Privacy Policy
Last updated: January 2026
oklido ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our document management platform.
1. Introduction
This Privacy Policy applies to the oklido service and website. By using oklido, you consent to the practices described in this policy.
Data Controller: oklido Ltd, United Kingdom
Contact: privacy@oklido.com
2. Information We Collect
We collect information that you provide directly to us, including:
Account Information
- Name and email address
- Password (stored securely hashed)
- Company or organisation name
- Job title or role
Documents and Content
- Documents and files you upload to the platform
- Document metadata (names, types, dates)
- Information extracted by our AI for classification
Usage Information
- How you interact with the service
- Features you use
- Time and duration of access
Technical Information
- IP address
- Browser type and version
- Device information
- Operating system
Communications
- Support requests and feedback
- Email correspondence with us
3. How We Use Your Information
We use the information we collect to:
| Purpose | Legal Basis |
|---|---|
| Provide and maintain the service | Contract performance |
| Process and manage your documents | Contract performance |
| Send technical notices and updates | Contract performance |
| Respond to your questions and requests | Contract performance |
| Improve and develop the service | Legitimate interest |
| Detect and prevent fraud and abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Send marketing (with consent) | Consent |
4. Data Security & Encryption
We implement comprehensive security measures to protect your data:
Encryption at Rest
- All documents encrypted using AES-256-GCM
- Per-user key wrapping via AWS KMS
- Database encryption enabled
Encryption in Transit
- TLS 1.3 for all data transmission
- HTTP Strict Transport Security (HSTS)
- Perfect Forward Secrecy enabled
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) support
- Comprehensive audit logging
Key Management
- AWS Key Management Service (KMS)
- Automatic key rotation
- Secure key storage in HSMs
5. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days |
| Documents | Until deleted + 30 day recovery period |
| Audit logs | 7 years |
| Billing records | 7 years |
| Support tickets | 3 years |
Configurable Retention
You can configure document retention settings:
- Choose retention period for deleted documents (7-90 days)
- Permanently delete documents immediately
- Export data before deletion
Account Deletion
When you delete your account:
- Personal information deleted within 30 days
- Documents permanently deleted
- Some data retained for legal compliance
6. Your Rights
Under GDPR and UK DPA 2018, you have the following rights:
Right to Access
Request a copy of all personal data we hold about you.
Right to Rectification
Request correction of inaccurate personal data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interest.
Right to Restrict Processing
Request limitation of how we use your data.
How to Exercise Your Rights
- Self-service: Settings → Data Export
- Email: privacy@oklido.com
- Response time: Within 30 days
7. Cookies and Tracking
We use cookies and similar technologies to:
- Keep you signed in
- Remember your preferences
- Understand how you use the service
- Improve the service
Cookie Types
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security | Session |
| Functional | Preferences, settings | 1 year |
| Analytics | Usage understanding | 1 year |
Managing Cookies
You can control cookies through:
- Browser settings
- Our cookie preferences (when implemented)
8. Third-Party Services
We use third-party services to provide our service:
| Provider | Purpose | Data Shared |
|---|---|---|
| AWS | Hosting, storage | Encrypted documents |
| Auth0 | Authentication | Email, name |
| Stripe | Payments | Billing information |
All providers are bound by data processing agreements and meet our security standards.
9. International Transfers
All primary data processing occurs in the UK (AWS London).
When data is processed outside the UK/EU, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreement
- Adequacy decisions where applicable
10. Children's Privacy
oklido is not intended for children under 16. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
12. Contact Us
If you have questions about this Privacy Policy:
- Email: privacy@oklido.com
- Address: oklido Ltd, United Kingdom
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority:
Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Phone: 0303 123 1113