GDPR Compliance
oklido is fully compliant with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
Our Commitment
We are committed to protecting your personal data and being transparent about how we use it. We:
- Only collect data necessary for our service
- Process data lawfully, fairly, and transparently
- Keep data secure and confidential
- Respect your data protection rights
Legal Basis for Processing
We process personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the oklido service | Contract performance |
| Account creation and management | Contract performance |
| Processing payments | Contract performance |
| Customer support | Contract performance |
| Security monitoring | Legitimate interest |
| Product improvement | Legitimate interest |
| Marketing communications | Consent (opt-in) |
| Legal compliance | Legal obligation |
Your Rights
Under GDPR, you have the following rights:
Right to Access (Article 15)
You can request a copy of all personal data we hold about you.
How to exercise: Go to Settings → Data Export → Request Full Data Export
Right to Rectification (Article 16)
You can request correction of inaccurate personal data.
How to exercise: Update your profile in Settings, or contact support
Right to Erasure (Article 17)
You can request deletion of your personal data ("right to be forgotten").
How to exercise: Go to Settings → Account → Delete Account
Right to Data Portability (Article 20)
You can receive your data in a structured, machine-readable format.
How to exercise: Go to Settings → Data Export
Right to Object (Article 21)
You can object to processing based on legitimate interest.
How to exercise: Contact privacy@oklido.com
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data.
How to exercise: Contact privacy@oklido.com
Data We Collect
Account Data
- Email address
- Name
- Password (hashed)
- Authentication tokens
Usage Data
- Login times
- Features used
- Documents uploaded (metadata)
- API requests
Documents
- Files you upload
- Document metadata (titles, types)
- AI-extracted information
Technical Data
- IP addresses
- Browser type
- Device information
- Error logs
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days |
| Documents | Until deleted + 30 days |
| Audit logs | 7 years (legal requirement) |
| Support tickets | 3 years |
| Billing records | 7 years (legal requirement) |
International Transfers
Data Location
All oklido data is stored in the UK (AWS London region).
No International Transfers
We do not transfer personal data outside the UK/EEA unless:
- Required by law
- You explicitly consent
- Adequate safeguards are in place
Subprocessors
Some subprocessors may process data outside the UK/EEA. All have appropriate safeguards:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreements
Data Protection Officer
While a Data Protection Officer is not legally required due to our size, we have designated a privacy lead:
Email: privacy@oklido.com
Data Processing Agreement
Business customers may require a Data Processing Agreement (DPA). Our standard DPA:
- Covers GDPR Article 28 requirements
- Includes Standard Contractual Clauses
- Details security measures
- Outlines the subprocessor approval process
Request a DPA: compliance@oklido.com
Supervisory Authority
If you have concerns about our data processing, you can contact:
Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Phone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We encourage you to contact us first at privacy@oklido.com.
Updates to This Information
We review this page regularly. Material changes will be communicated via email.
Last updated: January 2026