketplace prospect data (per-campaign) | Deleted at the end of each campaign |
| Cookies | 13 months maximum |
| Server logs | 12 months |
| Backups | Purged within 60 days |
Customer data is kept for the duration of the business relationship. In the event of judicial or administrative proceedings, data may be retained for the period necessary to resolve the matter.
7. International Data Transfers
Ooklo is hosted exclusively in the European Union — across OVH (France), Hetzner (Germany / Finland), Scaleway (France / Netherlands) and Backblaze B2 (EU region, Netherlands) — and we make every effort to keep personal data within the EU/EEA.
Where data must be transferred to a service provider in a third country, we ensure that appropriate safeguards are in place (Standard Contractual Clauses, an adequacy decision from the European Commission, or any other GDPR-compliant transfer mechanism) so that an equivalent level of protection is maintained.
8. How We Protect Your Data
We process your data in a manner that ensures an appropriate level of security, through technical and organisational measures including:
- Encryption at rest (AES-256) and in transit (TLS 1.2+);
- Strict role-based access controls and the principle of least privilege;
- Audit logging of sensitive operations;
- Regular security audits and penetration testing;
- A "Privacy by Design and by Default" approach to product development;
- Data Protection Impact Assessments (DPIA) for high-risk processing;
- Staff training on data protection and information security.
In the event of a personal data breach likely to affect your rights and freedoms, we will notify you and the competent supervisory authority within 72 hours, in accordance with the GDPR.
9. Cookies and Trackers
We use cookies for essential site operation (language preferences, session management, security) and, with your consent, for audience measurement. You can configure your browser to refuse cookies, although this may affect site functionality.
For full details, see the cookie section of our Privacy Policy. You can revisit your cookie choices at any time via the consent banner on our website.
10. Your Rights
You have rights over your personal data that allow you to access, correct, restrict, port or delete it:
| Right | What it lets you do |
|---|---|
| Access | Obtain confirmation that we process your data and receive a copy. |
| Rectification | Correct inaccurate or incomplete data. |
| Object | Object to processing (except where based on a contract, legal obligation or vital interests). |
| Erasure | Have your data deleted (except where required by a legal obligation or public interest). |
| Portability | Receive your data in a structured, machine-readable format (where processing is based on consent or contract). |
| Restriction | Limit how we process your data in specified circumstances. |
| Post-mortem instructions | Define guidelines for the retention, erasure and communication of your data after your death. |
| Withdraw consent | Withdraw consent at any time, where processing is based on consent. |
| Lodge a complaint | Complain to a supervisory authority if you believe we have not handled your request properly. |
These rights may be exercised at any time, subject to certain conditions. We will respond as quickly as possible and at the latest within one month of receipt of your request.
11. How to Exercise Your Rights
Data Controller: VICMEDIA LTD (trading as Ooklo)
126 Aldersgate Street, London, England, EC1A 4JQ
Contact: contact@ooklo.com
To exercise your rights, email us at contact@ooklo.com with the subject line "GDPR Rights Request".
To allow us to handle your request quickly and correctly, please include your full name, the email address associated with your Ooklo account, a postal address and a phone number. For some requests (right of access, right to portability, requests made by heirs), and to protect you against identity theft, we may ask you to attach a copy of an identity document and any other information needed to verify your request.
Right to be forgotten: your personal data will be erased from our active systems within one month of receipt of a valid request. Backup copies are purged within an additional 60 days. Data subject to a legal retention obligation (e.g. invoicing) will be archived securely until the legal period expires, then deleted.
You may also lodge a complaint with our lead supervisory authority (the UK Information Commissioner's Office, ICO) or, if you are an EU resident, with your national data protection authority (such as the CNIL in France or the AEPD in Spain).
12. Updates to This Charter
We may update this charter at any time. The revised version will be published on this page with the latest update date. For material changes, we will notify you by email or through the Ooklo platform.
Last updated: April 2026
Adapted with permission from our data partner.