Our GDPR policy

How we’re complying with the EU General Data Protection Regulation (GDPR)

GDPR, T&Cs and more

As we are based in Spain, which is in the European Union, we are regulated by the EU General Data Protection Regulation (GDPR). We are fully compliant with the GDPR.

Data Processor and Data Controller Roles

When we process personal data that you and your users provide to us when using OYA we are your data processor and you are our data controller. Our Data Processing Agreement (pdf) will govern the roles and responsibilities of each party when processing personal data.

When any individual uses our website, diagnostic or learning chat system, we will be collecting some personal data from them for our own purposes and will be a data controller in relation to this data collected, for example when we use your email address to inform users of updates to our services or website. We will be acting as a data controller in relation to users, and the terms of our Privacy Policy will apply to our use of such personal data as a controller.

Summary of Processing as a Data Processor

  1. We use data from your users solely for reasons directly related to providing the core features of OYA. We do not use any personal data from your users for marketing, profiling or similar purposes. Data collected is limited to email address, full name, company, role, browser user agent string, and HTTP referrer. IP address, browser user agent string, and HTTP referrer are used solely as a technical aid to help prevent spam and service misuse.

  2. OYA has “right to be forgotten” procedures in place. We automatically and fully delete a user’s data upon request.

  3. When a customer’s data is deleted, all interactions, comments, email addresses, names, and metadata are deleted. The only customer data we keep long term after cancellation is the data to meet our legal requirements such as a record of all invoices and payments.

  4. We take all reasonable steps to ensure the reliability of any personnel who have access to personal data. We have in place all reasonable technical and organisational measures to keep all personal data confidential and secure and to protect personal data against accidental loss or unlawful destruction, alteration, disclosure or access.

  5. OYA is primarily hosted on Digital Ocean’s cloud infrastructure. We regularly perform audits to ensure we are following recommended security guidelines for data protection. Digital Ocean Privacy Policy.

  6. We store production data solely within the European Union.

Summary of Data Collection and Processing as a Data Controller

Data collected on our public website (“marketing site”)

On our website we use Google Analytics to help us understand, in anonymised form, how the site is being used. Google Privacy Compliance Policy

Our public website is hosted on SquareSpace. SquareSpace Privacy Policy

Our support emails are managed by Google Workspace (formerly called Google G Suite). Google Workspace Privacy FAQ

Data collected from users of our application

When you create an account on OYA we store your IP address, browser user agent string, and HTTP referrer. We do this so we can detect when people try to abuse the service. This information is stored in our database, which is hosted on AWS, using the Ireland data region, and is not shared with other services.

We send transactional emails to registered users of OYA via the email delivery service Postmark, which is operated by Wildbit LLC. Wildbit Privacy Policy

When you opt in to our newsletter, we supply your email address to the email newsletter service MailerLite. MailerLite Privacy Policy

OYA offers several optional integrations. When you enable an integration, your data will be shared with the integrated service only to the minimum extent necessary to provide the functioning integration.

Data collected from your users on our application

When your users interact with OYA, we store your user’s name, email address, associated company and Slack ID. This data is used to perform the functions of OYA’s service, including preventing spam and service misuse.

Diagnostic responses are collected and stored within SurveyMonkey.com. SurveyMonkey privacy policy.

User information is stored in our database, which is hosted on Digital Ocean within Europe.

Financial transaction information collected

If you become a paying customer, you will need to provide us and Stripe, our payment partner, with valid billing information. We will be able to see your name, billing address, email address, and VAT number (if you have provided one). We are not able to see your credit card number.

As you would expect of any business, we share transaction data with our accountants and with the relevant tax authorities when we pay VAT and file our annual tax return.

In addition, we use the business analytics service ChartMogul for internal business analysis. They also have details of customer purchasing history.

Need more information about OYA and the GDPR? Write to info@oya.team.