Privacy Policy

Introduction

We collect only what we need to deliver your study. We do not sell your data. All survey data and study content is 100% encrypted at rest and in transit.

This Privacy Policy (“Policy”) describes how OLLOMA (“we,” “us,” or “our”) collects, uses, stores, and protects your personal information when you use our website at olloma.com and all related services (the “Platform”). By using the Platform, you acknowledge that you have read and understood this Policy.

This Policy applies to all users worldwide and is designed to comply with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Data Controller

OLLOMA is the data controller responsible for your personal information. For the purposes of the GDPR and other applicable data protection laws, our contact details are:

OLLOMA
Email: [email protected]

Information We Collect

We collect information in two ways:

Information you provide directly

Email address — for authentication, study delivery, and transactional communications
Survey and wizard responses — business descriptions, industry data, and strategic inputs used exclusively to generate your study
Payment information — processed entirely by Paddle (our Merchant of Record); we never store credit card numbers or banking details

Information collected automatically

Session cookies — essential only, for authentication and preferences
Basic usage data — page views and interaction patterns to improve the Platform
Device and browser information — IP address, browser type, and operating system for security and diagnostics

Legal Basis for Processing

Under the GDPR and other applicable data protection laws, we process your personal data on the following legal bases:

1

Contract Performance

Processing necessary to deliver the services you have purchased or requested, including generating and delivering your study.

2

Legitimate Interests

Processing necessary for our legitimate business interests, such as improving the Platform, preventing fraud, and ensuring security, provided these interests do not override your fundamental rights.

3

Legal Obligation

Processing required to comply with applicable laws, regulations, or legal proceedings.

4

Consent

Where required by law, we rely on your explicit consent, which you may withdraw at any time by contacting us.

How We Use Your Information

Generate, deliver, and store your AI-powered market study
Authenticate you via passwordless magic links
Process payments securely through Paddle (Merchant of Record)
Send transactional emails (study delivery, order confirmations, account notifications)
Improve the Platform, fix technical issues, and prevent abuse
Comply with legal obligations and enforce our Terms of Service

We do not use your information for marketing emails, third-party advertising, behavioral profiling, or sale to data brokers. We will never sell, rent, or trade your personal data.

Encryption & Data Security

All survey data, wizard responses, and generated study content is 100% encrypted — both at rest (stored on our servers) and in transit (between your browser and our servers).

We implement comprehensive security measures to protect your information:

TLS/HTTPS encryption for all data transmitted between your device and our servers
AES-256 encryption at rest for all survey data, business descriptions, and generated study content stored in our databases
Secure, authenticated access — your studies and data are accessible only through your authenticated account
Restricted internal access — personal data is accessible only to authorized personnel on a need-to-know basis
Regular security reviews and monitoring of our infrastructure and access patterns

While we employ industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the highest practicable standard.

Third-Party Services

We work with a limited number of trusted third-party service providers to operate the Platform. Each provider is contractually bound to protect your data:

P

Paddle (Merchant of Record)

Handles all payment processing, billing, tax compliance, and invoicing. Paddle collects and processes payment information directly — OLLOMA never has access to your credit card or banking details. See Paddle’s privacy policy.

AI

AI Providers

Your survey responses are sent to AI providers via commercial API plans to generate your study. We use enterprise-grade API agreements where your data is not used for model training. We never share your email, name, or personal identity with AI providers.

@

Email Delivery

We use transactional email services to deliver your study, magic-link authentication, and order confirmations. These providers process your email address solely for delivery purposes.

H

Hosting & Infrastructure

Our Platform is hosted on secure, encrypted servers provided by reputable cloud infrastructure providers that maintain industry-standard security certifications.

We do not sell, rent, or share your personal data with any other third parties for marketing, advertising, or any purpose unrelated to delivering the Platform.

International Data Transfers

OLLOMA operates from Portugal and the European Economic Area (EEA). Your data may be transferred to and processed in countries outside your country of residence, including countries outside the EEA, in connection with the services provided by our third-party providers (such as AI providers and infrastructure services).

Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with the GDPR, including:

Transfers to countries recognized by the European Commission as providing an adequate level of data protection
Standard Contractual Clauses (SCCs) approved by the European Commission
Other legally recognized transfer mechanisms as applicable

Cookies

We use a minimal number of cookies, all of which are essential for the Platform to function:

Cookie	Purpose	Duration
Session	Maintains your authenticated session	Session
CSRF Token	Protects against cross-site request forgery attacks	Session
Cookie Consent	Remembers your cookie consent preference	1 year
Returning Visitor	Displays a helpful banner if you have an existing study	30 days

We do not use third-party tracking cookies, advertising pixels, or any form of cross-site tracking technology.

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account data and studies — retained for as long as your account is active, so you can access your studies from your dashboard at any time
Transaction records — retained as required by applicable tax and accounting laws
Server logs — retained for up to 90 days for security and diagnostic purposes

If you request deletion of your data, we will remove your personal information, survey responses, and generated studies within 30 days, except where retention is required by law.

Your Rights

Under the GDPR, CCPA, and other applicable data protection laws, you have the following rights regarding your personal data:

Right of Access — request a copy of the personal data we hold about you
Right to Rectification — correct inaccurate or incomplete personal data
Right to Erasure — request deletion of your personal data (“right to be forgotten”)
Right to Data Portability — receive your data in a structured, machine-readable format
Right to Restrict Processing — request limitation of processing under certain circumstances
Right to Object — object to processing based on legitimate interests
Right to Withdraw Consent — where processing is based on consent, withdraw it at any time

For California residents (CCPA): You have the right to know what personal information is collected, request its deletion, and opt out of its sale. OLLOMA does not sell personal information.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days (or sooner, as required by applicable law). You also have the right to lodge a complaint with your local data protection authority.

Children’s Privacy

The Platform is not directed at individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately at [email protected] and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. If we make material changes, we will update the effective date at the top of this page and, where required by law, provide notice through the Platform or via email. Your continued use of the Platform after revised terms become effective constitutes your acceptance of those changes.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

OLLOMA — Privacy
Email: [email protected]
General: [email protected]