Privacy Policy

Effective 2026-05-10

In plain words

We collect what we need to run your account and your displays, and nothing more. No third-party analytics, no ad tracking, no telemetry from the dashboards you render. You can export or delete your data whenever you want.

What we collect

  • Account: email address, password hash (argon2), organization name, verification and session timestamps.
  • Content: dashboards, widgets, backgrounds, and media assets you create or upload.
  • Devices: device name, pairing state, last-seen timestamp, assigned dashboard.
  • Billing: plan tier, subscription status, and an opaque Paddle customer ID. Card data never touches our servers — it's handled by Paddle (our Merchant of Record).
  • Operational logs: request metadata and error traces, retained for up to 30 days to debug and defend the service.

What we don't collect

  • No telemetry or analytics from rendered dashboards. We don't know what's on your screen.
  • No advertising identifiers or ad-network tracking. We don't sell data.
  • No persistent storage of the third-party payloads your widgets proxy (calendars, photos, JSON feeds) beyond short caches required to deliver them.

Cookies

We use a single encrypted session cookie (iron-session) to keep you signed in. No tracking cookies. No cross-site cookies. No third-party cookies are set by our application.

Third parties we rely on

  • Paddle: Merchant of Record for payment processing, subscription management, and EU VAT remittance.
  • Resend: transactional email (verification, password reset, billing receipts).
  • Hetzner: server and storage hosting inside the EU.
  • OpenPanel: privacy-friendly, self-hosted analytics (page views, outgoing link clicks). No cross-site tracking. Data stays on EU infrastructure we control.
  • Open-Meteo: weather data for the weather widget (requested server-side; no end-user identifiers sent).

Each vendor receives only the minimum data needed to perform its function.

Retention

We keep your data for as long as your account is active. When you delete your account, your content is removed from live systems immediately and purged from encrypted backups within 30 days. Billing records are retained for the period required by tax law (typically five to ten years, depending on jurisdiction).

Your rights

If you're in the EU, UK, or another jurisdiction with similar laws, you have the right to:

  • Access the personal data we hold about you.
  • Export your data in a portable format.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Object to or restrict certain processing.
  • Lodge a complaint with your local data protection authority.

Email privacy@ocupie.app to exercise any of these rights. We'll respond within 30 days.

Security

Passwords are hashed with argon2id. Sessions ride in encrypted, signed cookies. All traffic is served over TLS. Data at rest lives on encrypted volumes. We practice least-privilege access internally and log administrative actions.

No system is perfectly secure. If you believe you've found a vulnerability, please email security@ocupie.app.

Children

OCUPIE is not directed at children under 13, and we don't knowingly collect data from them. If you believe a child has created an account, contact us and we'll remove it.

Changes

We'll update this policy as the service evolves. Material changes will be announced by email or in-app notice before taking effect.

Contact

Privacy questions: privacy@ocupie.app.