Privacy Policy

1. Who we are

Oleno is a product of:

SalesMVP Lab Inc.
346 Town Rd
Falmouth, Nova Scotia, Canada
B0P 1P0

We act as the "controller" of your personal data when you use Oleno directly. If you use Oleno through an employer or agency, they are also a controller.

2. What we collect

We collect different types of data depending on how you interact with us.

2.1 Account and organization data

When you sign up or are added to an organization, we collect:

• Name (if provided).
• Email address.
• Password (hashed by Supabase Auth; we never see it in plain text).
• Organization name and domain.
• Roles and permissions (admin, editor, viewer).

2.2 Website and configuration data

When you set up a site in Oleno, we collect:

• Website name and domain.
• Timezone and publishing settings.
• CMS connector type and configuration (for example, Webflow, WordPress, Framer, Storyblok, HubSpot, Wix, Tina, Google Sheets, custom webhook, Zapier).

Connector secrets (API keys, tokens) are encrypted and stored in Supabase Vault. They are not shown in plain text after saving.

2.3 Governance and content data

To generate content, we process:

• Files you upload (PDF, DOCX, markdown, text, etc.).
• Content we scrape from your website, if you enable it.
• The embeddings (vector representations) used for semantic search.
• Governance Studio data you configure (brand voice, marketing positioning, product features and boundaries, design guidelines, audience/persona/use case definitions).

We also store:

• Article briefs, drafts, and final versions.
• Social content generated from articles.
• SEO metadata and FAQs.
• Quality scores and QA logs.

2.4 Usage and operational data

We log how the system runs so we can debug and improve reliability:

• Job status (queued, running, completed, failed).
• Step timings and error messages.
• Connector calls and responses (status codes, not full payloads where possible).
• Token usage and internal cost estimates (for our own transparency, not billing you).
• Audit logs for sensitive actions (login, connector changes, plan changes, admin actions).

We do not use this data to profile individual users for marketing.

2.5 Marketing website data

On the public marketing site (for example, oleno.ai), we use:

• Google Analytics to understand page views and traffic patterns.
• Standard web server logs (IP address, user-agent, referrer, basic request data).

We do not run Google Analytics inside the authenticated Oleno app. Inside the app, we only track operational telemetry and audit logs, as described above.

3. How we use your data

We use your data to:

Provide the service

• Authenticate you and keep your session active.
• Generate, QA, and publish content for your sites.
• Store and apply your brand and KB settings.

Keep the service secure and reliable

• Enforce row-level security and access controls.
• Prevent unauthorized access and abuse.
• Monitor system health and fix errors.

Bill you and manage subscriptions

• Process payments through Stripe.
• Track plan tiers and renewal dates.

Support you

• Respond to support requests.
• Communicate about outages, changes, or important updates.

Improve Oleno

• Analyze anonymized or aggregated usage patterns.
• Improve reliability, UX, and quality of generated content.

We do not use your content or personal data to build public datasets or train models that are unrelated to providing Oleno.

4. How we use AI and research providers

4.1 OpenAI

Oleno uses OpenAI's API to:

• Generate topics, briefs, and drafts.
• Analyze knowledge base excerpts.
• Evaluate and score content quality.

We send OpenAI:

• Topics and keywords.
• Brand voice descriptions.
• Selected knowledge base chunks (only what's needed for each call).
• Drafts for QA, evaluation, and enhancement.

We do not send your full KB or full database in one shot.

According to OpenAI's enterprise terms, data sent via the API is not used to train or improve OpenAI's models for other customers. We rely on those terms and our own controls to protect your data.

4.2 Perplexity

Oleno uses the Perplexity API for competitive research:

• Researching competitor products, pricing, and positioning.
• Gathering publicly available market information.

We send Perplexity search queries related to your competitors and market. No customer personal data is sent to Perplexity.

4.3 Ayrshare

Oleno uses Ayrshare for social media distribution:

• Publishing approved social content to connected social media accounts.
• Managing social posting schedules.

We send Ayrshare the social content you approve for distribution and your connected social account credentials (managed via encrypted API keys).

