Privacy Policy
Last updated: 2026-06-15
1. Who we are
Okton (“Okton”, “we”, “us”, “our”) is a senior software studio based in Prishtina, Kosovo. We operate the website https://okton.app (the “Site”) and are the data controller responsible for the personal data described in this policy.
For any privacy question, or to exercise your rights, contact us at hello@okton.app.
Okton is established outside the European Union / European Economic Area. Where we offer our services to people located in the EU/EEA, the EU General Data Protection Regulation (GDPR) applies to that processing.
2. Scope of this policy
This policy explains how we handle the personal data of visitors to our public website, including people who use our contact form. Our Site is a single public page plus a private, password-protected area (/dashboard) used only by Okton staff to manage client work; that private area is covered briefly in section 6 and is not open to the public.
3. What data we collect, and why
a) Contact form. The contact form is the only place where we actively collect personal data from you. When you submit it, we collect:
- your name;
- your email address;
- the “offer type” you select; and
- the free-text message you write.
We use this data solely to read and respond to your enquiry and to carry out any reasonable follow-up about it. Your submission is delivered to us by email (see section 6).
To protect the form from spam and abuse, we apply a hidden “honeypot” field and a minimum-time check, and we use your IP address transiently and in memory only for short-lived rate-limiting. This IP address is not stored in our application and is discarded after the brief rate-limiting window.
b) Server logs. Like most websites, our hosting provider keeps standard access logs that may include your IP address, browser/user-agent string, and the date and time of requests. These logs are used for security, abuse prevention and operating the Site, and are kept only for a short period (see section 8).
c) What we do not do. We do not use analytics, advertising or marketing pixels, behavioural tracking, or profiling. We do not carry out automated decision-making that produces legal or similarly significant effects. We do not intentionally collect special-category data (such as health, biometric or similar sensitive data) — please do not include such information in your message.
4. Legal bases (GDPR Article 6)
We rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Handling and responding to your contact-form enquiry | Consent (Art. 6(1)(a)) where you voluntarily reach out, and/or legitimate interests (Art. 6(1)(f)) in responding to enquiries about our services and taking steps that may lead to a business relationship. |
| Spam prevention, security and operating the Site (incl. transient IP rate-limiting and server logs) | Legitimate interests (Art. 6(1)(f)) in keeping the Site secure, available and free from abuse. |
Where we rely on consent, you may withdraw it at any time (this does not affect processing already carried out). Where we rely on legitimate interests, you have the right to object (see section 9).
5. Cookies and similar technologies
Our Site uses only strictly necessary and functional cookies and local storage, and no analytics or marketing technologies. For that reason no opt-in consent banner is required, and we instead show a short informational notice. Full details — including every item we use, its purpose and its duration — are in our Cookie Policy.
6. Recipients and sub-processors
We do not sell your personal data. We share it only with the service providers (“sub-processors”) that help us operate the Site, each acting on our instructions under a data-processing agreement:
| Sub-processor | Role | Region |
|---|---|---|
| Vercel Inc. | Website hosting, CDN and serverless functions | United States company; EU edge network |
| Brevo (Sendinblue SAS) | Transactional email delivery for the contact form | France (EU) |
| Supabase | Database and authentication for our private staff dashboard only | EU (Frankfurt, Germany) |
The private /dashboard area is used solely by Okton staff to manage invoices and offers; any client/business data there is stored with Supabase in the EU and is not part of the public Site experience.
7. International transfers
Okton is established in Kosovo, which is outside the EU/EEA, and some of our processing involves a service provider based in the United States (Vercel). Where personal data is transferred outside the EU/EEA to a country without an EU adequacy decision, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses — and, where appropriate, additional measures. Data handled by Supabase resides in the EU (Frankfurt).
8. How long we keep your data
- Contact-form data: kept only as long as needed to handle your enquiry and any reasonable follow-up, then deleted or archived in line with our retention practice.
- Server logs: kept for a short period for security and operational purposes, then deleted.
- Transient IP (rate-limiting): held in memory only and discarded after the short rate-limiting window; not stored.
9. Your rights
If the GDPR applies to your data, you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure (the “right to be forgotten”);
- request restriction of processing;
- data portability, where processing is based on consent or contract and carried out by automated means;
- object to processing based on our legitimate interests; and
- withdraw consent at any time, where we rely on consent.
To exercise any of these rights, email hello@okton.app. We will respond within the time limits required by law (generally one month under the GDPR, extendable where permitted). We may need to verify your identity before acting on a request.
10. Right to complain to a supervisory authority
If you are in the EU/EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority. We would, however, appreciate the chance to address your concern first — please contact us at hello@okton.app.
11. EU representative (GDPR Article 27)
Okton is established outside the EU/EEA. We have assessed our position under Article 27: our public processing is limited, involves no large-scale special-category or criminal-offence data, and is unlikely to result in a high risk to individuals, which may bring us within the Article 27(2) exemption from appointing an EU representative. As this assessment is fact-specific, it is being confirmed with privacy counsel; if an EU representative is required, we will appoint one and publish their contact details here.
12. Children
Our Site and services are intended for businesses and professional clients and are not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at hello@okton.app and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above. Material changes will be made clear on this page.
14. Contact
Questions about this policy or your personal data? Email us at hello@okton.app.