Privacy Policy

1. Scope of This Policy

This privacy policy explains how Ooklo collects, uses, stores, shares and protects your personal data when you:

• Visit our website ooklo.com;
• Use the Ooklo platform and its services (campaign creation, multi-channel marketing, social media management, analytics);
• Connect your social media accounts (Facebook, Instagram, etc.) to the Ooklo platform;
• Use the Ooklo Assistant on Telegram or WhatsApp to manage your business by chat (campaigns, reviews, bookings, briefings, alerts);
• Contact us via our forms, email or phone.

"Personal data" means any information relating to an identified or identifiable natural person.

2. Data We Collect

In accordance with the principle of minimisation, we collect only the data strictly necessary for the purposes described below.

2.1 Data you provide directly

• Account & contact data: name, surname, email address, phone number, password (encrypted), business name, position, industry, billing address.
• Form submissions: message content, enquiries, newsletter subscription.
• Content you create: marketing campaign content, customer lists you upload, brand assets (logos, images), templates.
• Payment data: processed securely by our payment provider Stripe. Ooklo does not store full card numbers.

2.2 Data collected automatically

• Technical data: IP address, browser type, device type, operating system, language, time zone.
• Usage data: pages visited, features used, click events, session duration, referrer URL.
• Cookies and trackers: see our cookie policy section below.

2.3 Data collected from third-party platforms

When you connect external services to Ooklo (Facebook/Instagram via Meta, Google services, Telegram, WhatsApp Business, etc.), we receive data via their APIs, with your consent and within the scope of permissions you grant. See section 3 below for Meta-specific data and section 3.5 for data collected via the Ooklo Assistant (Telegram & WhatsApp).

3. Data Collected via Meta Platforms (Facebook & Instagram)

3.1 Data we collect from Meta

Depending on the permissions you grant during the OAuth authorisation flow, we may collect and store:

• Profile information: your name, profile picture, Facebook/Instagram user ID, email address (if granted).
• Page data: Page name, Page ID, Page profile picture, Page category, list of admins.
• Page content: existing posts, scheduled posts, comments, messages received via the Page (when applicable).
• Insights and metrics: reach, impressions, engagement, follower demographics (aggregated data only), best-performing content.
• Access tokens: short-lived and long-lived OAuth access tokens, stored encrypted, used to publish content and retrieve analytics on your behalf.
• Instagram Business data: account ID, media (existing and scheduled posts), insights, hashtag performance.

3.2 How Ooklo uses Meta data

We use this data exclusively to provide the services you have requested:

• Publishing content: scheduling and posting content to your Facebook Page or Instagram account at the time you choose.
• Displaying analytics: showing performance metrics (reach, engagement, audience growth) within the Ooklo dashboard.
• Content suggestions: our AI may analyse historical performance to suggest optimal posting times, hashtags or content angles.
• Audience management: displaying follower/audience insights to help you tailor your campaigns.
• Message management: if granted, helping you reply to comments and direct messages from a unified inbox.

We never use Meta data for purposes other than those listed above. We do not sell, rent or trade Meta data to third parties. We do not use Meta data to build advertising profiles outside the scope of services you have explicitly subscribed to.

3.3 How Ooklo stores and secures Meta data

• Storage location: European Union data centres (compliant with GDPR).
• Encryption: all OAuth tokens and sensitive data are encrypted at rest (AES-256) and in transit (TLS 1.2+).
• Access controls: only authorised Ooklo personnel with a strict need-to-know basis can access stored data, with audit logging.
• Retention: Meta data is retained only as long as your Ooklo account is active and the integration is connected. See section 7 for full retention details.

3.4 Disconnecting your Meta accounts

You can disconnect your Facebook/Instagram integration at any time:

• From within Ooklo: Settings → Integrations → Disconnect.
• From Facebook directly: Settings → Business Integrations → Remove Ooklo.

Upon disconnection, the OAuth tokens are immediately revoked. Associated data is deleted within 30 days, except where retention is required by law (e.g. billing records).

