This policy covers every piece of personal data OKY touches — what, why, for how long, and what you can do about it. GDPR Article 13/14 compliant.
Last updated: 22 April 2026 · Effective: on publication · Version: 1.0
The "controller" of your data under GDPR Article 4(7).
30 Abovyan str., 0001 Yerevan, Armenia.
Contact: privacy@oky.ai
Data protection contact: Davit Vardanov
OKY is operated from Armenia, which is outside the EU/EEA. As we offer services to individuals in the EU/EEA, we are designating an Article 27 representative. Until the representative is finalized, residents of the EU/EEA may raise GDPR requests directly via the contact above and we will respond within the 30-day statutory window.
Every category mapped to its purpose — no hidden buckets.
Name and email address obtained from Google / Microsoft OAuth when you sign up. Used to create your OKY account and bill your tier.
OAuth access tokens, refresh tokens, JWT session identifiers. Used to authorize requests to your mailbox and to keep you signed in.
For users who enable Gmail / Outlook scanning: the full body, subject, headers, and attachment metadata of incoming messages. Used once for security analysis, then either deleted (clean) or retained in encrypted form (malicious / suspicious) per retention below.
Email addresses and message contents of people who send email to our users. Processed under legitimate interest (GDPR Art. 6(1)(f)) to protect the recipient from fraud. Never retained longer than the recipient's message, never used for any purpose outside the security verdict.
URLs you submit for scanning (via extension, dashboard, API, or Telegram bot), their hostnames, paths, query parameters, and the verdict we produced. Cached to avoid repeat API costs.
Package names, version codes, permissions, cert hashes, and tracker counts for Android apps you scan. We do not upload the APK binary to third parties without explicit action.
Telegram user IDs, usernames, chat IDs of people involved in scans you initiate via the OKY support bot. Stored only long enough to deliver a verdict to you.
IP address, user-agent, request timestamps, HTTP referer. Used for rate-limiting, security, and debugging. Aggregated after 30 days.
Your dashboard settings, extension toggles, scan history, verdict disputes, and token balance. Used to personalize the product.
Browser / extension / mobile app fingerprints used to verify that scan requests come from an unmodified client. Device-bound, not linked to any external identifier.
Special categories (Art. 9 GDPR): we do not deliberately process health, political, religious, sexual, biometric, or trade-union data. Email bodies may incidentally contain such content; we scan only for threat indicators and do not extract or analyze sensitive attributes as such.
Children: OKY is not directed at anyone under 16. If you are under 16, do not create an account. If we learn we are processing data of a child under 16 without parental consent, we will delete it.
The lawful basis for each purpose (GDPR Art. 6(1)).
Creating your account, scanning your inbox, returning verdicts, charging your tier, delivering support.
Analyzing messages from third-party senders so we can warn you of phishing. The recipient's interest in fraud protection outweighs the sender's interest in not being scanned; senders retain all rights to object (see "Your rights" below).
Rate-limiting, abuse detection, intrusion prevention, log retention. 30-day IP/UA retention cap.
Complying with tax, accounting, and incident-response laws. Invoices retained 10 years per German HGB § 257.
Optional analytics cookies, email newsletter (if you opt in). Withdrawable any time with no impact on the core service.
How we call "malicious" and what you can do if we're wrong.
Every scan produces a machine verdict — clean, suspicious, or malicious — using a weighted score across ~40 signals. The verdict may hide an email in Gmail, flag a URL as blocked in your browser extension, or quarantine an APK.
The verdict never irreversibly affects your legal status. You can always override (mark as safe, dispute, request rescan). We provide an explicit dispute path in the dashboard at /dispute.
If you believe a verdict is wrong, open a dispute. A human reviewer responds within 3 business days. This is free for every tier, including free.
In plain terms: ~15 URL heuristics + domain age + reputation feeds + a Claude language-analysis pass + VirusTotal / APIVoid lookups. Weights are tunable in-product by our operators; we never expose individual signal scores publicly so attackers can't probe thresholds.
Our sub-processors. Changes are notified in this policy — we don't add new ones silently.
Server hosting. Signed a GDPR Art. 28 DPA. ISO 27001, ISO 27701 certified. Data stored in Nuremberg, Germany.
Gmail API, Google Cloud Storage (encrypted email archives), Pub/Sub (inbox push). Standard Contractual Clauses in place. DPA.
Claude language analysis. PII redaction applied to email content before it is sent to Claude — emails, phone numbers, SSNs, card numbers are masked. Standard Contractual Clauses.
URL & file-hash reputation lookups. URLs you scan are sent to VirusTotal. Standard Contractual Clauses.
