Privacy Policy
Privacy Policy for octo.taxi
Last updated: March 2026
1. Controller
The controller responsible for data processing on this website is Octily GmbH. See Legal Notice for contact details.
2. Data We Collect
When you use octo.taxi, we collect and process the following personal data:
- Account data: Your email address and hashed password, collected during registration to create and manage your account.
- HR data: Cornerstone OnDemand data replicated via DEAPI, including employee records, learning data, and performance data that you choose to sync.
- Usage data: Basic analytics such as login timestamps, feature usage patterns, and device/browser type, collected via Supabase to improve the service.
- AI query data: When you use the AI-powered querying feature, your natural-language questions are sent to our AI processor for analysis (see Section 5).
- Payment data: If you subscribe to a paid plan, your payment details are processed directly by Stripe. We store only a reference to your Stripe customer ID and subscription status; we never store your credit card number.
3. Legal Basis for Processing
We process your data based on the following legal grounds under the General Data Protection Regulation (GDPR):
- Art. 6(1)(b) GDPR – Performance of a contract: Processing your account data, HR data, AI query data, and payment data is necessary for the performance of the contract between you and Octily GmbH (i.e., providing the octo.taxi service).
- Art. 6(1)(f) GDPR – Legitimate interest: We process basic usage analytics to maintain, improve, and secure our service. Our legitimate interest is ensuring a stable, performant, and user-friendly product. You may object to this processing at any time (see Section 8).
4. Minimum Age
You must be at least 16 years of age to use octo.taxi, in accordance with Art. 8 GDPR. The service is designed for use by authorized representatives of organizations and is not directed at children.
5. AI-Assisted Data Processing
When you use the "Ask AI" feature or the marketing chatbot, your natural-language questions are sent to Anthropic PBC (San Francisco, USA), which provides AI processing via the Claude API. Your questions may include employee names or other contextual information from your HR data. Anthropic processes these queries solely to generate responses and does not retain input or output data for model training, in accordance with their API Terms of Service. The legal basis for this processing is Art. 6(1)(b) GDPR (performance of contract). If you prefer not to have your queries processed by Anthropic, you may choose not to use the AI features — all other octo.taxi functionality remains fully available.
6. Third-Party Processors
We share your data with the following third-party service providers who process data on our behalf:
- Supabase Inc. – Database hosting, user authentication, and real-time data synchronization. Supabase hosts our data in the European Union (EU).
- Anthropic PBC – AI query processing via the Claude API. Anthropic is based in the United States and processes data under a Data Processing Agreement (DPA) with EU Standard Contractual Clauses (SCCs). Anthropic does not retain API inputs or outputs for model training.
- Vercel Inc. – Web application hosting, CDN, and edge functions. Vercel processes requests through its global edge network; primary data processing occurs in the EU region. Vercel operates under EU Standard Contractual Clauses (SCCs).
- Stripe Inc. – Payment processing for paid subscriptions. Stripe is based in the United States and operates under EU Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection for international transfers.
- Cornerstone OnDemand – HR data source. Data is replicated from your Cornerstone portal via their Data Extract API (DEAPI) based on your explicit configuration.
7. Data Retention
- Account data is retained for as long as your account is active. When you delete your account, all associated personal data is permanently removed within 30 days.
- HR data is retained for as long as your account is active and sync is enabled. You can delete synced data at any time through the application.
- AI query data is not retained by Anthropic after processing. Your recent queries are stored locally in your browser (see Section 11) and are never transmitted to our servers.
- Usage analytics are retained in aggregated, non-identifiable form and may be kept indefinitely for statistical purposes.
- Payment records are retained as required by applicable tax and accounting laws (typically 10 years under German law).
8. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and obtain a copy of that data.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data under certain conditions.
- Right to data portability (Art. 20 GDPR): You may request to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your personal data based on legitimate interest at any time.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe your data is being processed unlawfully.
To exercise any of these rights, please contact us at octily@octily.com.
9. Right to Withdraw Consent
Where processing is based on your consent (e.g., non-essential cookies), you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. You can manage your cookie preferences via the cookie consent banner displayed on your first visit. To delete your account and all associated data, please contact us at octily@octily.com.
10. International Data Transfers
Our primary database is hosted by Supabase in the European Union. AI query processing by Anthropic and payment processing by Stripe may involve data transfers to the United States, which are safeguarded by EU Standard Contractual Clauses (SCCs) in accordance with Art. 46(2)(c) GDPR. Vercel processes requests through its global edge network with primary data processing in the EU.
11. Cookies and Local Storage
octo.taxi uses only essential storage mechanisms. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
- localStorage – Authentication session token: Stores your Supabase authentication session. Strictly necessary for the functioning of the application.
- localStorage – Language preference: Stores your selected display language. Strictly necessary.
- localStorage – Chat session ID (octotaxi-chat-session-id): An anonymous UUID used to maintain chatbot conversation continuity. Contains no personal data. Persists until manually cleared.
- localStorage – AI query history (octo-taxi-ai-query-history): Stores your last 20 AI queries locally in your browser for convenience. This data never leaves your device and is not transmitted to our servers. You can clear it at any time via your browser settings.
- sessionStorage – Chatbot draft (chatbot-draft): Temporarily stores your in-progress chatbot message. Automatically cleared when you submit the message or close the browser tab.
- sessionStorage – Trial API credentials: Stores your Cornerstone DEAPI credentials during the free trial. Automatically cleared when you close the browser tab. Never transmitted to our servers.
- No tracking cookies: We do not deploy any cookies for marketing, advertising, or cross-site tracking purposes.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last updated" date. We encourage you to review this policy periodically.
13. Contact
For any questions or concerns regarding data protection, or to exercise your rights, please contact us at:
Octily GmbH
Email: octily@octily.com
See Legal Notice for full contact details and registered address.