Effective date: March 21, 2026

Privacy Policy

This Privacy Policy explains how Oack ("we", "us", "our") collects, uses, stores, and protects your information when you use our website (oack.io) and platform (app.oack.io).

We believe in transparency. This policy is written in plain language so you can understand exactly what data we handle and why.

1. What We Collect

1.1 Account Information

When you sign up, we collect:

  • Name and email address — provided directly or via OAuth (Google, GitHub, Slack, Microsoft, Apple, Yandex).
  • Company name, job role, and company size — optional, collected during onboarding.
  • Phone number — only if you enable SMS or call alert channels.
  • Profile picture — optional.
  • Timezone and language preference — for display and notification timing.

1.2 Monitoring Data

When you create monitors, we collect and store:

  • URLs and endpoints — the addresses you choose to monitor.
  • Probe results — HTTP status codes, response times (DNS, TCP, TLS, TTFB), response headers, and truncated response bodies (up to 1 KB).
  • TCP telemetry — kernel-level metrics (RTT, retransmits, congestion window) collected during probes.
  • Packet captures — optional per-probe pcap data, only when debug mode is enabled by you.
  • Custom request headers and body — configured by you for authenticated endpoint monitoring. These may contain API keys or tokens you provide.

1.3 Session & Device Data

When you log in, we record:

  • IP address — for session management and security.
  • Browser and device information — user agent, device type, operating system.
  • Last active timestamp — to manage session lifecycle.

1.4 Payment Data

We use a third-party payment processor. We store a payment provider customer ID to link your account to your subscription. We do not store credit card numbers, CVVs, or full payment details on our servers.

1.5 Communication Data

If you contact us via the demo request form, we collect your name, email, company, and message. If you connect alert channels, we store the minimum data needed to deliver notifications (e.g., Slack webhook URL, Telegram chat ID, PagerDuty API key).

1.6 Marketing Attribution

We may collect UTM parameters (source, medium, campaign) and referral source when you sign up, to understand how you found us. This data is not shared with third parties.

2. How We Use Your Data

We use your data to:

  • Provide the service — run monitors, deliver alerts, display dashboards and analytics.
  • Authenticate you — manage sessions and enforce role-based access control.
  • Send notifications — deliver alerts via your configured channels (email, Slack, Discord, Telegram, PagerDuty, SMS, push, webhooks).
  • Manage your subscription — process payments, enforce plan limits, handle invoicing.
  • Improve the product — understand usage patterns to prioritize features and fix issues.
  • Communicate with you — respond to support requests, send service updates (not marketing).

We do not sell your data. We do not use your monitoring data to train AI models. We do not show you ads.

4. Data Sharing & Third Parties

We share data only with services necessary to operate the platform:

| Service | Purpose | Data Shared |
|---|---|---|
| Resend | Transactional email | Recipient email, subject, message content |
| Payment processor | Subscription billing | Customer ID, plan selection |
| OAuth providers | Authentication | Email, name (received from provider) |

When you connect integrations (Slack, Discord, Telegram, PagerDuty), alert data is sent to those services as configured by you. We do not share data with any other third parties, advertisers, or data brokers.

We may disclose data if required by law or to protect the safety and security of our users.

5. Data Retention

We retain data for as long as needed to provide the service:

| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account + 30-day grace period |
| Probe results | 7 days (Free), 90 days (Pro), 365 days (Business) |
| Traceroute data | 7 days |
| Session data | 90 days from last activity |
| Notification logs | 90 days |
| Unverified email subscriptions | Automatically deleted after 24 hours |

When you delete your account, we soft-delete your data immediately and permanently remove it after a 30-day grace period (in case you change your mind).

6. Data Security

We take reasonable measures to protect your data:

  • Encryption in transit — all connections use TLS (HTTPS). No exceptions.
  • Password hashing — passwords are hashed using industry-standard algorithms. We never store plaintext passwords.
  • API key security — API keys are stored as SHA-256 hashes. Only the key prefix is visible in the UI.
  • OAuth with PKCE — OAuth flows use PKCE (Proof Key for Code Exchange) for additional security.
  • Role-based access control — account and team-level roles restrict data access.
  • Webhook HMAC signatures — webhook payloads are signed so you can verify they came from Oack.

No system is 100% secure. If you discover a vulnerability, please report it to [email protected] or reach us on Discord / Telegram.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate personal data.
  • Erasure — request deletion of your account and associated data.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object to processing — opt out of data processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, email [email protected] or reach us on Discord / Telegram. We will respond within 30 days.

California residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell personal information. To make a request, email [email protected] or reach us on Discord / Telegram.

8. Cookies & Local Storage

We use minimal client-side storage:

| Key | Type | Purpose |
|---|---|---|
| theme | localStorage | Remember your light/dark mode preference |
| language | localStorage | Remember your language preference |
| Session token | httpOnly cookie | Authenticate your session in the app |
| cookie-consent | localStorage | Remember your analytics consent choice |
| Google Analytics | cookies | Website usage analytics (loaded only with your consent) |
| Yandex Metrica | cookies | Website usage analytics, session replay (loaded only with your consent) |

Analytics cookies from Google Analytics and Yandex Metrica are only loaded after you give explicit consent via the cookie banner. If you decline, no analytics scripts are loaded and no tracking cookies are set. We do not use third-party advertising cookies.

9. International Data Transfers

Oack's infrastructure may process data in multiple regions. When your data is transferred outside your home jurisdiction, we ensure appropriate safeguards are in place, including standard contractual clauses where required by applicable law.

10. Children's Privacy

Oack is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email or by posting a notice on our website. The "Effective date" at the top of this page indicates the last revision.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights: