Privacy Policy

Short version We collect what we need to run the product (your account, your site's public crawl data, bot-event logs), we don't sell anything to anyone, we encrypt data in transit and at rest, and you can export or delete your data at any time by emailing hello@ooky.ai.

1. Who we are

Ooky is a product of CloudWeld LLC ("CloudWeld", "we", "us"). We operate the ooky.ai marketing site, the Ooky web application, and the edge infrastructure that serves structured brand intelligence to AI bots.

For privacy questions, the data controller of record is CloudWeld LLC. Reach us at hello@ooky.ai.

2. What we collect

Account and billing data

When you create an account we store:

Your name, work email, and (via Firebase Authentication) a password hash or federated identity token.
Your organization name, role, and team membership.
Billing contact details and subscription status. Payment card data is handled by our payments processor — we never see or store it.

Product usage data

Domains you connect, crawl settings, declared facts, and generated brand intelligence.
Crawled pages from domains you explicitly add — public content only, fetched with a standard user agent, respecting robots.txt.
Audit logs of actions inside your workspace.

Edge / bot-event data

The Ooky Cloudflare Worker sits on your domain and logs requests from AI bots (GPTBot, ClaudeBot, PerplexityBot, Google-Extended, etc.). For each bot request we record:

Timestamp, path requested, user agent, and the response Ooky served.
A hashed IP prefix for abuse detection. We do not store full IPs.
No human traffic is logged by Ooky — the worker passes human requests through to your origin unchanged.

Marketing-site data

When you visit ooky.ai we collect standard analytics events and basic device info (browser, OS, referrer). If you submit a form (contact, demo, newsletter) we collect the fields you fill in. See Sub-processors for the exact tools.

3. How we use it

Run the product — authenticate you, generate and serve intelligence, operate the edge.
Bill you — process subscriptions, issue invoices, prevent fraud.
Support you — respond to questions, debug issues, send service-related emails.
Improve the product — aggregated usage metrics to prioritize features.
Comply with law — meet tax, accounting, and legal-request obligations.

We do not sell personal data, share it with data brokers, or use your declared intelligence or crawl data to train third-party AI models.

4. Legal basis (GDPR)

If you're in the EU or UK, we rely on the following legal bases:

Contract — to deliver the service you signed up for.
Legitimate interests — to secure our systems, prevent abuse, and improve the product.
Consent — for non-essential analytics, marketing cookies, and marketing email. You can withdraw consent at any time.
Legal obligation — to comply with tax, accounting, and law-enforcement requirements.

5. Sub-processors and third parties

We use the following service providers to run Ooky. Each is contractually bound to process data only on our instructions and to industry-standard security terms.

Provider	Purpose	Data handled	Region
Google Cloud Platform	Application hosting, managed Postgres, object storage, Vertex AI / Gemini for intelligence generation.	Account data, crawl data, generated intelligence.	US / EU
Firebase (Google)	Authentication (sign-up, sign-in, password reset, SSO).	Email, password hash or federated token, sign-in metadata.	US
Cloudflare	Edge Worker, R2 object storage, KV, CDN, DDoS and bot-abuse protection, WAF, form spam prevention (Turnstile).	Request metadata, hashed IP prefixes, served intelligence payloads.	Global edge
Stripe	Subscription billing, payment processing, invoicing.	Billing contact, payment-method token, invoice history. Card data stays with Stripe.	US / EU
HubSpot	CRM, sales and marketing communications, contact and demo form handling.	Name, work email, company, message content, marketing-consent state.	US / EU
Google Analytics 4 & Google Tag Manager	Marketing-site traffic analytics and conversion measurement.	Pseudonymous visitor IDs, page views, referrer, device metadata.	US
Transactional email provider	Verification, password-reset, billing receipts, service notifications.	Email address and message content.	US / EU

A current list lives at ooky.ai/subprocessors (coming soon). We notify customers in advance when we add or change a sub-processor that touches customer data.

6. Cookies and tracking

Ooky uses three categories of cookies and similar technologies:

Strictly necessary — authentication session, CSRF tokens, Cloudflare security cookies. These are set without consent because the product can't work without them.
Analytics — Google Analytics 4 and Google Tag Manager, on the marketing site only. Loaded only after you accept in the cookie banner.
Marketing — HubSpot tracking for attribution on demo and contact forms. Loaded only after you accept in the cookie banner.

You can change or withdraw your cookie choices at any time by clicking "Cookie preferences" in the footer.

We honor the Global Privacy Control (GPC) signal: if your browser sends it, we treat it as an opt-out of sale/sharing under CCPA and as a rejection of non-essential cookies.

7. Security

TLS 1.2+ everywhere. No plaintext traffic.
Data at rest encrypted with provider-managed keys (GCP CMEK, Cloudflare R2 SSE).
Least-privilege access; admin actions logged and reviewed.
Secrets managed via Google Secret Manager and Cloudflare secret bindings, rotated on incident.
Payment data never touches our servers — it goes directly to Stripe via their hosted forms.

Report a security issue to security@ooky.ai. We appreciate coordinated disclosure.

8. Data retention

Account data — retained for the life of your account, plus 90 days after deletion for recovery purposes.
Crawled pages and generated intelligence — retained while your domain is active; removed within 30 days of domain disconnection.
Bot-event logs — retained 13 months for trend analytics, then aggregated.
Invoices and tax records — retained 7 years, as required by law.
Marketing-site analytics — GA4 default of 14 months; HubSpot per your cookie choices.

9. Your rights

Under GDPR, UK GDPR, CCPA, and similar laws, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate data.
Delete your data ("right to be forgotten").
Export your data in a portable format.
Object to or restrict certain processing.
Opt out of sale/sharing (we don't sell, but you may opt out of marketing tools).
Lodge a complaint with a supervisory authority.

To exercise any of these, email hello@ooky.ai. We respond within 30 days.

10. International transfers

Our systems are hosted in the United States and the European Union, with edge processing on Cloudflare's global network. When we transfer personal data out of the EU/UK, we rely on the EU Standard Contractual Clauses (and the UK addendum) and the EU-US Data Privacy Framework where applicable.

11. Children's privacy

Ooky is a B2B product not directed at children. We don't knowingly collect personal data from anyone under 16. If we learn we have, we'll delete it.

12. Changes to this policy

We'll post any changes here with a new "Last updated" date. If the change is material, we'll also email account holders at least 30 days before it takes effect.

13. Contact

Privacy questions, data requests, complaints: hello@ooky.ai.

CloudWeld LLC — mailing address on request.