Privacy Policy

1. Overview

Okood ("we," "us," or "our") operates the platform available at okood.app — a professional workspace for creative freelancers to manage contracts, payments, and file deliveries. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data.

By creating an account or using Okood in any capacity, you agree to the practices described in this policy. If you do not agree, do not use the platform.

Okood does not sell your personal data. We do not use third-party advertising networks or external analytics trackers on our pages. We rely only on essential infrastructure providers to operate the platform.

2. Data We Collect

We collect data in three ways: data you provide directly, data we generate automatically as you use the platform, and data your clients provide when accessing your project portals.

2.1 Professional Account Data

When you register as a professional user, we collect:

Email address — required for authentication and notifications.
Full name — optional; used to personalize your dashboard and invoices.
Profession / specialization — optional; used to recommend contract templates.
Profile avatar — optional; a URL to your profile image if you choose to set one.
Account role and subscription plan — stored to manage access and enforce plan limits.

2.2 Client Portal Account Data

Your clients access their dedicated project portal via a secure link you share. If a client creates a portal account, we collect:

Email address — used for portal authentication.
Password — stored securely as a one-way hash (we cannot reverse it).
Verification status and timestamp — records whether the account has been email-verified.
Last login timestamp — stored for security purposes.

Client accounts are scoped to a single project and cannot access any other data on the platform.

2.3 Project and Contract Data

When you create and manage projects, we store:

Project name, description, status, and timeline information.
Contract text and clause content.
Electronic signature data — a base64-encoded canvas image of the signature and a timestamp.
Milestone and stage information.
Client name and contact information you add to a project.

2.4 Payment Data

Okood does not process the payments your clients make to you. We track those payment records as part of your project workflow. Specifically, we store:

Payment amounts, currency (AED), and status.
Bank transfer proof files (screenshots or receipts) uploaded by your client.
Payment approval records and timestamps.

For payments between you and your clients, we do not collect, store, or process credit card numbers, bank account numbers, or any financial credentials. That money movement is handled directly between you and your client via your chosen bank. Subscription fees you pay to Okood are handled separately by Stripe — see Section 2.6.

2.5 Uploaded Files

When you upload deliverable files (photos, videos, designs, or any other creative work), those files are stored on Cloudflare R2 and associated with your project. We also store file metadata (filename, size, content type, upload timestamp).

2.6 Subscription and Billing Data

We store:

Your current plan (Trial, Starter, or Pro), billing frequency, and subscription status.
Subscription period dates and renewal dates.
Invoice records including plan, amount, VAT breakdown, and period.
Storage usage (in bytes) relative to your plan quota.
Stripe customer and subscription identifiers used to manage your paid plan.

Paid Starter and Pro subscriptions are billed by card through Stripe, our payment processor. When you subscribe, you enter your card details directly with Stripe via Stripe Checkout, and you can update your payment method or view billing history through the Stripe-hosted billing portal. Stripe collects and stores your card details and billing information under its own privacy policy. Okood does not receive or store your full card number; we store only the Stripe identifiers above and the resulting invoice records.

2.7 Support and Communications

If you contact our support team via the in-app ticket system, we store the content of your messages, their status, and timestamps. Support ticket content may be reviewed by our support agents.

2.8 Technical and Usage Data

We maintain internal logs for platform operation and security, including:

Email delivery logs (whether notifications were sent, failed, or are pending).
Internal analytics events (account creation, project creation, contract signatures) stored in our own database — not shared with third-party analytics providers.
Error logs for debugging purposes. Application errors are also captured by Sentry, our error-monitoring provider, which may receive technical request context (such as the URL, browser information, and IP address) to help us diagnose problems. We redact request bodies and cookies on sensitive routes such as payments, contracts, and webhooks.
IP addresses and request timestamps for rate limiting and security.

3. How We Use Your Data

We use the data we collect to:

Provide the platform: create and manage your projects, contracts, deliverables, and payment records.
Authenticate users: verify your identity when you log in and protect your account.
Send notifications: email you about contract signatures, payment confirmations, delivery reminders, file uploads, and subscription activity. You cannot opt out of transactional notifications tied to your active projects or subscription.
Manage subscriptions: track your plan, enforce storage and project limits, generate invoices, and send renewal reminders.
Provide support: respond to your support tickets and resolve issues.
Operate and improve the platform: internal analytics help us understand which features are used and where problems occur. This data is never shared externally.
Enforce security: rate limiting and error logging protect the platform from abuse.
Meet legal obligations: maintaining audit logs and records required for compliance.