Domain, IP, email reputation lookups. EU-based processor.
Bot messaging transport for the support and scan bots. Only used for users who explicitly connect Telegram.
Outlook API, for users who sign in with Microsoft. Standard Contractual Clauses.
We never sell your personal data. We never share it with advertisers. We never use your email content to train our own models.
What leaves the EU/EEA and how we protect it.
EU → US transfers rely on EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914 plus supplementary technical measures (TLS 1.3, at-rest AES-256-GCM, PII redaction before AI pass).
Operator location. Armenia has not yet been granted an EU adequacy decision; transfers rely on SCCs between OKY and the EU-based processors, and on this Privacy Policy as a transparency instrument to data subjects.
Applies only if you connect Telegram. SCCs in place with Telegram FZ-LLC. You can disconnect at any time from your dashboard.
Every category has an explicit expiry — we run an automated prune job daily.
90 days from receipt. Clean verdicts pruned sooner (7 days) to minimize exposure.
730 days (2 years) from receipt, or earlier on request. Needed for threat-history and dispute.
Retained for the life of the account + 90 days after deletion.
Clean: 1 hour. Suspicious: 30 minutes. Malicious: 10 minutes. All configurable in-product.
30 days, then aggregated and de-identified.
Deleted within 30 days of account closure except where legal retention applies.
10 years per German HGB § 257 (Netcup billing chain).
Every right in GDPR Chapter III is available to you. Free, within 30 days, no questions asked.
Request a full export of your data in JSON/ZIP. Use the "Export my data" button in Settings, or email us. We respond within 30 days.
Correct any inaccurate data in Settings. We can also do it manually if you email us.
Delete your account + all associated data. Use "Delete my account" in Settings. Hard deletion happens within 30 days across Postgres, GCS, and all caches.
Pause scanning without deleting your data. Toggle "Pause scanning" in Settings.
Your data export is a machine-readable JSON conforming to our public schema. Re-importable anywhere.
Object to any processing based on legitimate interest. Applies especially to email senders who did not consent to being analyzed — send us the affected email address and we will remove it from any retained dataset.
Anywhere we relied on consent (e.g., analytics cookies, newsletter), you can withdraw it. Does not affect the core service.
Every verdict is disputable. One click in the extension or dashboard opens a case with a human reviewer.
How to reach us:privacy@oky.ai — subject line "GDPR request". We'll confirm receipt within 48h and respond in full within 30 days (may extend once by a further 60 days for complex cases, per Art. 12(3)).
We use only what we need. No third-party advertising cookies. Ever.
Session cookie for the dashboard (HttpOnly, SameSite=Strict, Secure). Used for authenticated session only. Expires on logout or after 72 hours of inactivity.
chrome.storage.local / browser.storage.local — holds your JWT token and UI preferences. Stays on your device, never sent to us except as the Authorization header on API requests.
None active today. If we enable privacy-preserving analytics (e.g. Plausible) in future, it will require a consent banner and a separate opt-in.
The technical and organizational measures that satisfy Art. 32 GDPR.
TLS 1.3 only (HTTP/2 + HSTS with 1-year max-age). No cleartext anywhere in the stack.
Application secrets encrypted with AES-256-GCM in a self-hosted vault, master key on disk with 0600 permissions, never transmitted.
OAuth2 + JWT with 72h expiry. Role-based access. Every admin action audit-logged with operator identity, timestamp, and diff.
Attachment detonation runs in a Docker container with --cap-drop ALL, read-only root, tmpfs /tmp, no outbound network by default, non-root user.
Redis sliding-window rate limits on every public endpoint. Webhook senders authenticated via JWT (Google Pub/Sub) or shared-secret token (Telegram).
URL scanner rejects loopback, private, link-local, metadata, and intranet addresses at the scanner boundary + per-probe. DNS rebinding defense applied.
In the event of a personal-data breach, we notify the competent supervisory authority within 72 hours (Art. 33) and, where required, notify affected data subjects without undue delay (Art. 34).
You can complain to a supervisory authority in your EU/EEA member state.
EU/EEA residents have the right under Art. 77 GDPR to lodge a complaint with the supervisory authority in the country where you live, work, or where the alleged infringement took place. The European Data Protection Board keeps a full list of national authorities.
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart. Website.
We notify you in-product and by email for any material change.
New sub-processor, new purpose of processing, expanded retention, change in legal basis — we email you at least 14 days in advance and require you to re-accept on next login.
Typos, clarifications, URL updates — we update this page and bump the version + "Last updated" date.
We keep a public log of changes at /privacy/changes. Every diff is attributable to a commit hash in the public OKY source repository.