OLOID and the General Data Protection Regulation (GDPR)
At OLOID, we prioritize the privacy and security of our customers' data. Our Data Processing Agreement (DPA) reflects our commitment to compliance with the General Data Protection Regulation (GDPR), the UK GDPR, and a broad spectrum of global and U.S. data protection laws. As a Data Processor, we process personal information solely on behalf of our customers, who act as Data Controllers.
What are GDPR and Other Data Protection Laws?
The GDPR is a European Union regulation that governs how organizations collect, process, store, and share personal data of individuals in the EU. It grants individuals greater control over their personal information and imposes strict obligations on organizations handling such data.
OLOID also complies with:
- UK GDPR (as enacted via the Data Protection Act 2018)
- California Consumer Privacy Act (CCPA)
- Colorado Privacy Act (CPA)
- Minnesota Consumer Data Privacy Act (effective July 31, 2025)
- Montana Consumer Data Privacy Act (effective October 1, 2024)
- Oregon Consumer Privacy Act (OCPA)
- Utah Consumer Privacy Act (UCPA)
- Illinois Biometric Information Privacy Act (BIPA)
- Washington State Biometric Act
How OLOID Helps You Stay Compliant
Role of OLOID
OLOID acts as a Data Processor under GDPR and other data protection frameworks. We process personal data only in accordance with documented instructions from our customers. We never sell, retain, or disclose data beyond what is necessary to perform our services.
Scope of Data Processing
- We process only what is required to fulfill the contracted business purposes.
- We prohibit any use of personal data for cross-context behavioral advertising.
- We ensure full confidentiality and do not disclose personal data without customer authorization.
Security Measures
OLOID applies appropriate technical and organizational safeguards to protect customer data:
- Data encryption and access controls
- A maintained Security Incident Response Plan
- Subprocessor agreements with equivalent data protection obligations
Breach Notification
In the event of a data breach:
- We notify customers without undue delay and within 72 hours if required.
- We provide relevant details to help meet any regulatory notification requirements.
Supporting Data Subject Rights
We support our customers in responding to requests related to:
- Access, correction, or deletion of data
- Data portability
- Objection or restriction of processing
OLOID does not respond directly to individuals unless instructed by the customer.
Subprocessors
We engage only authorized subprocessors:
- Customers are notified in advance of any new subprocessors.
- We enter into written agreements that reflect the obligations of our DPA.
- Customers may object to a new subprocessor within a 90-day window.
International Data Transfers
For transfers outside the EEA or UK:
- We use Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
- We conduct transfer impact assessments as required.
No transfer is executed without prior written authorization from our customers unless required by law.
Data Retention and Deletion
Upon contract termination or customer request:
- We will either return all personal data or securely delete it.
- If retention is required by law, we notify the customer and limit usage to compliance only.
Audit and Transparency
- Customers may audit our systems with 30 days' notice.
- We maintain detailed records of processing activities per GDPR Article 30(2).
- We assist with Data Protection Impact Assessments and regulatory consultations.
We’re Here to Help
Have questions about data privacy, security, or regulatory compliance? Our team is happy to help.
For questions related to compliance or security, contact us at compliance@oloid.ai.
For privacy-related inquiries, reach us at privacy@oloid.ai.