1. Information We Collect
We adhere to the principle of “Data Minimization”:
- Account & Identity Information: Email address, encrypted password, and basic profile data.
- AI Interaction Data: Prompts you input, uploaded files, Auto-Task context, conversation history, and generated outputs.
- Integration & Authorization Data (Sensitive): When you authorize Octer.ai to connect with third-party applications (e.g., GitHub, Notion), we collect and securely store API Access Tokens or authorization credentials.
- Technical & Log Data: IP address, device identifiers, browser type, and interaction logs.
2. How We Use Your Information
- Core Service Operation: To parse instructions, coordinate multi-agent workflows, and execute long-running Auto-Tasks.
- AI Model Training & Optimization (Regional Strategy):
  - EEA, UK, and Switzerland Users: By default, your data is NOT used for training. We will only use your data for model improvement if you explicitly Opt-in via settings.
  - Other Regions: We may use de-identified data, protected by Differential Privacy mechanisms, to fine-tune our models. You may Opt-out of this at any time in your Privacy Settings.
- Security & Anti-Fraud: To monitor for anomalous API activity and protect against Prompt Injection attacks.
3. Data Sharing & Sub-processors
We do not sell your personal data. We only share information with trusted parties under strict confidentiality:
- LLM Providers: Such as OpenAI, Inc. or Anthropic, PBC. We utilize Zero Data Retention (ZDR) configurations through enterprise-grade Data Processing Agreements (DPA) to ensure these providers do not use your data to train their own models. For a full list, please see our Sub-processor Disclosure List.
- Cloud Infrastructure: Data is hosted on secure cloud platforms encrypted with TLS/SSL (in-transit) and AES-256 (at-rest).
4. Data Security & Technical Safeguards
- Confidential Computing: For highly sensitive credentials (API Tokens), we utilize hardware-level isolation (e.g., TEE or HSM-backed KMS) for key management.
- Task-Bound Tokens: During Auto-Task execution, we implement short-lived, scoped credentials to limit the “blast radius” of any session.
- Data Retention & Deletion:
  - Account Deletion: Upon account deletion, all personal data will be physically purged from our active databases and backup systems within 30 days.
  - Granular Deletion: You may delete specific task histories; associated vector indices will be rendered inaccessible and eventually overwritten.
5. Your Global Privacy Rights
Regardless of your location, we respect your rights to Access, Rectify, Delete, Restrict Processing, and Data Portability.
6. Regional Addenda
6.1 Mainland China (Applicable under PIPL)
- Separate Consent: For the processing of sensitive personal information (e.g., API Tokens) and cross-border data transfers, we will obtain your Separate Consent via distinct interface pop-ups.
- Next-of-Kin Rights: In the event of a user’s death, their next-of-kin may exercise the rights to access, copy, rectify, or delete the deceased user’s data for their own legitimate interests by contacting [email protected], unless otherwise arranged by the user before death.
6.2 European Economic Area (EEA) and UK (Applicable under GDPR)
- Legal Basis: We process data based on “Performance of a Contract” and “Legitimate Interests.” Training is based strictly on “Consent.”
6.3 South Korea (Applicable under PIPA)
- Immediate Destruction: We guarantee the destruction of personal data within 5 business days of the retention period expiring or the fulfillment of the processing purpose.
6.4 Japan (Applicable under APPI)
- Cross-border Transfer Disclosure: We ensure that any overseas third party receiving personal data maintains a system for personal information protection that meets APPI standards.
7. Third-Party Platform SDKs
To power Auto-Task automations across social platforms, Octer.ai integrates with official SDKs and APIs provided by Instagram, Facebook, TikTok, and X (formerly Twitter). These integrations are activated only when you explicitly authorize a given platform via OAuth, and you may revoke access at any time from the platform’s connected-apps settings or from your Octer.ai Integrations panel.
7.1 Instagram (Instagram Graph API / Meta Business SDK)
- Purpose: Publishing posts, Reels, and Stories; reading insights and comments for connected Instagram Business or Creator accounts.
- Data Exchanged: OAuth access tokens, account ID and handle, media assets you instruct Octer.ai to publish, and aggregated engagement metrics returned by Meta.
- Retention: Access tokens are stored inside our HSM-backed KMS and refreshed per Meta’s token lifecycle. Revocation propagates within 24 hours.
- Reference: Instagram Privacy Policy.
7.2 Facebook (Facebook Graph API / Meta Business SDK)
- Purpose: Managing Pages you administer — scheduling posts, reading comments and messages, and retrieving Page-level analytics.
- Data Exchanged: OAuth tokens scoped to the permissions you grant (e.g., pages_manage_posts, pages_read_engagement), Page IDs, post content you author, and insight data returned by Meta.
- Use Limitations: We comply with the Meta Platform Terms and Developer Data Use Policy. We do not sell Meta Platform Data, nor use it for advertising or profiling outside of the features you activate.
- Reference: Meta Privacy Policy.
7.3 TikTok (TikTok for Developers / Content Posting API)
- Purpose: Uploading videos to your connected TikTok account, reading basic profile data, and retrieving post-level analytics where authorized.
- Data Exchanged: OAuth tokens, open_id and union_id, display name and avatar, video files and captions you submit, and returned performance metrics.
- Regional Handling: TikTok processes content subject to its own regional data residency (e.g., Project Clover for EEA users, Project Texas for US users). Octer.ai does not control TikTok’s downstream storage.
- Reference: TikTok Privacy Policy.
7.4 X (X API v2, formerly Twitter)
- Purpose: Posting Tweets, reading your timeline and mentions, and pulling engagement data for accounts you connect.
- Data Exchanged: OAuth 2.0 tokens with PKCE, user ID and handle, Tweet content you publish, and response payloads from the X API.
- Use Limitations: We adhere to the X Developer Agreement and Policy, including restrictions on off-X matching and redistribution of X Content.
- Reference: X Privacy Policy.
Your Control: At any time you may disconnect a platform from your Octer.ai Integrations panel. Upon disconnection, we immediately revoke the stored token, purge associated task state, and stop all outbound calls to that platform on your behalf.
8. Policy Changes
For material changes affecting your rights or data sharing practices, we will provide at least 30 days’ notice via email or prominent in-app notification. Continued use after the effective date constitutes acceptance of the revised policy.
9. Contact Us
For questions regarding this policy, your rights, or AI data boundaries: