Privacy by design.

Your community's data belongs to your community.

Last updated May 29, 2026

Introduction

OEASE Solutions Inc. ("we," "us," or "our") operates the OEASE Organization Management System (OMS) and OCMTY community platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you access or use our services. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Information We Collect

Information You Provide

  • Account and Profile Data: Name, email address, organization name, role titles, profile pictures, and other information you submit when creating or managing your account.
  • Membership & Finance Data: Member details (e.g., names, contact information), transaction metadata (amounts, dates, status, fee breakdown), and uploaded receipts or invoices. We do not collect, see, or store full payment card numbers, CVCs, or bank account credentials — those are captured directly by Stripe in your browser and never touch OEASE servers.
  • Event Details: Event names, descriptions, dates, attendee lists, and related marketing content when you use our Event Management module.

Information Collected Automatically

  • Usage Data: Pageviews, anonymized click events, feature usage metrics, and crash reports — collected via PostHog under data-minimization rules described in Analytics & Telemetry. We do not capture form input values or message bodies.
  • Device & Connection Data: Approximate location (country and region) derived from IP address, browser type, operating system, and coarse device identifiers. Full IP addresses are not retained beyond Stripe / PostHog / Cloudflare operational use under their respective policies.
  • Cookies & Tracking Technologies: We employ cookies and similar technologies to remember your preferences, authenticate sessions (Auth0), and analyze site usage (PostHog, first-party via k.oease.net and k.oease.app). See Analytics & Telemetry for opt-out.

How We Use Your Information

  • Service Delivery: To provide, maintain, and improve our platforms.
  • Personalization: To tailor content and notifications based on your organization's usage patterns.
  • Communication: To send transactional emails and, where permitted, marketing communications.
  • Analytics & Product Development: To analyze trends and develop new features.
  • Legal Compliance: To comply with applicable laws and protect our users.

Information Sharing & Disclosure

  • Sub-Processors: We share information with a small, named set of third-party service providers (payment processing, authentication, analytics, email delivery, hosting). The authoritative list is published in the Sub-Processors section below.
  • Business Transfers: In the event of a merger or acquisition, user information may be transferred as part of the transaction.
  • Legal Requirements: We may disclose information to comply with legal obligations or protect our rights.

Payments & Money Custody

All payments made through OEASE (membership dues, event tickets, donations) are processed by Stripe, Inc., our integrated payment processor. OEASE never holds, custodies, or takes possession of any funds. Money flows directly from the buyer's payment method into your organization's Stripe Connected Account and is paid out to your organization's bank account by Stripe on Stripe's schedule.

What this means for your privacy and financial data:

  • Card details stay with Stripe: Full card numbers, CVCs, and bank credentials are captured directly by Stripe Elements in your browser. Those values never reach OEASE servers, and we have no way to read them.
  • We store only transaction metadata: Order IDs, amounts, fee breakdowns, statuses, timestamps, last-4 digits where Stripe returns them, and the buyer's name and email — used to produce receipts, financial reports, and refund flows.
  • Stripe is the data controller for payment instrument data: Stripe's handling of your payment information is governed by Stripe's Privacy Policy.
  • OEASE fees are non-refundable: The 1.3% OEASE platform fee (and the additional 3% OEASE event service fee on event ticketing) are retained by OEASE even when a transaction is refunded. See the Terms of Service, Section 9 for the full fee policy.

Analytics & Telemetry

We use PostHog (operated by PostHog Inc., US) as our sole product analytics and telemetry platform across the OEASE marketing website (oease.net), the OEASE application (oease.app), and public surfaces such as Bio Pages and Events. PostHog acts as a data processor on our behalf under a Data Processing Addendum and is hosted on PostHog's US Cloud region.

