1. Introduction

Oathe ("we", "us", or "our") operates the oathe.ai website and the Oathe behavioral security platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

If you have questions about this policy, contact us at [email protected].

2. Information We Collect

Account Information via Google OAuth

When you sign in with Google, we receive your:

  • Name — used to personalize your dashboard
  • Email address — used as your account identifier and for service communications

We do not request access to your Google Drive, Gmail, contacts, or any other Google services beyond basic profile information.

Usage Data

We collect information about how you interact with the service, including pages visited, features used, and timestamps of actions.

Audit Data

When you submit an AI agent for security scanning, we process the agent's behavioral data (e.g., filesystem events, network activity, tool calls) to generate audit results. This data is associated with your account.

3. How We Use Your Information

  • Authentication — to verify your identity and maintain your session
  • Service delivery — to run security audits, display results, and manage your account
  • Communication — to send service-related notices (e.g., scan completions, policy updates)
  • Improvement — to analyze aggregate usage patterns and improve the platform

4. Google User Data

Oathe accesses the following Google user data through the Google OAuth 2.0 API:

  • Name — displayed on your dashboard and used for personalization
  • Email address — used as your unique account identifier, for authentication, and for service communications

This data is stored in our database alongside your account record. We do not sell, share, or use your Google user data for advertising purposes. Access to this data within our systems is restricted to authentication and account management functions.

Oathe's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Google OAuth — authentication provider
  • Anthropic / OpenRouter — AI model providers for behavioral analysis during audits
  • Hetzner — server hosting and data storage
  • Cloudflare — CDN, DNS, and DDoS protection

These services process data only as necessary to provide their respective functions. We do not sell your personal data to any third party.

6. Data Storage and Security

Your data is stored in a SQLite database on our Hetzner-hosted server in Germany. Backups are continuously replicated using Litestream to Hetzner Object Storage. All data in transit is encrypted via HTTPS/TLS.

We implement reasonable technical and organizational measures to protect your data, including encrypted connections, access controls, and regular backups. However, no method of electronic storage is 100% secure.

7. Data Retention and Deletion

We retain your account data and audit results for as long as your account is active. You may request deletion of your account and all associated data by emailing [email protected]. We will process deletion requests within 30 days.

Audit result data that has been anonymized and aggregated for research purposes may be retained after account deletion.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your data
  • Portability — request your data in a portable format

For EU/EEA Users (GDPR)

You have additional rights under the General Data Protection Regulation, including the right to restrict processing, object to processing, and lodge a complaint with a supervisory authority. Our legal basis for processing is legitimate interest (providing the service you signed up for) and consent (Google OAuth sign-in).

For California Users (CCPA)

You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, contact us at [email protected].

9. Cookies

We use session cookies to maintain your authentication state after signing in with Google. These cookies are essential for the service to function and are not used for tracking or advertising.

10. Children's Privacy

Oathe is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us at [email protected] and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the revised policy.

12. Contact

If you have questions or concerns about this Privacy Policy, contact us at:

[email protected]