Privacy Policy

Last updated: April 24, 2026

This Privacy Policy explains how Olkot ("Olkot", "we", "us") collects, uses, shares, and protects personal data when you use the Olkot platform at olkot.app. It applies to all users worldwide, including users in the European Economic Area (EEA) whose data is protected under GDPR.

1. Who We Are — Data Controller

Olkot is the Data Controller in respect of:

  • Your account and business information;
  • Your usage of the Olkot platform;
  • Business metrics (Layer 2) we derive from your activity.

For personal data contained within your customers' Instagram DMs that you process through the Service, you are the Data Controller and Olkot is your Data Processor. This relationship is governed by our Data Processing Agreement (DPA), available at olkot.app/dpa or upon request.

Data Protection contact: olkot.app@gmail.com

2. Personal Data We Collect

2.1 Account and Identity Data

  • Email address, business name, industry sector, country, language preference;
  • Password (stored as a bcrypt hash — we cannot recover plaintext passwords);
  • Any additional profile information you choose to provide;
  • IP address and timestamp recorded at account creation.

2.2 Instagram Account Data

  • Instagram username, account ID, account type (Business/Creator), verification status;
  • OAuth access tokens used to connect your Instagram account (stored encrypted);
  • Account-level metadata retrieved via Meta's API (follower count, profile photo URL).

2.3 DM Content — Layer 1 (Most Sensitive)

  • Instagram direct messages: text content, images, voice messages, stickers, attachments;
  • Sender metadata for each message: sender's Instagram username, profile photo, follower count, verification status;
  • Message timestamps, read/delivery status, conversation identifiers;
  • Voice message transcriptions (generated by AI).

DM Content is encrypted at rest using AES-256-GCM. No Olkot team member has standing access to Layer 1 data. See Section 12 (Zero-Access Policy).

Card/IBAN masking: When our system detects structured financial data (credit/debit card numbers, IBAN/bank account numbers) in an incoming DM, the sensitive portion is masked before storage. The original data is not retained.

2.4 Business Metrics — Layer 2

  • Aggregate per-account metrics: daily/weekly message volume, response time, reply rate;
  • AI-generated classifications: purchase intent scores, conversation priority labels, "Dead Money" estimates, VIP scores;
  • Conversation summaries and follow-up suggestions generated by AI;
  • Wish-list items extracted from conversations (Business plan);
  • Kanban stage assignments and custom labels you apply.

2.5 Billing and Subscription Data

  • Current subscription plan, billing status, trial start/end dates, renewal dates;
  • Subscription history and plan change events.

Payment card details and bank information are processed exclusively by Whop (our billing provider). Olkot never receives, stores, or processes raw card numbers or bank details.

2.6 Usage and Analytics Data

  • Named product events captured via PostHog (e.g., "signup", "inbox_opened", "dead_money_viewed", "follow_up_sent");
  • IP address (anonymized after collection), browser type and version, operating system, device type;
  • Session duration, page views, feature interaction data;
  • Referral source (how you found Olkot).

2.7 Error and Performance Data

  • Application errors and stack traces captured via Sentry;
  • Performance metrics (API response times, queue depths);
  • Browser console errors you may encounter.

DM Content is never included in error reports. Error reports may include redacted account identifiers.

2.8 Communications Data

  • Emails you send to us (support requests, feature requests, complaints);
  • Trial sequence emails and transactional notifications we send to you (opens, click events);
  • In-app feedback submissions.

3. How We Use Your Personal Data

3.1 To Provide the Service

  • Authenticating your identity and managing your session;
  • Receiving, processing, and displaying your Instagram DMs in the inbox;
  • Running AI analysis on DM Content to generate classifications, summaries, drafts, and estimates;
  • Detecting and masking sensitive financial data in incoming DMs;
  • Generating your Layer 2 business metrics dashboard;
  • Enabling AI draft replies, FAQ bot, follow-up suggestions, and voice transcription.

3.2 To Manage Your Account and Billing

  • Processing Subscription activations, upgrades, downgrades, and cancellations;
  • Coordinating payment processing with Whop;
  • Enforcing plan-based feature access (tier gating);
  • Managing your trial period and sending trial sequence emails (Days 1, 3, 5, 7).

3.3 To Communicate With You

  • Sending account notifications (welcome, billing confirmations, plan changes);
  • Responding to support requests and inquiries;
  • Notifying you of material changes to the Service or these policies;
  • Sending product updates and new feature announcements (you may opt out at any time).

3.4 To Improve the Service

  • Analyzing aggregated usage patterns to identify product improvements;
  • Debugging errors and performance issues;
  • Training and evaluating our AI classification models using fully anonymized and aggregated data only (never raw DM Content);
  • Computing anonymous industry benchmarks (Layer 3 — see Section 6).

3.5 To Protect the Service and Comply With Law

  • Detecting and preventing fraud, abuse, spam, and security incidents;
  • Maintaining our data access audit log for GDPR compliance;
  • Complying with legal obligations, court orders, and lawful regulatory authority requests;
  • Enforcing our Terms of Service.

3.6 Outbound Communications Sent on Your Behalf

Olkot can send Instagram direct messages from your connected business account, but only through the channels listed below. Two of these channels are opt-in: they are disabled by default and only operate when you explicitly turn them on in Settings. You can disable any of them at any time and the change takes effect immediately.

User-initiated sends (you press Send each time)

  • Manual replies. A message you typed in the inbox composer is sent to the customer when you press Send.
  • AI Draft Reply. The AI generates a suggested reply, but it is only sent after you press Use draft and then Send. Drafts never leave your account on their own.
  • One-Tap Follow-Up (Pro plan and above). The AI proposes a follow-up message; nothing is sent until you press the send button in the follow-up panel.

Automated sends (off by default, opt-in only)

  • FAQ Bot (Pro plan and above). When you enable the FAQ Bot and switch its mode to auto-send, it will automatically reply to incoming questions that match — above the matching threshold you set — a question/answer pair you wrote yourself in Settings → FAQ. The bot only sends from your library of approved answers; it does not generate new content. Default state: disabled; default mode if enabled: draft (suggested replies only, never auto-sent).
  • Welcome Autoresponder. When you enable this feature in Settings → Welcome Message, the first time a new contact messages your business, Olkot sends them a single greeting based on the template you wrote (with optional placeholders such as the contact's username). The autoresponder fires only once per new contact. Default state: disabled.

We do not send Instagram messages for any other purpose. Olkot will never message your customers for marketing, surveys, upsells, or promotion of our own service from your account. The full audit trail of every message sent — manual or automated — is available in your inbox view, and the message will appear in your real Instagram conversation history exactly as your customer sees it.

4. Legal Bases for Processing (GDPR Article 6)

We process personal data only where we have a valid legal basis. The table below sets out our legal basis for each processing purpose:

Processing purpose | Legal basis
Account creation and management | Art. 6(1)(b) — performance of contract
Delivering AI Features (classification, drafts, summaries) | Art. 6(1)(b) — performance of contract
Billing and subscription management (via Whop) | Art. 6(1)(b) — performance of contract
Trial email sequence (Days 1, 3, 5, 7) | Art. 6(1)(b) — performance of contract
Sending transactional notifications (billing, account) | Art. 6(1)(b) — performance of contract
Product analytics — PostHog usage events | Art. 6(1)(f) — legitimate interest (product improvement)
Error and performance monitoring — Sentry | Art. 6(1)(f) — legitimate interest (service stability and security)
Security and fraud prevention | Art. 6(1)(f) — legitimate interest (protecting users and platform)
Anonymous industry aggregates — Layer 3 (internal use) | Art. 6(1)(f) — legitimate interest (see Section 6)
Licensing Layer 3 Aggregate Data to third parties | Not subject to GDPR — data is not personal data (Art. 4(1), Recital 26)
Responding to support requests | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest
Compliance with legal obligations (audit log, billing records) | Art. 6(1)(c) — legal obligation
Product update and feature announcement emails | Art. 6(1)(f) — legitimate interest; right to opt out at any time

5. Three-Layer Data Architecture

Your data is organized in three strictly isolated layers:

Layer 1 — Personal DM Content (Most Protected)

Raw Instagram DMs, identifiable to you and your customers. Data Controller: you. Data Processor: Olkot. Encrypted at rest with AES-256-GCM. Never shared across tenants. Never sold. Never used to train AI models (DM Content is sent to OpenAI only for real-time inference under our API agreement; OpenAI does not retain or train on API data). Team access requires your explicit consent and is fully logged (see Section 12).

Layer 2 — Per-Account Business Metrics

Aggregate metrics and AI-generated classifications derived exclusively from your account. Data Controller: Olkot (you are the subject). Visible only to you and your Authorized Users. Never shared with other customers. Retained for the duration of your account plus a 30-day deletion grace period.

Layer 3 — Anonymous Industry Aggregates

Fully anonymized cross-tenant patterns used for industry benchmarks. Not personal data (see Section 6). Processed on the basis of legitimate interest. Visible to all customers in the relevant industry segment. Retained indefinitely as it contains no personal data. You may opt out of contributing to Layer 3 at any time in Settings → Privacy.

6. Legal Basis for Anonymous Industry Aggregates (Layer 3)

Layer 3 Aggregate Data is derived through a multi-step anonymization process applied to Layer 1 and Layer 2 data:

  1. Structured PII removal: all emails, phone numbers, credit card patterns, IBANs, URLs, Instagram usernames, and physical addresses are removed using pattern matching;
  2. AI entity redaction: a named-entity recognition model identifies and removes residual references to person names, company names, and geographic locations;
  3. Minimum group threshold: data is only published when at least 50 businesses in the same industry segment and region contribute to the aggregate;
  4. Differential privacy: calibrated statistical noise is added to all published figures to prevent reverse-engineering of individual contributions;
  5. Irreversible aggregation: once aggregated, the contribution of any single account cannot be mathematically isolated.

The resulting Aggregate Data is not personal data within the meaning of GDPR Art. 4(1) because no natural person can reasonably be identified from it, directly or indirectly (GDPR Recital 26). We process it on the basis of legitimate interest (GDPR Art. 6(1)(f)) to: (i) improve our AI models and product features; (ii) provide meaningful industry benchmark intelligence to all Olkot customers.

Commercial licensing of Aggregate Data. Layer 3 Aggregate Data may be licensed or sold to third parties, including but not limited to: market research firms, financial institutions, banks, credit organizations, industry associations, consulting firms, and government statistical agencies. Any such transfer is of anonymous aggregate data only — no individual business, person, or DM content is ever included or identifiable. Because Layer 3 is not personal data, GDPR restrictions on personal data transfers do not apply to these transactions.

Your opt-out right: You may object to your account's data being included in future Layer 3 aggregation runs at any time via Settings → Privacy. We will honor opt-outs for all subsequent runs. Historical aggregates already computed cannot be reversed as they contain no individual data. Your objection does not affect Layers 1 or 2.
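Steps 3 and 4 of the anonymization process above (minimum group threshold, then calibrated noise), shown as an added illustration that is not Olkot's code. It assumes one bounded metric value per business, a publicly known contributor count, and Laplace noise; the function names, bounds and epsilon values are hypothetical.

```python
import random

MIN_CONTRIBUTORS = 50  # minimum group threshold stated in step 3


def laplace(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale): the difference of two Exp(1) draws is Laplace(0, 1)."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))


def release_mean(per_account: dict, lower: float, upper: float,
                 epsilon: float, rng: random.Random):
    """Noisy mean for one (industry segment, region) cell, or None if suppressed.

    per_account maps an account id to that business's single contribution,
    so no business can weigh in more than once.
    """
    if epsilon <= 0 or upper <= lower:
        raise ValueError("epsilon must be > 0 and upper must exceed lower")
    n = len(per_account)
    if n < MIN_CONTRIBUTORS:
        return None  # too few businesses: publish nothing for this cell
    # Clamping bounds how far any one business can move the mean.
    clamped = [min(max(v, lower), upper) for v in per_account.values()]
    sensitivity = (upper - lower) / n  # replace-one sensitivity of the mean
    noisy = sum(clamped) / n + laplace(sensitivity / epsilon, rng)
    # Post-processing: keeping the output in range costs no extra privacy.
    return min(max(noisy, lower), upper)


if __name__ == "__main__":
    # Constructed sample: 60 businesses reporting a reply rate in percent.
    cell = {f"acct{i}": 40.0 + (i % 7) for i in range(60)}
    print(release_mean(cell, 0.0, 100.0, epsilon=0.5, rng=random.Random()))
```

Sampling noise from floating-point arithmetic like this is known to leak information in adversarial settings, so a production pipeline would use a vetted differential-privacy library instead.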

7. PII Redaction Before Any Cross-Tenant Processing

Before any message content is considered for Layer 3 aggregation (and before any message is sent to AI models for classification), Olkot applies the following redaction steps:

  • Regex-based masking of structured PII: email addresses, phone numbers (E.164 and regional formats), credit/debit card numbers (all major schemes), IBAN/BBAN, URLs, and Instagram @usernames;
  • Named-entity recognition (NER) to identify and redact person names, organization names, and geographic locations from message text;
  • Card/IBAN masking on ingest: when detected in an incoming DM, the sensitive digits are replaced with asterisks before the message is stored — the original data is not written to the database.

These measures minimize the risk that any personal data of your customers could appear in Layer 3 Aggregate Data.
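The card/IBAN masking-on-ingest step described above, as an added illustration that is not Olkot's code. It assumes candidates are found by regex and confirmed by checksum (Luhn for cards, mod-97 for IBANs) before masking, and that the last four characters (plus the IBAN country code) stay visible; these choices and all names are hypothetical.

```python
import re

# Candidate patterns only; checksum validation decides what gets masked.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(compact: str) -> bool:
    """ISO 13616 check: move the first 4 chars to the end, letters to 10..35, mod 97 == 1."""
    if not 15 <= len(compact) <= 34:
        return False
    rearranged = compact[4:] + compact[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


def _mask(span: str, keep_head: int, keep_tail: int) -> str:
    """Replace alphanumerics with '*', keeping separators and the head/tail characters."""
    idx = [i for i, c in enumerate(span) if c.isalnum()]
    hidden = set(idx[keep_head:len(idx) - keep_tail])
    return "".join("*" if i in hidden else c for i, c in enumerate(span))


def _iban_sub(m: re.Match) -> str:
    s = m.group(0)
    return _mask(s, 2, 4) if iban_ok(s.replace(" ", "")) else s


def _card_sub(m: re.Match) -> str:
    s = m.group(0)
    pos = [i for i, c in enumerate(s) if c.isdigit()]
    # Greedy matching can glue a trailing number (such as an expiry) onto the
    # card number, so test every 13-19 digit prefix, longest first.
    for n in range(min(len(pos), 19), 12, -1):
        if luhn_ok("".join(s[i] for i in pos[:n])):
            end = pos[n - 1] + 1
            return _mask(s[:end], 0, 4) + s[end:]
    return s  # no valid checksum: treat as an ordinary number


def mask_financial(text: str) -> str:
    """Mask validated IBANs and card numbers; call this before the message is stored."""
    # IBANs first: their digit runs would otherwise be picked up as card candidates.
    return CARD_RE.sub(_card_sub, IBAN_RE.sub(_iban_sub, text))


if __name__ == "__main__":
    # Constructed sample DMs using publicly documented test numbers.
    for dm in ("card 4111 1111 1111 1111 exp 12/27",
               "pay to DE89 3704 0044 0532 0130 00 please",
               "order 1234 5678 9012 3456"):
        print(mask_financial(dm))
```

Checksum validation keeps order numbers and phone numbers readable, at the cost that a mistyped card number, or an IBAN written in lowercase, passes through unmasked.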

8. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

Strictly Necessary (cannot be disabled)

  • Authentication cookie: Supabase session token that keeps you logged in. Expires when you sign out or your session expires.
  • CSRF token: Protects form submissions against cross-site request forgery. Session-scoped.

Functional (required for full experience)

  • Preference cookies: Store your language, display settings, and UI preferences. Expire after 12 months.

Analytics (can be disabled)

  • PostHog: Captures named product events (what features you use) to help us understand usage patterns and improve the product. IP addresses are anonymized. PostHog operates as a sub-processor under our DPA. Does not track you across third-party sites.

Error Monitoring (can be disabled)

  • Sentry: Captures application errors and session replay data to help us debug issues. DM Content is excluded from error reports.

You can manage analytics and error monitoring cookies in Settings → Privacy → Cookie Preferences. Disabling non-essential cookies does not affect your access to core features.

9. Data Retention

We retain personal data only as long as necessary for the stated purpose, legal obligation, or legitimate interest:

Data category | Retention period | Reason
Account data (profile, email) | Account lifetime + 30 days | Service delivery; deletion grace period
DM Content — Layer 1 | Account lifetime + 30 days | Service delivery; deletion grace period
Business metrics — Layer 2 | Account lifetime + 30 days | Service delivery; deletion grace period
Instagram OAuth tokens | Until revoked or account deleted | API access
Industry aggregates — Layer 3 | Indefinite | Not personal data; no individual identifiable
Billing records and invoices | 7 years | Standard commercial retention obligation
Data access audit log | 3 years | GDPR accountability obligation
Product analytics events (PostHog) | 24 months | Product analysis; then auto-deleted by PostHog
Error logs (Sentry) | 90 days | Debugging; auto-deleted by Sentry
Support communications (email) | 2 years | Dispute resolution and follow-up
Trial sequence email events | 12 months | Email deliverability and compliance

After the applicable retention period, data is permanently and securely deleted from all production systems, including database backups, within 90 days.

10. Your Rights Under GDPR

If you are located in the EEA, you have the following rights in respect of your personal data. These rights may be limited in certain circumstances by applicable law.

Right of Access (Art. 15)

You may request a copy of the personal data we hold about you, along with information about how we process it. We will respond within 30 days. You can also export your account data directly from Settings → Privacy → Export Data.

Right to Rectification (Art. 16)

You may correct inaccurate or incomplete personal data. Most account details can be updated directly in Settings. For data we hold that you cannot edit, contact olkot.app@gmail.com.

Right to Erasure — "Right to Be Forgotten" (Art. 17)

You may request deletion of your personal data. Account deletion can be initiated via Settings → Privacy → Delete Account. We apply a 7-day grace period before initiating deletion to protect against accidental requests. Deletion is completed within 30 days.

Exceptions to deletion: (a) billing records are retained for 7 years under Spanish commercial law; (b) anonymous Layer 3 aggregates cannot be individually deleted because they contain no personal data; (c) we may retain data where required by applicable law or legitimate legal obligation.

Right to Data Portability (Art. 20)

You may receive your personal data in a structured, machine-readable format (JSON) from Settings → Privacy → Export Data, and transmit it to another controller.

Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your data while you contest its accuracy, the lawfulness of our processing, or while we investigate an objection.

Right to Object (Art. 21)

You have the right to object to processing based on legitimate interest (including Layer 3 aggregation and product analytics). You may object to each type of processing independently via Settings → Privacy or by contacting olkot.app@gmail.com. We will cease the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision-Making (Art. 22)

AI Features in Olkot (message classification, priority scores, Dead Money estimates) are analytical tools designed to assist your decision-making. They do not produce legal or similarly significant effects autonomously — a human (you) reviews and acts on the outputs. You retain full control over any action taken as a result of AI outputs.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw consent at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

How to Exercise Your Rights

Email olkot.app@gmail.com with the subject line "GDPR Request — [Right Name]" and your account email address. We will verify your identity before processing the request. We will respond within 30 days; for complex or high-volume requests, we may extend this by up to 60 additional days, with notice. We will not charge a fee for reasonable requests.

Right to Lodge a Complaint

You have the right to lodge a complaint with the data protection supervisory authority in your country of residence. EU/EEA users can find their national authority at edpb.europa.eu/about-edpb/board/members.

11. Third-Party Sub-Processors

We share personal data with the following third-party sub-processors, each bound by a Data Processing Agreement meeting GDPR requirements:

Sub-processor | Purpose | Location | Data shared
Supabase, Inc. | Database hosting, authentication | USA (EU region available) | All account data, DM Content (encrypted), metrics
OpenAI, L.L.C. | AI classification, reply drafts, transcription | USA | DM Content (Layer 1) sent in real-time for inference only
Unipile SAS | Instagram API integration (DM access) | France (EU) | Instagram OAuth tokens, incoming message webhooks
Whop Corp. | Billing and subscription management | USA | Email address, subscription plan and status
Resend, Inc. | Transactional and trial sequence email | USA | Email address, first name, locale
PostHog, Inc. | Product usage analytics | USA / EU (EU instance available) | Usage events, anonymized IP
Functional Software, Inc. (Sentry) | Error monitoring and performance | USA | Error context, session data (no DM Content)

Sub-processor changes: We will notify you by email at least 14 days before adding a new sub-processor or making a material change to an existing sub-processor's scope, giving you an opportunity to object. If you object and we cannot accommodate your objection, your sole remedy is to terminate the Agreement under Section 19 of the Terms of Service.

12. International Data Transfers

Several sub-processors (Supabase, OpenAI, Whop, Resend, PostHog, Sentry) are based in or transfer data to the United States, which is not subject to an EU adequacy decision for all transfer purposes. We ensure lawful international transfers through:

  • EU-US Data Privacy Framework (DPF): Where the recipient sub-processor is certified under the EU-US DPF (or the UK extension thereof), transfers are lawful under that adequacy decision;
  • Standard Contractual Clauses (SCCs): For transfers not covered by an adequacy decision, we rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914, Module 2 — Controller to Processor);
  • Transfer Impact Assessments (TIAs): We conduct TIAs for transfers to high-risk jurisdictions to assess whether SCCs provide adequate protection in practice.

Documentation of the specific legal mechanism used for each sub-processor is available upon request at olkot.app@gmail.com.

13. Zero-Access Policy for DM Content

No Olkot employee, contractor, founder, or support agent has standing access to Layer 1 DM Content. Access is technically restricted at the database level through:

  • Row Level Security (RLS) policies enforced at the PostgreSQL layer — all queries are tenant-scoped;
  • AES-256-GCM encryption at rest — the encryption key is not available to application-layer personnel;
  • No administrative "view as user" functionality in the Olkot backend.

Exception — support access: In exceptional circumstances where you request support for a technical issue that requires review of specific DM data, access may be granted only with:

  • Your explicit, written consent specifying the scope and purpose;
  • A time-limited access window (maximum 2 hours);
  • A mandatory entry in our data access audit log recording who accessed what and when;
  • Automatic expiry of elevated access after the window closes.

You may request a copy of your data access log entries at any time by contacting olkot.app@gmail.com.

14. Data Security

We implement technical and organizational measures appropriate to the risk, including:

  • Encryption at rest: DM Content is encrypted using AES-256-GCM. Authentication tokens are encrypted before storage.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Tenant isolation: Row Level Security (RLS) is enforced at the database level on all tables containing user data. Queries from one tenant cannot access another tenant's data.
  • Sensitive data masking: Credit/debit card patterns and IBAN numbers detected in incoming DMs are masked before database storage.
  • Access controls: Least-privilege access principles are applied to all internal systems. Production database access requires multi-factor authentication.
  • Security monitoring: We monitor for anomalous access patterns, authentication failures, and potential security incidents.
  • Regular reviews: We conduct periodic reviews of our security practices and sub-processor DPAs.

No security measure is 100% foolproof. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and in any case within 72 hours of becoming aware (GDPR Arts. 33–34). Notification will include: the nature of the breach, likely consequences, measures taken or proposed, and contact details for further information.

15. Children's Data

The Service is intended exclusively for use by individuals who are at least 18 years old, acting in a professional or business capacity. We do not knowingly collect or process the personal data of children under 16 years of age (or the applicable age of digital consent in your jurisdiction).

If you believe we have inadvertently received personal data of a minor, please contact us immediately at olkot.app@gmail.com. We will delete such data promptly upon verification.

While DM Content from your connected Instagram account may contain messages from individuals of any age (including minors contacting your business), this data is processed solely on your behalf as Data Processor. You, as Data Controller, are responsible for ensuring your messaging practices comply with applicable laws concerning minors.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. For material changes — for example, new categories of personal data collected, new sub-processors, or changes to our legal bases — we will notify you by email to your registered address at least 30 days before the change takes effect.

The "Last updated" date at the top of this page shows when the Policy was most recently revised. We encourage you to review this Policy periodically. Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.

17. Contact and Data Protection Inquiries

For any privacy question, rights exercise request, or data protection concern:

We aim to respond to all privacy inquiries within 5 business days and to complete substantive rights requests within 30 calendar days.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. EU/EEA users can find their national authority at edpb.europa.eu/about-edpb/board/members.