PRIVACY POLICY

Your data. Our rules, plain-spoken.

This policy covers every piece of personal data OKY touches — what, why, for how long, and what you can do about it. GDPR Article 13/14 compliant.

Last updated: 22 April 2026 · Effective: on publication · Version: 1.0

Who we are

The "controller" of your data under GDPR Article 4(7).

OKY Labs (operated by Davit Vardanov)

30 Abovyan str., 0001 Yerevan, Armenia.
Contact: privacy@oky.ai
Data protection contact: Davit Vardanov

EU / UK representative

OKY is operated from Armenia, which is outside the EU/EEA. As we offer services to individuals in the EU/EEA, we are designating an Article 27 representative. Until the representative is finalized, residents of the EU/EEA may raise GDPR requests directly via the contact above and we will respond within the 30-day statutory window.

What personal data we process

Every category mapped to its purpose — no hidden buckets.

Account data

Name and email address obtained from Google / Microsoft OAuth when you sign up. Used to create your OKY account and bill your tier.

Authentication

OAuth access tokens, refresh tokens, JWT session identifiers. Used to authorize requests to your mailbox and to keep you signed in.

Email content

For users who enable Gmail / Outlook scanning: the full body, subject, headers, and attachment metadata of incoming messages. Used once for security analysis, then either deleted (clean) or retained in encrypted form (malicious / suspicious) per retention below.

Third-party senders

Email addresses and message contents of people who send email to our users. Processed under legitimate interest (GDPR Art. 6(1)(f)) to protect the recipient from fraud. Never retained longer than the recipient's message, never used for any purpose outside the security verdict.

URL metadata

URLs you submit for scanning (via extension, dashboard, API, or Telegram bot), their hostnames, paths, query parameters, and the verdict we produced. Cached to avoid repeat API costs.

APK metadata

Package names, version codes, permissions, cert hashes, and tracker counts for Android apps you scan. We do not upload the APK binary to third parties without explicit action.

Telegram identifiers

Telegram user IDs, usernames, chat IDs of people involved in scans you initiate via the OKY support bot. Stored only long enough to deliver a verdict to you.

Traffic data

IP address, user-agent, request timestamps, HTTP referer. Used for rate-limiting, security, and debugging. Aggregated after 30 days.

Preference & behavior data

Your dashboard settings, extension toggles, scan history, verdict disputes, and token balance. Used to personalize the product.

Attestation data

Browser / extension / mobile app fingerprints used to verify that scan requests come from an unmodified client. Device-bound, not linked to any external identifier.

Special categories (Art. 9 GDPR): we do not deliberately process health, political, religious, sexual, biometric, or trade-union data. Email bodies may incidentally contain such content; we scan only for threat indicators and do not extract or analyze sensitive attributes as such.

Children: OKY is not directed at anyone under 16. If you are under 16, do not create an account. If we learn we are processing data of a child under 16 without parental consent, we will delete it.

Why we process your data

The lawful basis for each purpose (GDPR Art. 6(1)).

To deliver the service — Art. 6(1)(b) contract

Creating your account, scanning your inbox, returning verdicts, charging your tier, delivering support.

Security of third parties — Art. 6(1)(f) legitimate interest

Analyzing messages from third-party senders so we can warn you of phishing. The recipient's interest in fraud protection outweighs the sender's interest in not being scanned; senders retain all rights to object (see "Your rights" below).

Our own security — Art. 6(1)(f) legitimate interest

Rate-limiting, abuse detection, intrusion prevention, log retention. 30-day IP/UA retention cap.

Legal obligation — Art. 6(1)(c)

Complying with tax, accounting, and incident-response laws. Invoices retained 10 years per German HGB § 257.

Consent — Art. 6(1)(a)

Optional analytics cookies, email newsletter (if you opt in). Withdrawable any time with no impact on the core service.

Automated decision-making — the verdict

How we call "malicious" and what you can do if we're wrong.

What is automated

Every scan produces a machine verdict — clean, suspicious, or malicious — using a weighted score across ~40 signals. The verdict may hide an email in Gmail, flag a URL as blocked in your browser extension, or quarantine an APK.

Why this is not Art. 22 "solely automated"

The verdict never irreversibly affects your legal status. You can always override (mark as safe, dispute, request rescan). We provide an explicit dispute path in the dashboard at /dispute.

Human review on request

If you believe a verdict is wrong, open a dispute. A human reviewer responds within 3 business days. This is free for every tier, including free.

Logic & significance

In plain terms: ~15 URL heuristics + domain age + reputation feeds + a Claude language-analysis pass + VirusTotal / APIVoid lookups. Weights are tunable in-product by our operators; we never expose individual signal scores publicly so attackers can't probe thresholds.

Who we share your data with

Our sub-processors. Changes are notified in this policy — we don't add new ones silently.

Netcup GmbH (Germany)

Server hosting. Signed a GDPR Art. 28 DPA. ISO 27001, ISO 27701 certified. Data stored in Nuremberg, Germany.

Google Cloud (USA / EU)

Gmail API, Google Cloud Storage (encrypted email archives), Pub/Sub (inbox push). Standard Contractual Clauses in place. DPA.

Anthropic (USA)

Claude language analysis. PII redaction applied to email content before it is sent to Claude — emails, phone numbers, SSNs, card numbers are masked. Standard Contractual Clauses.

VirusTotal (Google, USA)

URL & file-hash reputation lookups. URLs you scan are sent to VirusTotal. Standard Contractual Clauses.

APIVoid (Cyprus)

Domain, IP, email reputation lookups. EU-based processor.