5. Legal bases (for GDPR/EEA/UK users)

If you are in the EEA, UK, or a similar region, we process your data on these legal bases:

• Contract – to provide Oleno under our Terms (account, content generation, connectors).
• Legitimate interests – to secure and improve Oleno, prevent abuse, and understand high-level usage.
• Consent – where required, for optional marketing or analytics (for example, cookie consent on the marketing site).
• Legal obligation – to comply with law, tax, or regulatory requests where applicable.

You can object to some processing based on legitimate interests, as described in the "Your rights" section.

6. Where data is stored and processed

We use Supabase (PostgreSQL + edge functions) as our main backend. Data is stored in data centers located in the United States (US East) region.

We may process data in other locations indirectly through our sub-processors (for example, OpenAI, Stripe, Google Analytics), depending on their infrastructure.

When data is transferred across borders, we rely on appropriate safeguards (for example, standard contractual clauses) where required.

7. How long we keep data

We keep data for as long as needed to provide Oleno, or as long as required by law. In general:

• User account data: kept while your account is active.
• Articles, KB, brand settings: kept while your account and sites are active, unless you delete them.
• Keyword research reports: auto-deleted after 30 days, while resulting topics stay.
• Article images (temporary cache): up to 90 days if not pushed to your CMS.
• Audit logs: kept for at least 90 days after account deletion for security and compliance.

When you request account deletion:

• We delete your websites, articles, KB docs, brand settings, and connector credentials within about 30 days.
• We keep audit logs and some minimal billing records for a limited time where law or fraud-prevention requires it.

8. Cookies and tracking

We use cookies and similar technologies in two places:

Marketing site

• Cookies for Google Analytics (unless you block them).
• Basic cookies to remember preferences (for example, cookie banner choices).

Oleno app

• Essential cookies or storage to keep you logged in and secure sessions.
• No third-party analytics, ads, or tracking pixels inside the app.

You can control cookies in your browser settings. Blocking essential cookies may break your ability to log in or use Oleno.

9. How we share data

We share data with third parties only when needed to run Oleno or when required by law. Typical recipients:

• Supabase – hosting, database, authentication, vault.
• OpenAI – AI processing for generation and QA.
• Perplexity – competitive and market research queries.
• Ayrshare – social media content distribution.
• Stripe – payments and billing.
• Google Analytics – analytics on the public marketing site only.
• Your CMS – content, metadata, and optional images are pushed to your CMS as configured.

We do not:

• Sell your personal data.
• Share your data with data brokers.
• Use third-party advertising networks in the app.

We may disclose data if required by law, subpoena, or valid legal process, or to protect our rights, safety, or property.

10. Security

We take security seriously and use several layers of protection:

• Encryption at rest (database) and in transit (HTTPS/TLS).
• Row-Level Security (RLS) so each organization can only see its own data.
• Supabase Vault for connector secrets, encrypted and not shown in plain text.
• Role-based access control (admin, editor, viewer).
• Audit logs for important actions and service-role operations.

No system is perfectly secure. We cannot guarantee absolute security, but we act quickly on vulnerabilities and incidents.

If we learn of a data breach that affects you, we will notify you as required by law.

11. Your rights

Depending on where you live, you may have rights over your personal data, such as:

• Access – ask what data we hold about you.
• Correction – ask us to fix inaccurate data.
• Deletion – ask us to delete your data, where allowed.
• Portability – ask for a copy of your data in a common format.
• Restriction or objection – ask us to limit some processing or object to it.

You can exercise many of these rights directly:

• Update your profile in the app.
• Delete sites, KB docs, and articles.
• Ask your org admin to remove you.

For anything else, contact us using the details at the end of this policy. We may need to verify your identity before acting.

If you are in the EEA or UK and are unhappy with our response, you can complain to your local data protection authority.

12. Children's privacy

Oleno is not for children.

We do not knowingly collect personal data from anyone under 18. If we learn that we have such data, we will delete it.

If you believe a minor has used Oleno, please contact us.

13. Third-party sites

Our site or documentation may link to other websites or services.

We are not responsible for those sites or their privacy practices. You should review their policies separately.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make important changes, we will:

• Post the new version on our website, and/or
• Show a notice in the app, and/or
• Contact you by email.

If you keep using Oleno after changes take effect, you agree to the updated policy.