Privacy Policy

Last updated: 30 March 2026

This Privacy Policy explains how Ostly (“we”, “us”, “our”) collects, uses, stores, and protects your personal information when you use Ostly at ostly.co (“Service”). We are committed to handling your data responsibly and in compliance with applicable privacy laws, including the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR).

By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

1. Who We Are

The responsible party (under POPIA) and data controller (under GDPR) is Ostly, operated from South Africa. You can reach us at hello@ostly.io for any privacy-related matters.

2. What Information We Collect

Information you provide directly

  • Account information: Your name and email address when you register.
  • Content you create: The Opportunity Solution Trees, node titles, descriptions, and workspace names you create within the Service.
  • Communications: Any messages you send us via email or support channels.

Information collected automatically

  • Usage data: Pages visited, features used, and actions taken within the Service, collected to help us understand how the product is being used and to improve it.
  • Technical data: Your IP address, browser type, device type, and operating system, collected automatically when you access the Service.
  • Error data: Crash reports and error logs collected via Sentry to help us identify and fix bugs.

Information from third parties

  • Payment data: We do not store your full payment card details. Payments are handled by Paddle.com Market Limited (“Paddle”), who act as our merchant of record. Paddle provides us with a customer identifier and subscription status. Please review Paddle’s Privacy Policy for how they handle payment data.

3. How We Use Your Information

Purpose | Information used | Lawful basis
Provide and operate the Service | Account info, content you create | Contract performance
Process payments and manage subscriptions | Email, Paddle customer ID, subscription status | Contract performance
Send transactional emails (receipts, password resets, trial reminders) | Email address | Contract performance
Improve the Service | Usage data, error data | Legitimate interest
Detect and prevent abuse or fraud | Account info, technical data | Legitimate interest
Comply with legal obligations | As required by applicable law | Legal obligation

We do not sell your personal information. We do not use your content to train AI models. We do not send marketing emails unless you have explicitly opted in.

4. Who We Share Your Information With

We share data only with the third-party service providers necessary to operate the Service. These are:

Provider | Purpose | Location
Supabase | Database hosting and user authentication | United States (AWS)
Vercel | Application hosting and deployment | United States / global edge
Paddle | Payment processing and subscription management | United Kingdom / United States
Sentry | Error tracking and crash reporting | United States

We do not share your data with any other third parties except where required by law or to protect the rights and safety of users.

5. International Transfers

We are based in South Africa. Our service providers operate primarily in the United States and United Kingdom. By using the Service, you acknowledge that your information may be transferred to and processed in countries other than your own. Where required, we rely on appropriate safeguards (such as standard contractual clauses) to protect your data during these transfers.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you close your account:

  • Your content (OSTs, nodes, workspaces) is retained for 30 days to allow for export, then permanently deleted.
  • Your account information (name, email) is deleted within 30 days of account closure, unless we are required to retain it for longer by law.
  • Error logs and anonymised usage data may be retained in aggregated form for up to 12 months.

7. Your Rights

Depending on where you are located, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request that we delete your personal information, subject to legal retention obligations.
  • Portability: Request your data in a machine-readable format (where technically feasible).
  • Objection: Object to processing based on legitimate interest.
  • Restriction: Request that we restrict processing in certain circumstances.

To exercise any of these rights, email us at hello@ostly.io. We will respond within 30 days. We may ask you to verify your identity before processing your request.

If you are in South Africa, you have the right to lodge a complaint with the Information Regulator of South Africa. If you are in the EU or UK, you have the right to complain to your local supervisory authority.

8. Security

We use industry-standard security measures to protect your personal information, including encrypted connections (HTTPS/TLS), Row Level Security in our database so users can only access their own data, and access controls limiting who within our organisation can access user data. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

In the event of a personal data breach, we will notify affected users and the relevant supervisory authority as required by applicable law.

9. Cookies

The Service uses a small number of essential cookies required for authentication and session management. We do not use advertising or tracking cookies. We do not use third-party analytics cookies (such as Google Analytics).

You can disable cookies in your browser settings, but doing so may prevent the Service from functioning correctly.

10. Children

The Service is not directed at children under 18 and we do not knowingly collect personal information from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided us with their data, please contact us at hello@ostly.io.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the Service at least 14 days before the changes take effect. The “last updated” date at the top of this page reflects the most recent version.

12. Contact Us

For any questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact us: