Privacy Policy

Effective: May 4, 2026

1. Information We Collect

We collect the following types of information:

• Account information: email address, name, and authentication credentials when you register
• Approval request data: action type, agent identifier, timestamps, classification tier (safe, warning, review, high_stakes), and your approve or deny decisions
• Action context: the description and parameters of each intercepted action, as provided by your agent at the time of the approval request. This is what enables you (and us) to see what the agent was attempting to do
• Device information: push notification tokens for delivering approval alerts to your devices
• Usage data: API call logs, dashboard access patterns, and feature usage for service improvement

2. How We Use Your Information

We use your information to:

• Operate the approval flow, including delivering notifications and recording decisions
• Maintain audit logs of all approval requests and responses
• Send you alerts via push notifications, email, or Telegram
• Improve and maintain the Service, including operational telemetry, debugging, and service health monitoring
• Improve our classifier and risk-scoring models using aggregated and de-identified approval data, action classifications, and denial patterns. We do not use the contents of action descriptions or parameters to train classifiers without your explicit opt-in
• Communicate important updates about your account or the Service

3. Data Storage and Retention

Approval requests, decisions, and audit logs are persisted in PostgreSQL hosted on AWS infrastructure within the EU and US regions. Pending requests are held open for up to five minutes while awaiting your decision. If no decision is received within that window, the request is recorded as timed out and the underlying action is denied.

We retain audit data for 3 years after your last account activity, after which it is automatically deleted unless we are required to retain it for legal reasons (such as an active investigation, dispute, or regulatory obligation). You may request earlier deletion at any time by contacting us, subject to legal retention requirements.

Account information is retained for as long as your account is active and for up to 90 days after deletion to allow for account recovery, after which it is permanently removed.

4. Data Sharing

We do not sell your personal information. We share data only with the following categories of recipients:

• Infrastructure sub-processors:
  • Amazon Web Services (AWS): hosting, compute, and database (US and EU regions)
  • Telegram (Telegram FZ-LLC): delivery of approval requests when you link a Telegram account
  • Browser push services (Apple Push Notification Service, Firebase Cloud Messaging, Web Push): delivery of push notifications to your devices
  • Email providers: transactional email for account notifications and approval alerts when configured
• Legal requirements: when required by law, legal process, or to protect our rights, property, or safety, or the rights, property, or safety of others

A current list of sub-processors is maintained at our contact address. We will notify registered users of material changes to our sub-processor list at least 30 days before the change takes effect, where feasible.

5. Our Role in Processing Your Data

OKed acts as a data controller for account information, billing data, and aggregated service-improvement data.

OKed acts as a data processor for action context (descriptions and parameters of intercepted actions) submitted by you when your agents call our API. You determine what data is included in those payloads. We process this data on your behalf to deliver the approval flow and maintain your audit trail.

If you are using OKed in a business context and require a Data Processing Agreement (DPA) for compliance with GDPR Article 28 or similar regulations, contact us at contact@oked.ai.

6. Security

We implement industry-standard security measures to protect your data, including encrypted connections (TLS), secure credential storage, and separated authentication for service and user access. Invalid device tokens are immediately removed to prevent misdelivery.

7. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate data
• Erasure: request deletion of your account and associated data
• Restriction: request that we limit how we process your data
• Portability: export your approval history via the API or dashboard in a machine-readable format
• Objection: object to processing based on our legitimate interests, including for service improvement
• Withdraw consent: where we rely on your consent, withdraw it at any time
• Revoke device tokens: at any time via the dashboard
• Lodge a complaint: if you are in the EU or UK, with your local data protection authority

To exercise any of these rights, contact us at contact@oked.ai. We will respond within 30 days.

8. International Data Transfers

OKed is operated from Israel, and our infrastructure is hosted on AWS in the United States and European Union regions. If you access the Service from outside these regions, your data will be transferred to and processed in these regions.

Where we transfer personal data of EU or UK residents outside of the EEA or UK, we rely on the European Commission's adequacy decision for Israel and on Standard Contractual Clauses with our sub-processors. Contact us if you would like more detail on the safeguards applicable to your data.

9. Cookies

We use minimal cookies for authentication and theme preferences. We do not use third-party tracking cookies.

10. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance.

11. Children's Data

OKed is not directed to individuals under 16 years of age, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Contact

Questions about this policy? Reach us at contact@oked.ai.