Privacy Policy

Last updated: 28 March 2026

1. Introduction

Curble Pty Ltd, operating as Octti AI ("Company", "we", "us"), operates the Octti AI platform ("Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Australian Privacy Act 1988.

2. Data We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, and authentication credentials (hashed passwords or OAuth tokens). This data is necessary to provide the Service.

2.2 API Keys

If you use the Bring Your Own Key (BYOK) model, you provide API keys for third-party AI providers. These keys are encrypted at rest using AES-256 encryption. Keys are decrypted only at the moment of a provider API call and are never logged, displayed in full, or shared with any third party.

2.3 Agent Interaction Data

We store agent configurations, conversation histories, task logs, workflow definitions, and activity records that you create through the Service. This data is necessary to provide agent orchestration functionality.

2.4 Usage Data

We collect anonymised usage metrics including page views, feature usage patterns, error rates, and performance data. This data does not identify individual users and is used solely to improve the Service.

2.5 Payment Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other financial instrument data on our servers. We receive and store only: your Stripe customer ID, subscription status, and billing history (invoice amounts and dates).

3. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To authenticate your identity and secure your account
  • To process payments and manage subscriptions
  • To send transactional communications (account verification, password resets, billing receipts)
  • To provide customer support
  • To detect and prevent fraud, abuse, or security incidents
  • To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising. We do not train AI models on your conversations or agent data.

4. API Key Security

Your API keys receive special handling:

  • Encrypted at rest with AES-256 in our database
  • Transmitted to AI providers over TLS 1.3 encrypted connections
  • Never logged in application logs, error reports, or monitoring systems
  • Never displayed in full in the user interface (only last 4 characters shown)
  • Automatically purged from memory after each API request completes
  • You may revoke or rotate keys at any time through your dashboard

5. Third-Party Services

We share data with the following categories of third-party service providers, only to the extent necessary:

5.1 AI Providers

When you send requests through the Service, your prompts and conversation content are transmitted to the AI provider you have configured (e.g. Anthropic, OpenAI, Google). Each provider has its own privacy policy and data retention practices. Your API keys are used for authentication with these providers.

5.2 Stripe (Payments)

Stripe processes all payments. Stripe's privacy policy governs how your payment data is handled. We receive only the data described in section 2.5.

5.3 AWS (Infrastructure)

Our Service runs on Amazon Web Services infrastructure. All data is stored in encrypted volumes. AWS processes data on our behalf in accordance with their Data Processing Addendum.

6. Cloud vs Self-Hosted

If you use the cloud-hosted Service, your data is stored on our infrastructure as described in this policy. If you use the self-hosted version, your data remains entirely on your own infrastructure. We have no access to data in self-hosted deployments. This Privacy Policy applies only to the cloud-hosted Service.

7. Cookies

We use only essential cookies necessary for the Service to function:

  • Session cookie: Maintains your authenticated session
  • Preference cookie: Stores your theme and UI preferences

We do not use analytics cookies, advertising cookies, or third-party tracking cookies. We do not participate in cross-site tracking.

8. Data Retention

  • Account data: Retained while your account is active, deleted 30 days after account deletion
  • Conversation and agent data: Retained while your account is active, deleted 30 days after account deletion
  • API keys: Deleted immediately upon removal by the user or upon account deletion
  • Usage analytics: Anonymised data retained for up to 24 months
  • Payment records: Retained for 7 years as required by tax and accounting regulations
  • Server logs: Automatically purged after 90 days

9. Your Rights

Under the UK GDPR, EU GDPR, and applicable data protection laws, you have the right to:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Request correction of inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request your data in a structured, machine-readable format (JSON export)
  • Restriction: Request that we limit processing of your personal data
  • Objection: Object to processing of your personal data for specific purposes
  • Withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at privacy@octti.ai. We will respond to requests within 30 days.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access controls for all internal systems
  • Regular security audits and vulnerability assessments
  • Automated intrusion detection and monitoring
  • Secure development practices and code review

No system is perfectly secure. In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

11. International Transfers

Our infrastructure is hosted in AWS regions. If your data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service. The "Last updated" date at the top indicates the most recent revision.

14. Contact Us

For privacy-related questions or to exercise your data rights, contact us at:

Curble Pty Ltd, operating as Octti AI
Email: privacy@octti.ai

You also have the right to lodge a complaint with your local data protection supervisory authority.