Privacy Policy
Effective March 10, 2026. Oceum is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data.
1. Information We Collect
Account Information. When you register, we collect your email address, name, and organization name. If you sign in via Google or Microsoft SSO, we receive your name, email, and profile picture URL from the identity provider.
Agent and Workflow Data. When you use the platform, we store data about your AI agents (names, configurations, status), workflows (definitions, execution logs), and activity logs (events, errors, heartbeats). This data is associated with your organization.
Secure Vault Data. If you or your agents store sensitive data in the Secure Data Vault, it is encrypted at rest using AES-256-GCM. We cannot read vault contents — only your agents with the appropriate access policy can decrypt them.
Chat Interactions. When you use the Orion assistant, your messages are sent to our AI provider to generate responses. Chat history is stored only in your browser session and is not persisted on our servers.
Payment Information. If you subscribe to a paid plan, payment is processed by Stripe. We do not store credit card numbers, bank account details, or other payment credentials. We store only your Stripe customer ID and subscription ID.
2. How We Use Your Information
- Service Delivery. To operate the platform — authenticating you, managing your agents, executing workflows, and displaying your dashboard.
- Security. To detect and prevent unauthorized access, brute-force attacks, and anomalous behavior via automated security audits and rate limiting.
- Billing. To process subscription payments and manage your plan through Stripe.
- Support. To respond to questions or issues you raise via the Orion assistant or email.
We do not use your data for advertising, profiling, or selling to third parties.
3. Third-Party Services
We use the following third-party services to operate Oceum:
- Supabase (database hosting) — stores your account, agent, workflow, and log data in PostgreSQL. Data is hosted in the US East (Virginia) region.
- Anthropic (AI assistant) — processes your Orion chat messages to generate responses. Messages are sent to Anthropic's Claude API. Anthropic does not use your data for model training.
- Stripe (payment processing) — handles subscription billing. Subject to Stripe's Privacy Policy.
- Vercel (hosting) — serves the application and runs serverless functions. Subject to Vercel's Privacy Policy.
- Google / Microsoft (SSO only) — if you choose to sign in via SSO, we receive only your name and email from the identity provider. We do not access your Google or Microsoft account data beyond authentication.
We use Vercel Analytics, a first-party, cookie-free analytics service that collects anonymous page view metrics only. We do not use advertising networks, tracking pixels, or any third-party analytics that track individual users across sites.
4. Data Security
We implement the following security measures:
- All traffic encrypted via HTTPS with HSTS preloading
- Passwords hashed with bcrypt (10 rounds)
- Vault data encrypted with AES-256-GCM, keyed per organization
- JWT authentication with 24-hour expiry
- Rate limiting on login and password change endpoints
- Content Security Policy (CSP) restricting resource origins
- Daily automated security audits monitoring for anomalies
- SSRF protection on workflow HTTP actions
- All API error responses sanitized to prevent information leakage
5. Data Retention
- Account data is retained until you delete your account.
- Activity logs are retained for the duration of your plan (7 days on Free, 90 days on Pro).
- Agent memory entries expire based on their TTL (1 hour to permanent).
- Vault entries expire based on their TTL and can be manually revoked.
- Chat history is stored in your browser session only and cleared when you close the tab.
6. Your Rights
You have the right to:
- Access your data through the dashboard, logs, and settings pages.
- Delete your account and all associated data via Settings → Delete Organization. Deletion is permanent and cascading — all agents, workflows, logs, memory, vault entries, and integrations are removed.
- Export your data by requesting it via hello@oceum.ai.
- Correct your information via the Settings page (name, email, organization name).
- Withdraw consent by deleting your account or disconnecting integrations at any time.
7. Cookies and Local Storage
Oceum uses browser localStorage to store your authentication token (JWT) for session persistence. We use sessionStorage for temporary chat history. We do not use tracking cookies, third-party cookies, or fingerprinting.
8. Children's Privacy
Oceum is a business-to-business platform and is not intended for use by individuals under the age of 16. We do not knowingly collect data from children.
9. International Data Transfers
Your data is stored and processed in the United States. If you are accessing Oceum from outside the US, your data will be transferred to and stored in the US. By using Oceum, you consent to this transfer.
10. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. If changes are material, we will notify you via email or an in-app notification.
11. Contact
If you have questions about this privacy policy or your data, contact us at hello@oceum.ai.