Privacy Policy
Last updated: 2 July 2026 · Version 1.0.0-draft
Working Draft — Pending Legal Review
This document is a placeholder drafted in-house so the plumbing (footer links, checkout consent, indexable pages) works while the reviewed final text is prepared. It is not a substitute for an agreement drafted or reviewed by qualified legal counsel. Do not rely on any specific term below in a dispute. Questions about a specific clause? email us and we will connect you with our counsel.
1. Who we are
This Privacy Policy explains how [Company Legal Name](“Oxolan”, “we”) collects and uses personal data when you install or purchase the Oxolan software or visit oxolan.com.
For the purposes of India’s Digital Personal Data Protection Act 2023 (“DPDP Act”) we act as a Data Fiduciary. For the GDPR (EU/UK visitors) we act as a Data Controller.
2. Our core promise: your files never touch our servers
Oxolan is peer-to-peer. Every file transfer happens inside your local network, directly between your devices. We do not receive, store, log, index, back up, or process the contents of any file you send with Oxolan, and we do not have the technical ability to see them.
3. What we do collect, and why
| Data | Why | Legal basis |
|---|---|---|
| Email address | Send your license, GST invoices, security notices; verify OTP at activation. | Contract / necessary to provide the service. |
| Device hardware ID (HWID) | Bind your license to your PC so plan seat limits are enforced without a login. | Contract; legitimate interest in preventing seat abuse. |
| IP address (activation / heartbeat) | Detect trial abuse, geolocate for currency/tax; not stored longer than needed. | Legitimate interest in fraud prevention. |
| Plan, activation, and revocation events | Enforce seat count, calculate renewals, provide support. | Contract. |
| Payment metadata (order ID, amount, GSTIN) | Issue GST invoices; reconcile accounting. We never see or store card / UPI / bank details — Razorpay does. | Legal obligation (GST); contract. |
| App version and OS reported at heartbeat | Support and update decisions. | Legitimate interest. |
| Support emails and their contents | Answer your questions. | Contract. |
4. What we do NOT collect
- The contents of any file you transfer with Oxolan.
- Filenames, folder structure, or a listing of your shared folder.
- Card numbers, UPI IDs, or bank details.
- Behavioral tracking cookies or analytics beacons on the marketing site (only essential cookies are used).
5. Who we share data with (sub-processors)
We use the following providers to run the service. Each processes personal data on our behalf under written data-processing terms:
- Razorpay — INR payment processing (India). Card and UPI data is captured directly by Razorpay; we receive only the order/payment identifiers.
- Supabase — Postgres database hosting our license records (email, HWID, plan, activation history).
- Vercel — hosts the marketing site and the license-server API endpoints.
- Resend — sends transactional email (license delivery, invoices, security notices).
- GitHub — hosts the installer binaries downloaded by end users.
We do not sell your personal data. We do not share it with advertisers or data brokers.
6. International transfers
Some sub-processors listed above operate outside India. Where we transfer personal data internationally, we rely on the recipient’s compliance with recognized frameworks (e.g. Standard Contractual Clauses for EU/UK personal data). Cross-border transfer under the DPDP Act follows any restrictions notified by the Central Government.
7. How long we keep data
- License records: for the life of your license and up to 1 year after termination, for tax and audit reasons (GST records: retained per Indian statutory requirements).
- Support emails: up to 3 years, unless you ask for earlier deletion.
- Heartbeat IP/UA logs: rotated within 30 days.
- Payment metadata: retained per statutory financial-records requirements.
8. Your rights
Depending on your jurisdiction, you have rights to access, correct, erase, restrict, or receive a portable copy of your personal data, and to withdraw consent where processing relies on it. To exercise any right, email hello@oxolan.com. We will respond within statutory timelines (30 days under the DPDP Act; one month under GDPR).
9. Security
We take reasonable technical and organizational measures to protect your data, including TLS in transit, encryption at rest for the license database, secret management for API keys, and role-based access control on the license server. No system is perfectly secure — if you believe you have discovered a vulnerability, please email hello@oxolan.com.
10. Children
Oxolan is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.
11. Changes
We will post updates to this Policy on this page and notify licensed customers by email for material changes.
12. Grievance Officer (India — DPDP Act)
In accordance with the DPDP Act 2023, any grievance concerning processing of your personal data may be addressed to our Grievance Officer:
[Grievance Officer Name]
Email: privacy@oxolan.com
[Registered Office Address]
We aim to acknowledge grievances within 3 working days and resolve them within 30 days, in line with the Act.