Privacy Policy of Oxolo GmbH
At Oxolo, we take the protection of personal data seriously. This Privacy Policy informs you about how Oxolo GmbH processes personal data when you use our website oxolo.com, the Oxolo web application, the Oxolo iOS app, the Oxolo Android app, our support, communication and contract processes, and the B2B services we offer.
Oxolo is directed exclusively at business customers and their authorized users. This Privacy Policy is therefore designed for the use of Oxolo in a B2B context within the EU.
Insofar as we process personal data on behalf of a customer, the respective customer is generally the controller within the meaning of the General Data Protection Regulation. Oxolo then acts as a processor in accordance with the data processing agreement concluded with the customer. In addition, Oxolo processes certain data as its own controller, in particular for website operation, registration, account management, billing, security, support, communication, legal obligations, legal updates, marketing and its own product-operation data.
1. Controller and Data Protection Contact
The controller for the processing described in this Privacy Policy, insofar as Oxolo itself decides on the purposes and means, is:
Oxolo GmbH
Bohnenstrasse 2
20457 Hamburg
Germany
Email for general communication: team@oxolo.com
Email for data protection requests and data subject rights: gdpr@oxolo.com
The Data Protection Officer of Oxolo GmbH can be reached at gdpr@oxolo.com.
The competent supervisory authority is:
The Hamburg Commissioner for Data Protection and Freedom of Information
Kurt-Schumacher-Allee 4
20097 Hamburg
Email: mailbox@datenschutz.hamburg.de
2. Terms and Roles
Personal data are all information relating to an identified or identifiable natural person. Processing means any handling of such data, such as collection, storage, transmission, retrieval, structuring, use, deletion or restriction.
In the product context, a distinction must be made:
Customer data / Customer Content: Content that customers or users enter, upload, record, share or have generated in Oxolo, for example audio recordings, transcripts, project data, photos, videos, signatures, reports, tasks, variations, delays, chat/WhatsApp content and other project documentation.
Account, contract and operational data: Data that Oxolo processes for its own account management, billing, security, support, communication, legal enforcement and product provision.
Website, marketing and analytics data: Data processed when visiting oxolo.com, when consenting to cookies/tracking, with the newsletter, with social-media profiles and with marketing campaigns.
For Customer Content, the customer is regularly the controller. Oxolo generally processes such data as a processor bound by instructions. For account, contract, security, support, website, marketing, communication and legal data, Oxolo is regularly its own controller.
3. Scope of Application
This Privacy Policy applies to:
the oxolo.com website and its subpages;
the Oxolo web application;
the Oxolo iOS app and Android app;
registration, login, user account, organizations, teams and subscriptions;
B2B contract initiation, contract performance, customer communication and legal updates;
support via email and comparable support channels;
WhatsApp Cloud API, insofar as this function is activated or used by a customer;
newsletter;
Oxolo's social-media profiles on LinkedIn, Facebook, Instagram and YouTube or comparable portals;
analytics, marketing and attribution technologies, insofar as these are used and legally permissible.
This Privacy Policy does not apply to third-party websites, services or content to which we merely link or which are provided independently by third parties. The privacy notices of the respective providers apply to such services.
4. Website Access and Technical Server Data
When you visit oxolo.com, we process technically necessary data transmitted by your browser or end device. This may include in particular the IP address, date and time of access, time zone, requested page or file, HTTP status, amount of data transferred, referrer URL, browser type, browser version, operating system, end-device type and similar technical information.
The purposes of this processing are the provision of the website, system security, abuse detection, error analysis, technical administration and improvement of the website. The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and user-friendly operation of the website. Insofar as access is necessary for the performance of pre-contractual measures, Article 6(1)(b) GDPR may additionally apply.
Technically necessary server data are stored only for as long as this is necessary for the stated purposes, subject to statutory retention obligations, security purposes and legal enforcement.
