Privacy Policy
Last updated: 2026-05-21
OIKON (“we”, “our”) operates Cosmo, a personal AI operator for Saudi business workflows. This policy explains what personal data we collect, why, where it goes, and your rights under the Saudi Personal Data Protection Law (PDPL).
1. Who we are
- Controller: OIKON
- Contact: privacy@oikon.io
- Data Protection Officer: Pending appointment. Until a DPO is named, the founder is the responsible point of contact.
- Competent Authority: Saudi Data & AI Authority (SDAIA) / National Data Management Office. You may contact us or contact the Authority directly under PDPL Article 34.
2. What personal data we collect
2.1 Account data — name, email, phone, password (salted bcrypt hash, never the original), preferred language, organization name. OAuth tokens for connected services are AES-encrypted at rest.
2.2 Conversation data — messages, files you upload, drafts and documents Cosmo creates, calendar / contacts / sheets / inbox metadata pulled at your direction via OAuth, and long-term memories Cosmo builds about you. Stored under your user_id and your organization_id.
2.3 Processing telemetry — per-tool execution records (which skill ran, status, duration, no content) and per-LLM-call usage records (model, tokens, latency, cost). Used for billing, reliability, and Article 31 records-of-processing.
3. Why we process it (legal basis)
- Run the service you signed up for — consent + performance of contract (Article 6.2)
- Bill you and provide receipts — legal obligation (Saudi accounting law, 10y retention)
- Detect security incidents (cross-tenant access, exfiltration patterns, brute force) — legitimate interest (Article 6.4)
- Send transactional emails (receipts, security alerts, important notices) — performance of contract (Article 6.2)
- Send marketing or awareness emails — explicit prior consent (Article 25), opt-in only, opt-out always available
We do not sell your personal data. We do not use it to train shared models — see § 7.
4. How we collect it
Directly from you — in chat or in the portal UI. Or, with your explicit permission, via OAuth (Google, Microsoft). The scope of access is listed on the consent screen at the moment of connection. We do not scrape public sources for personal data about you.
5. Who else sees it (processors)
We share personal data only with Processors acting on our behalf under contractual safeguards (Article 8):
- AWS Bedrock — LLM inference (Cosmo’s brain). eu-central-1 (Frankfurt, EU) default; me-south-1 for Dedicated Instance customers. AWS DPA + SCCs + region pinning.
- Anthropic — LLM inference fallback (US). Anthropic DPA; Anthropic does not use API data to train its models.
- Cohere (via AWS Bedrock) — embeddings used to pick which tools to expose to the LLM per turn. Same region as Bedrock.
- Google — Gmail / Calendar / Sheets / Drive operations that you initiate via OAuth.
- Microsoft — Outlook / Teams / OneDrive operations that you initiate via OAuth.
- HyperPay (KSA) — payment processing. PCI DSS, processor’s DPA.
- Sentry — error monitoring. PII redacted at the SDK layer. EU.
- Resend — transactional email delivery. EU + US, Resend DPA.
The current matrix with DPAs and review dates is maintained at docs/PROCESSORS.md in our repository. We do not transfer your data to anyone else without your specific consent or a clear legal basis.
6. International transfers (Article 29)
Your data may leave the Kingdom for the limited purpose of LLM inference (when not on a Dedicated Instance pinned to me-south-1), email/calendar syncing through Google or Microsoft, payment processing, and error monitoring. Each transfer has a contractual safeguard (DPA + Standard Contractual Clauses where applicable) and the minimum data needed for the purpose (Article 29.2.c).
Customers who require KSA-only data residency can use the Dedicated Instance add-on, which routes inference exclusively through AWS Bedrock me-south-1 with a zero-retention header on every request.
6.5 Google API Services — Limited Use
When you connect a Google account to Cosmo, OIKON’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes we request and why
- openid + userinfo.email — identify the connected account so we route Cosmo’s actions to the right Google identity.
- gmail.send — send emails composed by you in chat (“email Sarah and tell her the contract is signed”). No inbox read, no search, no draft listing.
- calendar — schedule, check, and reschedule meetings you ask Cosmo to manage.
- contacts — look up recipient email addresses when you reference contacts by name (“email Ahmed”).
- drive.file — create files Cosmo generates for you. This scope only sees files Cosmo itself created — never your existing Drive contents.
- documents / spreadsheets / presentations — format and edit the Docs / Sheets / Slides Cosmo creates at your instruction.
- tasks — manage Google Tasks you add via Cosmo so reminders flow back to Gmail / Calendar / Assistant.
Limited Use commitments
- Use: data received from Google APIs is used only to provide and improve the user-facing features you explicitly invoked in chat.
- No transfer: we do not transfer Google user data except as necessary to provide or improve those features, comply with applicable law, or as part of a merger / acquisition / sale where users receive prior notice.
