1. Who we are
OctaGoal ("we", "us", "our") is an AI goal-achievement platform. We act as the Data Controller for personal data processed through this service.
Contact: privacy@octagoal.com
2. Data we collect
We collect the following categories of personal data:
- Account data: Name, email address, profile image (from OAuth providers), encrypted password hash
- Goal and plan data: Goal descriptions, milestones, tasks, sub-tasks, progress records, WOOP framework data, strategy notes
- Coaching conversations: AI chat messages, agent responses, routing decisions
- Daily engagement: Morning/evening check-ins, mood ratings, daily notes, habit streak data
- Technical data: IP address (for rate limiting), browser type, device type (from User-Agent), session tokens
- Payment data: Subscription status, plan tier, billing events. Card details are handled exclusively by Stripe — we never see or store your card number.
- Notification preferences: Push subscription endpoints, preferred notification times, timezone
3. Why we process your data
We process your data on the following legal bases (GDPR Article 6):
- Contract performance (Art. 6(1)(b)): To provide the OctaGoal service — AI coaching, goal planning, progress tracking
- Legitimate interests (Art. 6(1)(f)): Security (rate limiting, abuse prevention), fraud detection, service improvement based on aggregate usage patterns
- Consent (Art. 6(1)(a)): Push notifications (only sent if you opt in)
- Legal obligation (Art. 6(1)(c)): Financial record-keeping, responding to lawful data access requests
4. AI processing
Your goal text and coaching conversations are sent to OpenRouter (openrouter.ai) to power our AI agents. OpenRouter routes requests to language models (currently Qwen). Your data is processed under OpenRouter's privacy policy and is used solely to generate responses — it is not used to train models without your explicit consent.
We apply input sanitization to remove potentially sensitive prompt patterns before sending data to AI services.
5. Data sharing
We share data with the following third-party processors under appropriate data processing agreements:
- Stripe: Payment processing, subscription management. Stripe processes card data directly — we receive only subscription status and customer IDs.
- OpenRouter / AI providers: Goal and coaching data is processed to generate AI responses.
- Vercel: Hosting and serverless infrastructure. Data is processed in EU/US regions.
- PostgreSQL database provider: Persistent storage of all account and goal data.
We do not sell your personal data to any third party. We do not use your data for advertising.
6. Data retention
- Account data: Retained for the lifetime of your account plus 30 days after deletion (for recovery)
- Goal and coaching data: Retained for the lifetime of your account
- Payment records: 7 years (legal obligation for financial records)
- Server logs: 30 days maximum, then automatically purged
7. Your rights (GDPR)
If you are in the European Economic Area (EEA) or UK, you have the following rights:
- Right of access (Art. 15): Request a copy of all data we hold about you
- Right to rectification (Art. 16): Correct inaccurate data via your account settings
- Right to erasure (Art. 17): Delete your account and all data from your account settings page
- Right to portability (Art. 20): Export all your data as JSON from your account settings page
- Right to object (Art. 21): Object to processing based on legitimate interests
- Right to restrict processing (Art. 18): Contact us to restrict specific processing activities
To exercise any of these rights, use the controls in your Account settings or contact privacy@octagoal.com. We respond to requests within 30 days.
You have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your national DPA in the EU).
8. Your rights (CCPA — California)
If you are a California resident, under the California Consumer Privacy Act (CCPA / CPRA) you have the right to:
- Know what personal information we collect and how we use it
- Delete your personal information
- Opt out of the "sale" or "sharing" of personal information — we do not sell or share your personal information
- Non-discrimination for exercising your privacy rights
To exercise CCPA rights, use your account settings or email privacy@octagoal.com.
9. Cookies
We use the following cookies:
- Session token (essential): Keeps you logged in. httpOnly, Secure, SameSite=Lax. Expires after 30 days of inactivity.
- CSRF token (essential): Protects against cross-site request forgery. httpOnly, Secure.
- Consent record: Stores your cookie consent choice. Expires after 1 year.
We do not use third-party tracking cookies or advertising cookies.
10. Security
We implement industry-standard security measures including: bcrypt-hashed passwords (cost factor 12), HTTPS-only transport (HSTS enforced), Content Security Policy headers, rate limiting on all API endpoints, and server-side session validation on every request.
To report a security vulnerability, please email security@octagoal.com.
11. Changes to this policy
We may update this policy as our service evolves. Material changes will be communicated via email or an in-app notification at least 14 days before taking effect. Continued use of OctaGoal after the effective date constitutes acceptance.