5. Cookies, Consent Management and Tracking on oxolo.com
On oxolo.com, we use a consent management system from OneTrust. Non-necessary cookies, pixels, tags, SDKs and comparable technologies are only set or read if you have consented beforehand. You can revoke or change a consent you have given at any time via the cookie settings.
The legal basis for technically non-necessary cookies, pixels, tags, SDKs and comparable technologies is your consent, Article 6(1)(a) GDPR and, insofar as information is accessed on or stored in your end device, the applicable consent provision for end devices under the Telecommunications Digital Services Data Protection Act (TDDDG). Technically necessary cookies and comparable technologies are used on the basis of Article 6(1)(f) GDPR and the applicable exception for strictly necessary storage or access operations.
As of the current status, we use the following tools:
| Tool / Provider | Purpose | Duration | Third-Country Transfer | Legal Basis |
|---|---|---|---|---|
| OneTrust | Obtaining, storing and documenting the consent decision as well as the banner status | up to 1 year | USA possible; DPF certification of OneTrust, insofar as applicable | Article 6(1)(f) GDPR; technically necessary for consent management |
| Google Tag Manager | Tag management and delivery of website tags | n/a (loads further tags after consent) | USA possible; DPF certification of Google LLC | Consent (Article 6(1)(a) GDPR in conjunction with Section 25 TDDDG), insofar as non-necessary tags are delivered |
| Google Ads (Conversion Tracking and Remarketing) | Measurement of ad performance, conversion tracking and remarketing | typically up to 90 days | USA possible; DPF certification of Google LLC | Consent |
| Meta Pixel (Facebook/Instagram) - currently exclusively on the Oxolo landing page | Measurement and optimization of campaigns on Meta platforms, remarketing | up to 2 months | USA possible; DPF certification of the Meta group | Consent; assess joint/independent controllership depending on the Meta configuration |
| PostHog (EU instance, eu.i.posthog.com) | Product and web analytics, usage evaluation, feature analysis, funnel and error analysis | up to 1 year | EU processing; supplementary EU SCCs vis-à-vis the US parent company | Consent for non-necessary analytics |
| AppsFlyer (mobile SDK in iOS/Android app) | Mobile attribution, campaign measurement, installation and conversion attribution in the mobile apps | usually up to 24 months | Processing in Germany (AppsFlyer Germany GmbH); group connection to Israel (adequacy decision) | Consent or app/device-based agreement pursuant to ATT (iOS) or Google UMP (Android) |
| Framer | Hosting and provision of the oxolo.com landing page, delivery of website scripts and hosted assets as well as provision and processing of lead/contact forms | essentially session-based | EU/Netherlands (Framer B.V.); supplementary EU SCCs, insofar as required | Article 6(1)(f) GDPR for the technically necessary website provision; consent, insofar as non-necessary tags/cookies are set |
| Google Fonts | Display of fonts on the website or in product interfaces | n/a | USA possible with external retrieval; DPF certification of Google LLC | With external retrieval: consent; with local embedding: technically necessary |
6. Registration, User Account and Login
A user account is required to use Oxolo. In a B2B context, users may be invited by a customer, administrator or authorized team lead. In addition, business self-registration may be possible.
Upon registration and login, we process in particular:
name, business email address, telephone number, company, role, team/organization affiliation and permissions;
password or password hash, one-time passwords (OTP) and other authentication information;
verification status, time of registration, login and security events, IP address, device and browser information;
profile details, user preferences, settings, language, organization and project assignments;
invitations, roles, permissions, project memberships and administrative actions.
The purposes are registration, identity verification, login, provision of the user account, management of organizations and teams, rights and role concept, security, abuse prevention, support and contract performance. The legal bases are Article 6(1)(b) GDPR for contract performance and pre-contractual measures, as well as Article 6(1)(f) GDPR for security, abuse prevention, ability to demonstrate and stable product provision.
Login currently takes place via email address, password and/or telephone number. Authentication and account data are generally processed for as long as the user account or the contractual relationship exists and beyond that, insofar as this is necessary for security, legal obligations, legal enforcement or evidentiary purposes.
Authentication and account management are carried out systemically with an SMS one-time password for account verification; the precise processing region is set out in Annex 3 of the data processing agreement.
7. Contact After Registration, Contract Communication, Contract Initiation and Legal Updates
If a user registers, provides a telephone number or email address, creates an account, requests a demo, trial, product information or an offer, or otherwise makes recognizable business contact with Oxolo, we may use these contact details to contact them by telephone or email in the course of contract initiation. This includes in particular follow-up questions on registration, qualification of the business need, explanation of the Oxolo functions, product demonstrations, onboarding, references to suitable paid plans, licenses, modules or offers, as well as the preparation of a contract conclusion.
After a registration, we may contact registered users, customer administrators, account owners, relevant billing contacts and invited users by email or telephone, insofar as this is necessary to discuss an existing or potential contract, a subscription, a trial, an order, onboarding, product use, support, product advice, contract initiation, contract extension or contract performance.
This contact does not serve general advertising without a legal basis, but rather the initiation, performance, extension or support of a concrete B2B contractual or usage relationship. The legal basis is Article 6(1)(b) GDPR insofar as the communication is necessary for contract performance or for the performance of pre-contractual measures. Insofar as we contact authorized B2B contact persons, Article 6(1)(f) GDPR may additionally apply. Our legitimate interest lies in efficient B2B contract initiation, customer support, product advice, license marketing and product provision.
Insofar as the contact, beyond the immediate contract performance or concrete contract initiation, also has an advertising character, in particular in the case of active outreach regarding paid plans, additional licenses, modules, upgrades or similar products, this takes place in a B2B context only in accordance with the applicable advertising-law requirements, in particular Section 7 of the German Act Against Unfair Competition (UWG). Telephone outreach to other market participants requires at least presumed consent; email marketing generally requires consent or a legally permissible existing-customer situation. You may object to advertising contact at any time with effect for the future.
We may inform customer administrators, account owners, billing contacts and, insofar as necessary, affected users by email about legal, contractual or security-relevant changes, in particular about changes to the GTC, the data processing agreement, this Privacy Policy, security information, price/subscription information or product-related mandatory information. The legal bases are Article 6(1)(b) GDPR, Article 6(1)(c) GDPR and Article 6(1)(f) GDPR. For general communication we may use team@oxolo.com; please direct data protection requests to gdpr@oxolo.com.
8. Subscriptions, Payment Processing and Invoicing Data
When a customer, administrator, account owner or user orders, manages or pays for paid Oxolo services, we process the contract, billing and payment data necessary for this. This may include in particular: name, business contact details, company, billing address, value-added tax or tax information, order and subscription data, plan, term, seats, prices, invoice status, payment status, transaction identifiers, IP address and technical payment metadata.
Depending on the chosen payment method, processing takes place via invoice, Stripe, the Apple App Store or Google Play, or another payment channel supported by Oxolo.
For payments via Stripe, we use Stripe Payments Europe, Limited, Ireland. Stripe may process payment data both as a processor and, for its own legal, regulatory, security and fraud-prevention purposes, as an independent controller. Oxolo generally does not receive complete credit-card data, but rather payment and transaction information that is necessary for subscription management, invoicing, accounting, abuse prevention and contract performance.
If a subscription is concluded via the Apple App Store or Google Play, the payment processing is carried out by Apple or Google under their own responsibility. Oxolo generally receives from Apple and Google only the information necessary to verify and manage the subscription, such as transaction identifiers, product/plan information, term, status and technical confirmation information.
The legal bases are Article 6(1)(b) GDPR for contract performance and billing, Article 6(1)(c) GDPR for tax, commercial and accounting obligations, and Article 6(1)(f) GDPR for receivables management, fraud prevention and evidentiary purposes.
9. Use of the Oxolo Product and Customer Content
Oxolo is B2B software for digital project, deployment, construction-site and field documentation. Depending on the booked or activated scope of functions, customers and users can enter, upload, record, structure, analyze, share data and have it transferred into reports or other outputs.
In doing so, the following categories of personal data may in particular be processed:
audio recordings, voice data, transcripts, speaker assignments and, insofar as activated or used, voice profiles or voiceprints;
photos, videos, evidence files, image/video metadata, project images, avatar images and other uploads;
project, construction-site, organization, customer, team and role information;
tasks, variations, delays, reports, logs, signatures, sharing links, download and export information;
AI-generated content such as summaries, titles, tasks, tags, descriptions, translations, report suggestions or other structured outputs;
usage, security, audit and activity data, insofar as they are necessary for operation, security, rights management, support, traceability or compliance.
Insofar as it concerns Customer Content, the processing is generally carried out on behalf of the respective customer and on its instructions. The purposes are in particular the provision of the Oxolo functions, project and construction-site documentation, transcription, speaker assignment, report creation, task and variation management, collaboration, sharing, export, support, security and contract performance. The legal basis on the part of Oxolo as a processor is the contract with the customer including the data processing agreement. Insofar as Oxolo processes its own account, security, support or operational data, the legal bases stated in this Privacy Policy apply.
Customers and users are responsible for ensuring that they have the necessary rights, notices, legal bases and, insofar as necessary, consents for personal data that they upload, record or otherwise have processed in Oxolo. This applies in particular to persons whose voice, image, location, signature or other personal data are contained in construction-site, project or communication content.
10. Audio Recordings, Transcription and Speaker Recognition
When users create or upload audio recordings, Oxolo processes the audio data in order to create transcripts, summaries, speaker assignments, tasks, reports and other project-relevant outputs. Audio data may be captured and processed via mobile apps, the web application or connected communication channels.
For transcription and speech processing, Oxolo may use specialized service providers, in particular AssemblyAI for transcription and Pyannote.ai for speaker diarization, speaker identification and, insofar as activated or used, voiceprint functions. Streaming transcription is carried out via the AssemblyAI EU endpoint; the downstream batch/diarization processing is carried out via an AssemblyAI endpoint in the USA. For the transfer to the USA we use appropriate safeguards under Article 46 GDPR, in particular EU Standard Contractual Clauses and – insofar as certified – the EU-US Data Privacy Framework. Further details are contained in the data processing agreement.
Audio recordings and transcripts are, as Customer Content, generally processed for the duration of the contract or on the instructions of the customer, unless a deletion, anonymization, legal obligation, legal hold, security requirement or deviating contractual provision applies.
The user who starts or uploads a recording is responsible for properly informing data subjects and, insofar as necessary, for ensuring their consent or another appropriate legal basis. This applies in particular when the voices of employees, subcontractors, customers, visitors or other third parties are recorded.
11. Voiceprints and Biometric Speaker Recognition, Insofar as Activated or Used
Insofar as voiceprint-based speaker recognition is activated or used, Oxolo may process voice profiles in order to re-recognize speakers in later recordings. Voiceprints are biometric data for the unique identification of a natural person and thus special categories of personal data within the meaning of Article 9(1) GDPR, insofar as they are or can be used for unique identification.
11.1 An identity is the assignment of a speaker name to one or more voiceprints. A voiceprint is a technical or numerical representation of a voice sample. When a user registers their voice again, a new voiceprint can be added to the existing identity; this does not necessarily replace the previous voiceprint. In speaker recognition, the voiceprint with the highest match may be decisive.
Voiceprints are isolated on an organization-specific basis and are not used across organizations for speaker recognition. Automatic speaker recognition (auto-enrollment) is activated by default on the organization side (opt-out model). As long as a customer administrator has not deactivated this function, speakers in a recording whose voice is not already assigned to a registered identity are automatically created as a new identity with an anonymized placeholder label (e.g. "Speaker b74bj73") and a voiceprint is generated for them. An authorized user of the customer can later name or delete this identity. Customers can deactivate auto-enrollment in the organization settings at any time.