3.5 Data Collected via the Ooklo Assistant (Telegram & WhatsApp)

3.5.1 Data we collect

When you link a Telegram or WhatsApp number to your Ooklo account, we receive and store:

• Channel identifiers: Telegram user ID, Telegram chat ID, WhatsApp phone number, WhatsApp business display name. These let the Assistant address you and route notifications back to the right conversation.
• Profile metadata: first name, last name, language preference, profile picture (where the channel exposes it).
• Message content: the messages you send to the Assistant and the Assistant's replies. Used to execute your requests (launch a campaign, reply to a review, fetch your KPIs) and to improve the bot's understanding over time. Messages are never used for advertising or sold to third parties.
• Authentication artefacts: a short-lived magic link / QR token to pair your messaging account with your Ooklo dashboard the first time.
• Operational metadata: message timestamps, delivery status, command latency, language detected. Used for product reliability and analytics (aggregated, never personally identifying).

3.5.2 How we use it

• Execute the actions you request from the chat: campaigns, reviews, bookings, briefings, alerts, balance checks, multi-location KPIs.
• Send you proactive notifications you have opted into (daily briefing, weekly report, negative-review alert, cancellation alert) within your configured quiet hours.
• Generate short AI-assisted suggestions (response drafts, campaign copy) using our sovereign AI provider. Each AI call processes only the strict context needed; full conversation history is never sent.
• Provide support and debug incidents (engineers act on an as-needed basis with logged audit trail).

3.5.3 Third-party platforms involved

The Assistant relies on the official APIs of Telegram and Meta (for WhatsApp Business). Personal data is processed by these providers in line with their own privacy notices, in addition to ours:

• Telegram: see telegram.org/privacy.
• Meta / WhatsApp Business: see whatsapp.com/legal/business-privacy-policy.

3.5.4 Storage, retention & disconnection

• Storage: Assistant data lives in the same European infrastructure as the rest of the Ooklo platform (OVHcloud, EU region). Messages are encrypted at rest.
• Retention: conversation history is kept for as long as your Ooklo account is active. You can request a wipe of the chat history at any time without deleting your Ooklo account.
• Disconnection: at any time, send /unlink to the Assistant, or remove the integration from Settings → Integrations → Assistant. Tokens are revoked immediately; associated chat data is deleted within 30 days (except where retention is required by law).
• Outside the Ooklo Assistant: messages exchanged with Ooklo via standard customer-support channels (email, contact form) are governed by the rest of this policy.

4. Why We Process Your Data

We process your personal data for the following purposes:

• Service delivery: creating, managing and operating your Ooklo account; running campaigns; publishing content; displaying analytics.
• Customer support: responding to your enquiries, troubleshooting, providing assistance.
• Service improvement: analysing usage patterns to improve features, fix bugs, and develop new functionalities.
• Communication: sending service-related notifications, product updates, and (with your consent) marketing communications.
• Billing: processing payments, issuing invoices, recovering unpaid amounts.
• Security & fraud prevention: detecting unauthorised access, abuse and fraudulent activity.
• Legal compliance: meeting our legal and regulatory obligations.

5. Legal Basis for Processing

We process your personal data on one or more of the following legal bases:

• Consent: for cookies and trackers, marketing communications, optional features, and Meta integrations.
• Performance of a contract: to deliver the services you have subscribed to.
• Legitimate interest: for service improvement, fraud prevention, B2B prospecting (balanced against your rights).
• Legal obligation: for billing records, tax compliance, responses to lawful authorities.

6. Who We Share Data With

We never sell your personal data. We share it only with:

6.1 Trusted service providers (subcontractors)

Acting on our behalf under strict contractual obligations and GDPR-compliant data processing agreements:

• Hosting & infrastructure: all our hosting subprocessors are located in the European Union.
  • OVH SAS — data hosting in Roubaix, France.
  • Hetzner Online GmbH — additional compute capacity in Falkenstein/Nuremberg (Germany) and Helsinki (Finland).
  • Scaleway SAS — French cloud provider, data centres in Paris and Amsterdam.
  • Backblaze B2 Cloud Storage — object storage for backups and media assets, EU region (Amsterdam, Netherlands). All buckets pinned to the EU region; no data leaves the EU.
• Payments: Stripe (PCI-DSS compliant payment processor).
• Email delivery: Brevo, SendGrid or equivalent transactional email providers.
• SMS gateway: Infobip Ltd (EU operations) for SMS delivery across Europe. Mobile numbers are forwarded to operator networks via Infobip's official A2P channels under a GDPR-compliant data processing agreement.
• Analytics: Plausible / privacy-respecting analytics tools (no personal data).
• Customer support tools: ticketing and live chat providers.
• Data Management Platforms (DMP) and gateway providers: for campaign delivery and audience activation.

