OLOID and the General Data Protection Regulation (GDPR)

At OLOID, we prioritize the privacy and security of our customers' data. Our Data Processing Agreement (DPA) reflects our commitment to compliance with the General Data Protection Regulation (GDPR), the UK GDPR, and a broad spectrum of global and U.S. data protection laws. As a Data Processor, we process personal information solely on behalf of our customers, who act as Data Controllers.

What are GDPR and Other Data Protection Laws?

The GDPR is a European Union regulation that governs how organizations collect, process, store, and share personal data of individuals in the EU. It grants individuals greater control over their personal information and imposes strict obligations on organizations handling such data.
OLOID also complies with:
  • UK GDPR (as enacted via the Data Protection Act 2018)
  • California Consumer Privacy Act (CCPA)
  • Colorado Privacy Act (CPA)
  • Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  • Montana Consumer Data Privacy Act (effective October 1, 2024)
  • Oregon Consumer Privacy Act (OCPA)
  • Utah Consumer Privacy Act (UCPA)
  • Illinois Biometric Information Privacy Act (BIPA)
  • Washington State Biometric Act

How OLOID Helps You Stay Compliant

  1. Role of OLOID

    OLOID acts as a Data Processor under GDPR and other data protection frameworks. We process personal data only in accordance with documented instructions from our customers. We never sell, retain, or disclose data beyond what is necessary to perform our services.
  2. Scope of Data Processing

    • We process only what is required to fulfill the contracted business purposes.
    • We prohibit any use of personal data for cross-context behavioral advertising.
    • We ensure full confidentiality and do not disclose personal data without customer authorization.
  3. Security Measures

    OLOID applies appropriate technical and organizational safeguards to protect customer data:
    • Data encryption and access controls
    • A maintained Security Incident Response Plan
    • Subprocessor agreements with equivalent data protection obligations
  4. Breach Notification

    In the event of a data breach:
    • We notify customers without undue delay and within 72 hours if required.
    • We provide relevant details to help meet any regulatory notification requirements.

Supporting Data Subject Rights

We support our customers in responding to requests related to:
  • Access, correction, or deletion of data
  • Data portability
  • Objection or restriction of processing
OLOID does not respond directly to individuals unless instructed by the customer.

Subprocessors

We engage only authorized subprocessors:
  • Customers are notified in advance of any new subprocessors.
  • We enter into written agreements that reflect the obligations of our DPA.
  • Customers may object to a new subprocessor within a 90-day window.

International Data Transfers

For transfers outside the EEA or UK:
  • We use Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
  • We conduct transfer impact assessments as required.
No transfer is executed without prior written authorization from our customers unless required by law.

Data Retention and Deletion

Upon contract termination or customer request:
  • We will either return all personal data or securely delete it.
  • If retention is required by law, we notify the customer and limit usage to compliance only.

Audit and Transparency

  • Customers may audit our systems with 30 days' notice.
  • We maintain detailed records of processing activities per GDPR Article 30(2).
  • We assist with Data Protection Impact Assessments and regulatory consultations.

We’re Here to Help

Have questions about data privacy, security, or regulatory compliance? Our team is happy to help.
For questions related to compliance or security, contact us at compliance@oloid.ai.
For privacy-related inquiries, reach us at privacy@oloid.ai.

Contact Us

OLOID Inc.
440 N Wolfe Rd
Sunnyvale, CA 94085