11.2 With a user's own registration for speaker recognition, the processing is generally based on the explicit consent of the data subject, Article 9(2)(a) GDPR as well as Article 6(1)(a) GDPR. The consent must be freely given, informed, explicit and demonstrable. Users may generally withdraw a consent with effect for the future.
In the case of voices of persons who are not users themselves or who do not themselves register a voice profile in the product – including speakers automatically captured within the framework of the function described above – the customer or the recording user is responsible for obtaining and documenting the necessary notices, legal bases and, insofar as necessary, explicit consents outside the product. Oxolo generally processes such data as a processor in relation to the customer.
11.3 When a voiceprint is deleted, the voiceprint and the associated source audio are removed. Deletion occurs in particular in the following cases:
The user deletes their own voiceprint via the app;
The user is removed from an organization; in this case, the user's own voiceprints in that organization are deleted;
The account is deleted or archived;
The organization owner deletes an identity via the settings;
A speaker is marked as "noise".
Transcripts, original recordings and audit-trail data, however, are retained as Customer Content or compliance data, insofar as they are not deleted separately or a deviating instruction, legal obligation or contractual provision applies. Old transcripts may therefore continue to contain the name displayed at the time; new recordings may, after deletion, display anonymized speaker labels.
12. Photos, Videos, Uploads, EXIF/GPS Metadata and Signatures
Depending on the activated function, users can capture or upload photos, videos, evidence files, project images, avatar images, signatures and other files in Oxolo. These data are processed in order to create project and construction-site documentation, manage evidence, generate reports, share content and provide product-related workflows.
Uploaded images or videos may contain metadata, for example date, time, device information, camera settings, location data or other EXIF/GPS metadata. Metadata is currently not removed on the server side. Users and customers should therefore check which files they upload and whether metadata must be removed before upload.
In relation to customer content, the legal basis is generally the commissioned processing on the instructions of the customer. Insofar as Oxolo pursues its own operational or security purposes, Article 6(1)(b) and (f) GDPR may apply.
13. Location Data and Mobile Permissions
The Oxolo iOS and Android apps may request certain device permissions. Permissions are generally only requested if they are necessary for a specific function or are required by the operating system.
| Permission / Data Category | Purpose | Note |
|---|---|---|
| Microphone / Audio | Recording of audio documentation, transcription and report creation. | Core function for recordings. Without authorization, the recording function cannot be used. |
| Camera and Photos / Media Library | Capture and upload of photos, videos and evidence files. | Optional depending on the function. Uploads may contain EXIF/GPS metadata. |
| Location Data | Tagging of recordings or evidence with the construction-site/project location and support with project assignment. | Optional and only when a relevant function is activated. Location data may include GPS coordinates and derived place names. |
| Storage / Files | Export or storage of reports, images or other files on the end device. | Optional depending on the operating system and function. |
| Biometric device lock such as Face ID / fingerprint | Local unlocking of the app, if activated by the user. | Oxolo generally does not receive any biometric raw data from the device; the verification takes place via the operating system. |
| Speech recognition / local system services | Possible local speech-recognition or operating functions, insofar as provided by the device. | The primary transcription takes place via cloud service providers. |
Depending on the function, the legal bases are Article 6(1)(b) GDPR for the provision of the desired product function, Article 6(1)(a) GDPR for consent-requiring device or tracking functions, and Article 6(1)(f) GDPR for security and operational purposes. App permissions can be managed in the operating system settings.
14. AI Processing and Automatically Generated Content
Oxolo uses AI functions to generate from Customer Content, for example, transcripts, summaries, tasks, variations, delays, report suggestions, translations, tags, image descriptions, project context or other outputs. AI-generated content may be incomplete, erroneous or misleading and must be reviewed by the user.