6.2 Connected platforms (with your consent)

When you connect external services to Ooklo, data is exchanged with these platforms via their official APIs, in accordance with the permissions you grant:

• Meta: Facebook, Instagram and WhatsApp Business (Cloud API).
• Google: Google Business Profile, Google Ads.
• Telegram: Telegram Bot API for the Ooklo Assistant.

6.3 Authorities and legal requirements

We may disclose personal data if required by law, court order, or to protect our legal rights.

7. How Long We Keep Your Data

• Active account data: kept for the duration of your subscription.
• After account closure: a 30-day grace period applies, during which you can re-activate or export your data; after that, account data is deleted, except where retention is legally required (see Billing & invoicing below) or technically required for ongoing backups (purged within 60 days, see last bullet).
• Billing & invoicing: 10 years (legal obligation).
• Prospect data: 3 years from last contact.
• Cookies: 13 months maximum.
• Meta integration data: deleted within 30 days of disconnection.
• Ooklo Assistant data (Telegram & WhatsApp): conversation history kept while your account is active; wiped within 30 days of disconnection or on request.
• Backups: automatically purged within 60 days.

8. How We Protect Your Data

We implement appropriate technical and organisational measures, including:

• Encryption at rest (AES-256) and in transit (TLS 1.2+).
• Strict access controls (role-based, principle of least privilege).
• Audit logging of sensitive operations.
• Regular security audits and penetration testing.
• Privacy by Design and by Default in our development practices.
• Data Protection Impact Assessments (DPIA) for high-risk processing.
• Staff training on data protection and security.

In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours, in accordance with the GDPR.

9. Your Rights

Under the GDPR, you have the following rights over your personal data:

• Right of access: obtain confirmation of processing and a copy of your data.
• Right of rectification: correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): request deletion of your data.
• Right to restriction: limit the processing of your data.
• Right to portability: receive your data in a structured, machine-readable format.
• Right to object: object to processing, particularly for direct marketing.
• Right to withdraw consent: at any time, where processing is based on consent.
• Right to define post-mortem instructions: for the retention, erasure and communication of your data after death.
• Right to lodge a complaint: with a supervisory authority. UK residents may contact the ICO; EU residents may contact their national data protection authority (e.g. the CNIL in France, the AEPD in Spain).

To exercise your rights, email dpo@ooklo.com. We will respond within one month.

10. How to Request Data Deletion

Your request should include:

• Your full name and the email address associated with your Ooklo account;
• Confirmation that you wish to delete all data, or specifying particular data sets (e.g. only Meta data);
• A copy of an identity document (to prevent identity theft).

Within 30 days of receipt of a valid request:

• All your personal data will be permanently deleted from our active systems;
• OAuth tokens (Meta, Google, etc.) will be revoked;
• Backup copies will be purged within 60 additional days;
• Data subject to legal retention (e.g. invoicing) will be archived securely until the legal period expires, then deleted.

You will receive written confirmation once deletion is complete.

Direct deletion of Meta data: you can also request deletion of Meta-specific data directly via your Facebook settings (Settings → Apps & Websites → Ooklo → Remove). Removal will trigger automatic deletion on our side within 30 days.

11. Contact & DPO

12. International Data Transfers

Your personal data is primarily processed within the European Union. Where data is transferred to third countries, we ensure appropriate safeguards are in place (Standard Contractual Clauses, adequacy decisions, or other GDPR-compliant mechanisms).

13. Cookies

We use cookies for essential site operation (language preferences, session management) and audience measurement. You may configure your browser to refuse cookies, although this may affect site functionality.

14. Updates to This Policy

We may update this privacy policy at any time. The revised version will be published on this page with the latest update date. For material changes, we will notify you by email or through the Ooklo platform.

Last updated: April 2026