Privacy Policy

Oracium Systems Ltd. ("Oracium", "we", "our", "us"), a company registered in the Turkish Republic of Northern Cyprus with registered office in Kyrenia, Northern Cyprus, is the controller of personal data processed in connection with our website, dashboard, API, and related services (together, the "Services"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have in relation to it.

1. Scope

This policy applies to individuals who visit our website, sign up for an account, use the Services, contact us, or otherwise interact with Oracium. It does not apply to third-party websites or services that may be linked from our site; please consult those providers' privacy policies. Where Oracium processes personal data on behalf of a customer (for example, content submitted through the API), we act as a processor and the customer is the controller; in those cases the customer's privacy notice applies and we will process such data in accordance with the Data Processing Addendum incorporated into our Terms of Service.

2. Personal data we collect

• Account data: name, email address, organisation, role, country, and authentication identifiers (including hashed passwords or OAuth subject identifiers).
• Billing data: billing address, tax identifiers, and the last four digits and brand of the payment instrument. Full card details are processed directly by our payment processors and are never stored by Oracium.
• Usage and telemetry: API request metadata (timestamps, endpoints, response codes, latency, request size, region), IP address, user-agent, device and browser information, and interaction events within the dashboard.
• Customer Content: prompts, configuration parameters, and any media uploaded by you or your end users for processing by the Services, together with the resulting Output.
• Communications: the content of emails, support tickets, and any recordings of voluntarily scheduled video calls with our team.
• Cookies and similar technologies: strictly necessary cookies for authentication and security, plus optional analytics cookies that you can decline via our cookie banner.

3. How we use personal data

• to provide, operate, secure, and support the Services;
• to authenticate users, prevent fraud and abuse, and enforce our Terms;
• to invoice, collect payment, and manage tax obligations;
• to monitor performance, debug issues, and improve reliability and quality;
• to communicate with you about service updates, security advisories, and changes to legal terms;
• to send marketing communications where you have opted in (you can unsubscribe at any time);
• to comply with applicable law and respond to lawful requests from public authorities.

We do not use Customer Content or Output to train foundation models. We do not sell personal data and do not engage in cross-context behavioural advertising.

4. Legal bases for processing

Where data-protection law applies, we rely on the following legal bases: (a) performance of a contract with you (Article 6(1)(b) GDPR) to provide the Services; (b) compliance with legal obligations (Article 6(1)(c) GDPR) such as tax and accounting; (c) our legitimate interests (Article 6(1)(f) GDPR) in operating, securing, and improving the Services and protecting against fraud; and (d) your consent (Article 6(1)(a) GDPR) for optional cookies and marketing communications, which you may withdraw at any time without affecting the lawfulness of prior processing.

5. Sharing of personal data

We share personal data only with the following categories of recipients:

• Sub-processors who provide infrastructure (cloud hosting, content delivery), Model inference, payment processing, email delivery, error monitoring, and customer support, each bound by written contracts that include confidentiality and security obligations equivalent to those in this policy. A current list is available on request from privacy@oracium.io.
• Professional advisers such as auditors, lawyers, and accountants where necessary for the establishment, exercise, or defence of legal claims.
• Public authorities where disclosure is required by law or necessary to protect the vital interests of any person.
• Successors in connection with a merger, acquisition, reorganisation, or sale of all or part of our business, subject to confidentiality.

6. International transfers

Oracium operates globally and may transfer personal data to countries outside your country of residence, including the European Economic Area, the United Kingdom, Türkiye, and the United States. Where we transfer personal data subject to the GDPR or UK GDPR to a country not recognised as providing an adequate level of protection, we rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum) and implement supplementary technical and organisational measures as appropriate.

7. Retention

We retain personal data only for as long as necessary for the purposes set out in this policy. Account data is retained for the life of the account and for up to twelve (12) months after closure, unless a longer retention period is required by law. Customer Content and Output are retained for thirty (30) days by default and then permanently deleted from primary storage; backup copies are purged within a further thirty (30) days. Billing records are retained for up to ten (10) years to satisfy accounting obligations. Telemetry is retained in identifiable form for up to thirteen (13) months and thereafter only in aggregated form.

8. Security

We maintain a documented information-security programme that includes: encryption in transit (TLS 1.2+) and at rest (AES-256); least-privilege access controls with mandatory multi-factor authentication for all personnel; network segmentation; centralised logging and intrusion detection; vendor risk reviews; secure software-development practices including code review and dependency scanning; and an incident-response plan with defined roles and escalation paths. Despite these measures, no system is completely secure; you are responsible for protecting your account credentials and API keys.

9. Your rights

Depending on your jurisdiction, you may have the right to:

• access the personal data we hold about you and obtain a copy;
• request correction of inaccurate or incomplete data;
• request erasure of your personal data ("right to be forgotten");
• restrict or object to certain processing, including direct marketing;
• request portability of personal data you have provided to us;
• withdraw consent at any time where processing is based on consent;
• lodge a complaint with the data-protection authority of your jurisdiction.

To exercise any of these rights, email privacy@oracium.io. We will respond within thirty (30) days. We may need to verify your identity before fulfilling your request.

10. Children

The Services are not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Automated decision-making

We do not use personal data to make decisions that produce legal or similarly significant effects on you without human involvement. Output produced by the Services should not be relied on as the sole basis for any decision with legal or similarly significant effects without appropriate human review.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Effective date" at the top reflects the latest revision. Where changes are material, we will provide reasonable advance notice by email or in-product notice.

13. Contact

Oracium Systems Ltd.
Kyrenia, Turkish Republic of Northern Cyprus
Privacy enquiries: privacy@oracium.io
Security enquiries: security@oracium.io