For AI-supported text and image processing, large language models (LLMs) are used. A current overview of the AI service providers deployed is contained in Section 22. Oxolo does not use Customer Content to train its own AI models. Oxolo furthermore does not process Customer Content to train the large language models provided by third parties, insofar as this is excluded under the relevant product and contractual terms of these third-party providers. Use of Customer Content for product improvement by Oxolo takes place only if the customer has expressly activated the corresponding system setting, and only within the framework of the contractual agreements and applicable data-protection requirements.
15. WhatsApp Cloud API
Insofar as a customer activates or uses the WhatsApp function, users or end users can interact with Oxolo workflows via WhatsApp. In doing so, in particular telephone numbers, WhatsApp profile information, message content, media, attachments, timestamps, technical delivery information, template variables and assignments to customer, workspace, project or workflow contexts may be processed.
The purposes are the provision of the respective WhatsApp workflow, the import of messages and media into Oxolo, assignment to projects or customer contexts, handling of user requests, notifications, documentation and support. In relation to Customer Content, the legal basis is regularly the commissioned processing on the instructions of the customer. Insofar as Oxolo pursues its own operational, security or support purposes, Article 6(1)(b) and (f) GDPR may apply.
WhatsApp is provided by Meta. When WhatsApp is used, Meta processes personal data in accordance with its own terms and privacy notices. Customers and users should inform data subjects about the use of this channel and check whether WhatsApp is suitable for the specific communication content. Further information on the use of WhatsApp is available at https://www.whatsapp.com/legal/privacy-policy-eea. For WhatsApp Business, the information can be viewed at https://www.whatsapp.com/legal/business-data-processing-terms.
16. Support, Live Chat and Other Communication
When you contact us or request support, we process the data you transmit. This may include in particular name, business email address, company, user account, message text, attachments, screenshots, technical information, product context, browser/device data, timestamps, communication history and support status.
The purposes are the handling of your request, error analysis, customer support, contract performance, internal documentation, quality assurance and security review. The legal bases are Article 6(1)(b) GDPR insofar as the communication is necessary for contract performance or pre-contractual communication, as well as Article 6(1)(f) GDPR. Our legitimate interest lies in efficient B2B support, error resolution and customer satisfaction.
17. Email Dispatch, Transactional Messages and Postmark
Oxolo may send emails that are necessary for registration, verification, account management, security, invitation, billing, contract performance, support, product use or for legal updates. For this purpose, Oxolo may use email service providers such as Postmark.
In particular, the email address, name, company, language, content of the message, technical dispatch information, delivery status, open/click information, insofar as technically necessary and legally permissible, and timestamps are processed. The legal bases are Article 6(1)(b) GDPR, Article 6(1)(c) GDPR and Article 6(1)(f) GDPR.
18. Newsletter
When you sign up for the newsletter, we process your email address, where applicable name, company, role, language, time of sign-up, time of confirmation, IP address, consent status and unsubscribe status.
Sign-up takes place via a double-opt-in procedure. After signing up, you receive a confirmation email and are only added to the newsletter distribution list after confirmation. Every newsletter contains an unsubscribe option. The legal basis is your consent under Article 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future.
Insofar as newsletter emails contain tracking pixels or click tracking, we use these only insofar as there is a valid legal basis for this and the function is transparently described.
19. Social-Media Profiles
Oxolo maintains presences on:
LinkedIn (https://www.linkedin.com/company/oxoloai/);
Facebook (https://www.facebook.com/oxoloAI);
Instagram (https://www.instagram.com/oxoloai/); and
YouTube (https://www.youtube.com/@oxoloAI).
When you interact with our profiles, for example by following, commenting, liking, sharing, direct messages or viewing our content, we may process the profile data and communication content visible in the process.
The purposes are corporate communication, B2B marketing, relationship management, handling of messages, evaluation of the reach of our content and public relations. The legal bases are Article 6(1)(f) GDPR and, insofar as you send us a message or make a concrete request, Article 6(1)(b) GDPR. The platform providers additionally process data under their own responsibility in accordance with their respective privacy notices.
With page statistics or comparable insights functions, depending on the platform, joint controllerships or independent controllerships of the platform providers may exist. Further information can be found in the privacy notices of the respective platform.