- No advertising: Google user data is never used for advertising, retargeting, or profiling.
- No model training: Google user data is never used to train, fine-tune, or develop generalized AI / ML models. See § 5 (neither AWS Bedrock nor Anthropic uses OIKON inference data to train models; the Dedicated Instance add-on adds a zero-retention header).
- No human reading: no employee or contractor reads Google user data except (i) with your explicit permission, (ii) for security investigation, or (iii) to comply with applicable law.
Storage of Google credentials
- OAuth refresh and access tokens are encrypted at rest with AES-256-GCM. The key is derived per-purpose from a master key held outside the database.
- Every decrypt is logged to credential_access_log. Reviewable on request.
- Tokens are never transmitted in plaintext. All API calls use HTTPS / TLS 1.2+.
- When you disconnect Google (in Settings → Connections or POST /auth/google/disconnect) we (1) call Google’s token-revocation endpoint, (2) NULL out the token columns in our database, and (3) write the deletion to the audit log.
Cross-Account Protection
OIKON participates in Google’s Cross-Account Protection (RISC) program. If Google notifies us that your Google account has been compromised, hijacked, disabled, or that its tokens have been revoked, we automatically destroy the corresponding tokens on our side and revoke the Google connection. You will need to reconnect Google before Cosmo can resume Google-side actions.
Revoking access
You can revoke OIKON’s access to your Google account at any time:
- Inside Cosmo: Settings → Connections → Disconnect Google.
- From Google directly: myaccount.google.com/permissions → OIKON / Cosmo → Remove access.
Either path triggers token deletion on our side within seconds (RISC handles the Google-initiated case; our disconnect endpoint handles the in-app case).
7. Retention (Article 18)
- Account data — while your account is active
- Chat (private mode) — 24 hours hard TTL, then erased
- Chat (regular) — until you delete or close the account
- Long-term memories — until you delete via memory_forget or close the account
- Records of processing — 90 days, then anonymized
- Payment records — 10 years (Saudi accounting law)
- Security incident records — 1 year
Crypto-shred erasure. Your long-term memories are encrypted with a Data Encryption Key unique to you. When you delete your account we destroy your wrapped key first — every encrypted memory becomes mathematically unrecoverable, even from backups, even if our master key later leaks. Right-to-destroy under Article 18 is provable destruction, not best-effort row delete.
8. Your rights (Article 4)
You can exercise every PDPL Article 4 right from inside the app:
- Access — GET /me/data-rights/export returns every table holding your data, downloadable JSON
- Portability — same endpoint, readable JSON, no proprietary lock-in
- Correct — PATCH /me + in-app settings
- Destroy — POST /me/data-rights/delete, full erasure (except payment records, retained under accounting law)
- Records of processing — GET /me/data-rights/processing-records
- Withdraw consent — POST /me/consent with { scope, consent: false }
- Complain to the Authority — SDAIA / NDMO (see § 1)
9. Security (Article 19)
- TLS 1.2+ everywhere external-facing
- JWT HS256 with JTI revocation, 24h sessions, password-confirmation on destructive operations
- AES-256-GCM encryption at rest for OAuth tokens, chat messages, and your long-term memories
- Per-user Data Encryption Keys with crypto-shred (see § 7)
- Row-level access controls — every query scoped by user_id and organization_id; cross-tenant access blocked at the trust boundary, regression-tested
- Surface-aware circuit breaker so a flaky background pipeline cannot degrade your interactive chat
- Continuous quality gate: tools below a 90% pass rate auto-drop from the public catalog
- Single audit chokepoint: every tool execution writes to skill_executions with input + output excerpts (truncated; no PII content)
- PDPL incident detection with a documented decision runbook
10. Breach notification (Article 20)
If we become aware of a breach, damage, or illegal access affecting your data, we will notify the Competent Authority upon becoming aware of it, and we will notify you if the incident would prejudice your rights or interests — using the email on your account, in plain language, with what happened, what data was involved, what we did, and what you can do.
11. Children
Cosmo is built for adults running businesses. We do not knowingly process the personal data of minors. If you believe a minor has signed up, contact us and we will erase the account.
12. Health / Credit / Sensitive Data
We do not currently process Health Data (Article 23), Credit Data (Article 24), or other Sensitive Data (Article 1.11) as a primary purpose. If a future feature does, we will publish updated controls before turning it on, including the additional safeguards Articles 23 and 24 require.
13. Changes to this policy
We will notify you of material changes via the email on your account at least 30 days before they take effect. Editorial changes (typo fixes, clarifications) ship without notice but appear in this document’s git history.
14. Contact
Email: privacy@oikon.io
Authority: SDAIA / NDMO — https://sdaia.gov.sa/