This Privacy Policy describes how Oceras ("we", "our", "us") collects, uses, and protects information when you use our customer messaging platform, including our web application (admin dashboard), website chat widget, mobile agent apps (iOS and Android), and supporting APIs (collectively, the "Service").
1. Who we are
Oceras is a customer messaging platform that lets support and sales teams handle conversations from a web chat widget, admin dashboard, and native mobile apps. The Service is operated by the Oceras team. For any privacy-related questions, contact us at privacy@oceras.com.
2. Information we collect
2.1 Information you provide directly (agent accounts)
- Account details: name, email address, hashed password, organization name/slug, role (admin, manager, agent).
- Profile data: optional avatar URL, availability status (online / away / offline).
- Conversation content: messages, internal notes, attachments, and ticket metadata you create while using the Service.
2.2 Information collected from your website visitors (widget)
When you embed the Oceras widget on your site, the following information about visitors who start a chat may be collected and stored on our servers:
- Display name and email address if the visitor provides them in the pre-chat form — otherwise a random visitor ID.
- Chat messages and attachments exchanged with your agents.
- A visitor ID stored in the visitor's browser localStorage to persist the conversation across reloads.
- Basic technical data attached to requests (IP address, user-agent) used for rate limiting and abuse prevention.
You, as the operator of the site that embeds the widget, are the data controller for your visitors' data. Oceras acts as a processor. You are responsible for disclosing the use of Oceras in your own privacy policy and for obtaining any consents required by your jurisdiction.
2.3 Information collected automatically
- Device tokens: when an agent enables push notifications on a mobile device, an Expo push token is stored so we can deliver notifications.
- Connection data: server logs retain IP addresses, request paths, and timestamps for up to 30 days for debugging and security.
- Socket session metadata: which organization a connected user belongs to, for correct real-time routing.
3. How we use information
- Operate the Service: route messages, display inboxes, update tickets, send push notifications, keep the dashboard in sync.
- Authenticate you: verify passwords (bcrypt-hashed), issue short-lived access tokens and refresh tokens.
- Protect users: detect abuse, rate-limit suspicious traffic, maintain service integrity.
- Improve the Service: diagnose bugs and performance problems using aggregated logs.
We do not use your content for advertising, for profiling, or to train third-party AI models.
4. Legal bases (GDPR)
- Contract: processing needed to provide the Service you signed up for.
- Legitimate interest: securing the platform, preventing fraud, operational logging.
- Consent: for optional features such as push notifications on mobile (you grant this via the OS permission dialog).
5. Sharing and third parties
We share information only with the following categories of providers, strictly to deliver the Service:
- Infrastructure: our VPS provider (hosting the Postgres database and application servers).
- Push delivery: Expo Push Service (expo.dev) forwards notifications to Apple (APNs) and Google (FCM) for delivery to your device. Only the push token, notification title, body, and data payload are transmitted.
- TLS certificates: Let's Encrypt issues certificates for our domains.
We do not sell, rent, or share personal data with advertisers, data brokers, or analytics networks.
6. Data retention
- Account data is retained while your account is active. On account deletion, data is erased within 30 days (anonymized backups may persist up to 90 days).
- Conversation content is retained as long as the associated organization exists.
- Server logs are rotated after 30 days.
- Expired push tokens are automatically cleaned up.
7. Your rights
Depending on your jurisdiction, you may have rights including:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data.
- Portability — receive your data in a machine-readable format.
- Objection / restriction — object to specific processing activities.
- Withdraw consent — revoke push notification permission at any time via your OS settings.
To exercise any of these rights, email privacy@oceras.com. We respond within 30 days.
8. Security
- All traffic is served over TLS 1.2+ with HSTS enforced.
- Passwords are hashed with bcrypt (cost factor 10) — plain passwords are never stored or logged.
- Access tokens expire after 15 minutes; refresh tokens are stored in the mobile OS's secure storage.
- Each organization's data is isolated at the query layer — cross-tenant access is not possible via the API.
- File uploads pass through short-lived, owner-scoped pre-signed URLs.
9. International transfers
Our servers are located in the European Union. If you access the Service from outside the EU, your data may be transferred to and processed in the EU. We rely on EU adequacy decisions and Standard Contractual Clauses where applicable.
10. Children
The Service is intended for business use by people 18 years or older. We do not knowingly collect personal data from children under 13 (or the equivalent minimum age in your jurisdiction).
11. Cookies & similar technologies
- The admin dashboard stores JWT access and refresh tokens in localStorage to keep you signed in.
- The chat widget stores a visitor ID and session token in localStorage so returning visitors reconnect to their existing conversation.
- We do not use third-party tracking cookies, advertising pixels, or cross-site analytics.
12. Changes to this policy
We may update this policy occasionally to reflect changes in the Service, the law, or best practices. When we do, we'll update the "Last updated" date above. Material changes will be communicated via email to account administrators.
13. Contact
Questions, requests, or complaints? Reach us at privacy@oceras.com. If you're in the EU and unsatisfied with our response, you may lodge a complaint with your local data protection authority.