20. Product Analytics, Security, Error Analysis, Attribution and Logs
To provide, secure and improve Oxolo, we process usage, security, system, attribution and error data. This may include in particular user ID, organization ID, project ID, timestamps, IP address, device and browser information, app version, feature usage, event logs, error messages, performance data, crash reports, API usage, campaign parameters, installation data, audit events and similar technical information.
For this purpose we use, among others:
PostHog (EU instance, eu.i.posthog.com) for product analytics, feature analysis, website/product usage events, funnel evaluation and feature flags;
Sentry (DE instance, ingest.de.sentry.io) for error, crash and performance analysis;
AppsFlyer for mobile attribution, campaign measurement, installation and conversion attribution in the mobile apps.
The purposes are system security, error resolution, abuse detection, product stability, product improvement, support, campaign measurement and the ability to demonstrate. The legal basis is Article 6(1)(f) GDPR insofar as the processing is technically necessary or necessary for security/operational purposes. For non-necessary analytics, marketing, attribution or tracking functions, we obtain consent insofar as this is legally required.
Audit and security logs may be stored for longer insofar as this is necessary to fulfill legal obligations, for security, for abuse and fraud prevention, for demonstrability or for the assertion, exercise or defense of legal claims.
21. Google Fonts
Oxolo may use Google Fonts or comparable fonts to display the website or product interfaces. When fonts are hosted locally, there is generally no transmission to Google when the page is loaded. When fonts are loaded externally from Google servers, your browser may transmit technical data such as IP address, browser information, requested font and time of retrieval to Google.
22. Recipients, Service Providers and Subprocessors
We disclose personal data only insofar as this is necessary for the stated purposes, a legal basis exists or we are obliged to do so. Recipients may in particular be:
Hosting, cloud and infrastructure providers, in particular AWS and Supabase for product operation, as well as Framer for the oxolo.com landing page including the website scripts, hosted assets and lead/contact forms embedded there;
transcription, speaker-recognition and AI service providers, in particular AssemblyAI, Pyannote.ai, Anthropic Ireland Ltd. and – insofar as activated – OpenAI Ireland Limited;
email, support and communication service providers, in particular Postmark for transactional emails and in-app support, as well as HubSpot for CRM, lifecycle and marketing communication;
payment and subscription service providers, in particular Stripe, the Apple App Store and Google Play;
analytics, error, attribution and tracking service providers, in particular PostHog, Sentry, AppsFlyer, Google (including Google Ads and Google Tag Manager), Meta (limited to the landing page) and OneTrust;
Meta for the WhatsApp Cloud API, insofar as this function is activated or used;
Google Maps, insofar as location or map functions are activated or used;
Slack Technologies LLC, insofar as Slack is used as an accompanying communication channel;
tax advisors, legal advisors, auditors, authorities, courts and other bodies, insofar as this is legally required or necessary for legal enforcement.
Insofar as service providers process personal data on our behalf, we conclude appropriate agreements on commissioned processing. Insofar as providers act as independent controllers, their own data protection information additionally applies.
23. International Data Transfers
The core operation, in particular essential compute, database, authentication, embedding and AI processing, is designed to be EU-resident. Nevertheless, depending on the function, provider and configuration, data may be processed outside the European Economic Area.
Insofar as personal data are transferred to countries outside the European Economic Area for which no adequacy decision exists, we use appropriate safeguards under Article 46 GDPR, in particular EU Standard Contractual Clauses, supplementary measures, provider data processing agreements or other permissible transfer mechanisms, insofar as required. For transfers to the USA we additionally rely, insofar as the respective recipient is certified, on the EU-US Data Privacy Framework (adequacy decision of the EU Commission C(2023) 4745 final of July 10, 2023).
24. Retention Period and Deletion
We store personal data only for as long as this is necessary for the respective purposes. The specific retention period depends on the type of data, contract and customer settings, instructions of the customer, product functions, statutory retention obligations, security requirements, evidentiary interests, backup cycles, legal holds and the assertion, exercise or defense of legal claims.