We do not use your data for advertising, profiling, or sale to any third party.

4. Third-Party Services

We rely on the following infrastructure providers to operate the platform. Each acts as a data processor on our behalf and is bound by appropriate data processing terms.

Supabase

supabase.com

Purpose: Database hosting, user authentication, and Row Level Security enforcement.

Data shared: All structured data (profiles, projects, contracts, payments, subscriptions, logs).

Cloudflare R2

cloudflare.com

Purpose: Object file storage for deliverable files and payment proof uploads.

Data shared: Creative files you upload and bank transfer screenshots uploaded by your clients.

Resend

resend.com

Purpose: Transactional email delivery for all platform notifications.

Data shared: Recipient email address, notification type, and the HTML email content sent.

Stripe

stripe.com

Purpose: Card payment processing and subscription billing for paid plans (checkout, renewals, refunds, and the billing portal).

Data shared: Your email, card and billing details (entered directly with Stripe), and subscription and invoice records.

Sentry

sentry.io

Purpose: Application error monitoring and performance diagnostics.

Data shared: Error reports with technical request context such as URL, browser information, and IP address. Request bodies and cookies are redacted on sensitive routes.

Vercel

vercel.com

Purpose: Application hosting and deployment.

Data shared: Incoming request data processed for server-side rendering.

We do not use advertising networks, social media trackers, or external analytics platforms. We rely on essential infrastructure providers to operate the platform.

5. Storage & Security

Structured data is stored in a secure database with access controls at the database and application layers so that records are only accessible to the appropriate authenticated user.

Files are stored in Cloudflare R2 with access controlled by time-limited download links. Deliverable files are only accessible to the professional who uploaded them and to the client associated with that specific project, after payment approval.

Client and professional sessions are protected using secure session mechanisms that help prevent unauthorized access from client-side scripts.

We use rate limiting and secure password hashing to reduce brute-force attacks and help protect accounts.

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your data.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the service. Specific retention rules are:

Active accounts: all data is retained for the duration of your account.
Subscription cancellation: upon cancellation, your account enters a 30-day grace period during which all data remains intact and the platform is read-only. You can re-subscribe at any time during this period.
After grace period expires: your account and all associated user data — projects, contracts, deliverables, payment records, invoices, and files stored in Cloudflare R2 — are permanently deleted. This deletion is irreversible, except for records we are required to retain for legal, security, or compliance purposes.
Account deletion by admin: if an account is deleted by an Okood administrator (e.g., for Terms of Service violations), all associated data is permanently deleted in the same cascade.
Audit logs: certain security and admin audit logs may be retained for up to 12 months, or longer where required by law, for security and compliance purposes.

We will send you email reminders as your grace period approaches expiry so you have the opportunity to export important documents before deletion.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.
Correction: update your profile information directly in your account settings at any time.
Deletion: you can schedule deletion of your account and all associated data yourself from your account settings (a 30-day window applies, which you can cancel before it elapses), or contact us at support@okood.app. Note that deletion of your account is permanent and irreversible once it completes, subject to any records we must retain for legal, security, or compliance reasons.
Data portability: export your contracts (as PDF) and project data at any time from your dashboard before account deletion.
Objection: object to certain processing of your data by contacting us.

To exercise any of these rights, contact us at support@okood.app. We will respond within 30 days.

8. Cookies & Sessions

Okood uses cookies strictly for authentication and session management. We do not use tracking cookies, advertising cookies, or any third-party cookies.

Professional session cookie (okood_session): set by Supabase to maintain your authenticated professional session. This is an HttpOnly, secure cookie.
Client portal session cookie (okood_client_session): set when a client signs in to their portal account, granting access to their project portal for 7 days. This is an HttpOnly, secure JWT cookie scoped to the specific project.

These cookies are necessary for the platform to function. You may clear them at any time by logging out or clearing your browser cookies, which will end your session.

9. Age Restrictions

Okood is intended for professional use by individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a minor has created an account, please contact us at support@okood.app and we will delete the account promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of Okood after changes take effect constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Okood Support

support@okood.app