Telegram FZ-LLC (UAE)

Bot messaging transport for the support and scan bots. Only used for users who explicitly connect Telegram.

Microsoft / Outlook (USA)

Outlook API, for users who sign in with Microsoft. Standard Contractual Clauses.

We never sell your personal data. We never share it with advertisers. We never use your email content to train our own models.

International data transfers

What leaves the EU/EEA and how we protect it.

USA (Google, Anthropic, Microsoft, VirusTotal)

EU → US transfers rely on EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914 plus supplementary technical measures (TLS 1.3, at-rest AES-256-GCM, PII redaction before AI pass).

Armenia

Operator location. Armenia has not yet been granted an EU adequacy decision; transfers rely on SCCs between OKY and the EU-based processors, and on this Privacy Policy as a transparency instrument to data subjects.

UAE (Telegram)

Applies only if you connect Telegram. SCCs in place with Telegram FZ-LLC. You can disconnect at any time from your dashboard.

How long we keep your data

Every category has an explicit expiry — we run an automated prune job daily.

Email content — free tier

90 days from receipt. Clean verdicts pruned sooner (7 days) to minimize exposure.

Email content — paid tiers

730 days (2 years) from receipt, or earlier on request. Needed for threat-history and dispute.

Verdicts & scan history

Retained for the life of the account + 90 days after deletion.

URL scan cache

Clean: 1 hour. Suspicious: 30 minutes. Malicious: 10 minutes. All configurable in-product.

Traffic logs (IP / UA)

30 days, then aggregated and de-identified.

Account data

Deleted within 30 days of account closure except where legal retention applies.

Invoices

10 years per German HGB § 257 (Netcup billing chain).

Your rights — how to use them

Every right in GDPR Chapter III is available to you. Free, within 30 days, no questions asked.

Access — Art. 15

Request a full export of your data in JSON/ZIP. Use the "Export my data" button in Settings, or email us. We respond within 30 days.

Rectification — Art. 16

Correct any inaccurate data in Settings. We can also do it manually if you email us.

Erasure — Art. 17 ("right to be forgotten")

Delete your account + all associated data. Use "Delete my account" in Settings. Hard deletion happens within 30 days across Postgres, GCS, and all caches.

Restriction — Art. 18

Pause scanning without deleting your data. Toggle "Pause scanning" in Settings.

Portability — Art. 20

Your data export is a machine-readable JSON conforming to our public schema. Re-importable anywhere.

Object — Art. 21

Object to any processing based on legitimate interest. Applies especially to email senders who did not consent to being analyzed — send us the affected email address and we will remove it from any retained dataset.

Withdraw consent — Art. 7(3)

Anywhere we relied on consent (e.g., analytics cookies, newsletter), you can withdraw it. Does not affect the core service.

Automated-decision review — Art. 22

Every verdict is disputable. One click in the extension or dashboard opens a case with a human reviewer.

How to reach us:privacy@oky.ai — subject line "GDPR request". We'll confirm receipt within 48h and respond in full within 30 days (may extend once by a further 60 days for complex cases, per Art. 12(3)).

Cookies & similar technologies

We use only what we need. No third-party advertising cookies. Ever.

Strictly necessary (no consent needed)

Session cookie for the dashboard (HttpOnly, SameSite=Strict, Secure). Used for authenticated session only. Expires on logout or after 72 hours of inactivity.

Extension storage

chrome.storage.local / browser.storage.local — holds your JWT token and UI preferences. Stays on your device, never sent to us except as the Authorization header on API requests.

Optional analytics

None active today. If we enable privacy-preserving analytics (e.g. Plausible) in future, it will require a consent banner and a separate opt-in.

How we secure your data

The technical and organizational measures that satisfy Art. 32 GDPR.

In transit

TLS 1.3 only (HTTP/2 + HSTS with 1-year max-age). No cleartext anywhere in the stack.

At rest

Application secrets encrypted with AES-256-GCM in a self-hosted vault, master key on disk with 0600 permissions, never transmitted.

Access control

OAuth2 + JWT with 72h expiry. Role-based access. Every admin action audit-logged with operator identity, timestamp, and diff.

Sandbox isolation

Attachment detonation runs in a Docker container with --cap-drop ALL, read-only root, tmpfs /tmp, no outbound network by default, non-root user.

Rate limiting & abuse

Redis sliding-window rate limits on every public endpoint. Webhook senders authenticated via JWT (Google Pub/Sub) or shared-secret token (Telegram).

SSRF protection

URL scanner rejects loopback, private, link-local, metadata, and intranet addresses at the scanner boundary + per-probe. DNS rebinding defense applied.

Incident response

In the event of a personal-data breach, we notify the competent supervisory authority within 72 hours (Art. 33) and, where required, notify affected data subjects without undue delay (Art. 34).

Filing a complaint

You can complain to a supervisory authority in your EU/EEA member state.

Your local supervisory authority

EU/EEA residents have the right under Art. 77 GDPR to lodge a complaint with the supervisory authority in the country where you live, work, or where the alleged infringement took place. The European Data Protection Board keeps a full list of national authorities.

Germany (our hosting location)

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart. Website.

Changes to this policy

We notify you in-product and by email for any material change.

Material changes

New sub-processor, new purpose of processing, expanded retention, change in legal basis — we email you at least 14 days in advance and require you to re-accept on next login.

Non-material changes

Typos, clarifications, URL updates — we update this page and bump the version + "Last updated" date.

Version history

We keep a public log of changes at /privacy/changes. Every diff is attributable to a commit hash in the public OKY source repository.