For Customer Content, the following generally applies: The processing takes place during the contract term and on the instructions of the customer. Depending on the function, customers or authorized administrators can delete or export data or terminate its processing. After the end of the contract, we provide an export option for at least thirty (30) days, insofar as this is technically available and legally permissible. Thereafter, Customer Content is generally deleted or returned, insofar as no statutory retention obligations, legitimate evidentiary interests or deviating instructions conflict therewith. In all other respects, the provisions of the data processing agreement apply.
For voiceprints, the following applies: Voiceprints are deletable upon request or via a product function and are deleted upon account closure, account archiving, removal from an organization, deletion of an identity by the organization owner or marking as "noise". Transcripts, original recordings and audit-trail data may, however, persist as Customer Content or compliance data, insofar as they are not deleted separately or a deletion is not permissible or not provided for.
Account, contract, billing, payment and legal data may be stored beyond the end of the contract insofar as this is necessary for legal obligations, accounting, tax, legal enforcement, receivables management, security or evidentiary purposes. Accounting and tax data are regularly retained for the statutorily prescribed period.
25. Data Subject Rights
Under the GDPR, you have in particular the following rights:
right of access to the personal data concerning you;
right to rectification of inaccurate or incomplete data;
right to erasure of personal data;
right to restriction of processing;
right to data portability;
right to object to processing based on Article 6(1)(e) or (f) GDPR;
right to withdraw a consent given with effect for the future;
right to lodge a complaint with a data protection supervisory authority.
Please direct data protection requests to gdpr@oxolo.com. If your request relates to Customer Content for which an Oxolo customer is the controller, we may forward the request to the respective customer or refer you to that customer. We support customers within the framework of the data processing agreement in handling data subject requests.
An automated self-service interface for access or data-export requests is currently not available in the software. Requests are therefore handled manually via the data protection process. The statutory deadlines remain unaffected.
Automated decision-making, including profiling within the meaning of Article 22(1) and (4) GDPR, that produces legal effect concerning you or similarly significantly affects you does not take place within the framework of the processing carried out by Oxolo under its own responsibility. AI-supported functions such as transcription, speaker identification, summarization or report suggestions are technical aids; decisions with legal effect are made exclusively by the customer or its users.
26. Right to Object
Insofar as we process personal data on the basis of Article 6(1)(f) GDPR, you may object to this processing at any time on grounds relating to your particular situation. We will then no longer process the data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
Insofar as we process personal data for direct marketing, you may object to this processing at any time. Thereafter we will no longer process your data for this purpose.
An objection to direct marketing does not automatically end communications about legal, contractual or security-relevant updates that are necessary for contract performance, the fulfillment of legal obligations or the safeguarding of legitimate interests.
27. Security
We use appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration and disclosure. Depending on the processing, these include in particular access controls, role-based permissions, encryption in transit and at rest, logging, tenant separation, security monitoring, confidentiality obligations and processes for handling security incidents.
No system is absolutely secure. Users and customers must, for their part, take appropriate security measures, in particular use strong passwords, treat access credentials as confidential, manage permissions appropriately and inform Oxolo without undue delay of any suspected compromise of credentials or accounts.
Insofar as Oxolo acts as a processor, the respective data processing agreement contains further details on technical and organizational measures.
28. Changes to This Privacy Policy
We may amend this Privacy Policy if this is necessary due to changes in our services, our data processing, our providers, the legal situation or official or judicial requirements. We inform customer administrators, account owners, billing contacts and, insofar as necessary, affected users of material changes in an appropriate manner, in particular by email, in the product or on oxolo.com.
For legal updates, in particular changes to the GTC, the data processing agreement, this Privacy Policy, security-relevant notices or comparable mandatory information, we may process and use the contact data necessary for this. The legal bases are Article 6(1)(b), (c) and (f) GDPR.