What PostHog Captures (and What It Does Not)

  • Pageviews and navigation events — which URL paths were visited, referrer, and basic device/browser metadata derived from the User-Agent header.
  • Anonymous interaction events — element selectors and labels for buttons and links that were clicked. We capture the shape of interaction, never the values typed into form fields.
  • Product events we explicitly name — e.g., a member was created, an announcement was published, a finance pocket was added. These events carry only IDs and high-level outcome flags, not personal content.
  • Approximate location — country and region derived from the IP address by PostHog for traffic analysis. Full IP addresses are not retained beyond what PostHog uses for fraud and abuse prevention per its own policy.
  • Uncaught application errors — Vue component exceptions are forwarded to PostHog so we can diagnose crashes. Stack traces and error messages may incidentally include variable names; we do not intentionally include personal data.
  • We do not capture: input field values, passwords, two-factor codes, payment card data, message bodies, file contents, member rosters, financial figures, or chat messages.

First-Party Reverse Proxy

PostHog ingestion is routed through our own reverse-proxy hosts (k.oease.net for the marketing site, k.oease.app for the application) so analytics requests are first-party to our domains. This protects the integrity of our metrics against blocker breakage but does not change the underlying data minimization commitments described above.

Analytics Notice & Opt-Out (Marketing Website)

On your first visit to oease.net we show a brief analytics notice. Analytics are on by default: PostHog begins collecting the anonymized usage data described above, and you can turn it off at any time. Opting out — through the notice or the footer "Manage cookies" link — takes effect immediately without a page reload and persists across visits.

  • Opting out is always one click away. The notice offers a clearly labeled "Opt out", and a "Manage cookies" link sits in the site footer on every page — opting out is never hidden behind extra steps.
  • Withdraw at any time. Clicking "Manage cookies" re-opens the notice so you can change your mind. Your opt-out is recorded immediately and persists across visits.
  • No dark patterns. We do not gate site content behind the notice, repeatedly re-prompt visitors who opted out, or use scroll/timeout as implicit acceptance.
  • Strictly necessary cookies excepted. A small number of cookies (theme preference, authentication session on oease.app, CSRF tokens) are loaded regardless because the Service cannot function without them. These do not require consent under the GDPR and ePrivacy rules.

Lawful Basis (GDPR Art. 6) & Opt-Out Summary

For the marketing website, our lawful basis for analytics is our legitimate interest (GDPR Art. 6(1)(f)) in measuring and improving the website, balanced against your privacy through anonymization, the data-minimization commitments above, and an always-available opt-out. For the OEASE application, we rely on contract performance (Art. 6(1)(b)) for the strictly necessary telemetry that keeps the Service running, and legitimate interest (Art. 6(1)(f)) for product quality, fraud prevention, and error diagnostics — all subject to the data-minimization commitments above.

You can opt out of analytics at any time through any of these channels:

  • Marketing website: Click "Opt out" in the notice, or "Manage cookies" in the footer. PostHog stops immediately.
  • Tracker blockers: We will not attempt to evade or override your blocker, even though our telemetry is first-party.
  • Email [email protected] to request an opt-out flag tied to your account, deletion of historical analytics data linked to your identifiers, or a copy of our PostHog DPA.

PII Reduction & Data Minimization

We treat data minimization as a design constraint, not a checkbox. The goal is to collect, transmit, and retain the smallest amount of personal information that still lets the Service work. The following commitments apply across all OEASE surfaces and inform how we configure third-party tools, including PostHog, Auth0, Stripe, and Resend.

  • Pseudonymous identifiers by default: Where a unique identifier is needed for analytics or product telemetry, we use an opaque internal user ID (e.g., the Auth0 sub) rather than email, name, or any other directly identifying attribute. Email and name are never sent as analytics properties.
  • No input value capture: Form fields, text areas, contenteditable elements, and rich-text editors are excluded from autocapture. We never see the contents you type unless you explicitly submit them to the Service as part of normal product use.
  • Payment data never touches our servers: Card numbers, CVCs, and bank credentials are captured by Stripe Elements directly in your browser and tokenized before they reach us. See the Terms of Service, Section 9 for the full custody story.
  • Sensitive content masking: Member rosters, financial figures, messages, and uploaded files are not relayed to analytics or error-tracking systems. Stack traces include only error metadata, not application state.
  • Encryption in transit: All client-server traffic is served over TLS 1.2+. Connections to sub-processors (Stripe, PostHog, Auth0, Resend) use HTTPS exclusively. We do not accept plaintext HTTP for any data-bearing endpoint.
  • Encryption at rest: Primary databases, object storage, and backups are encrypted at rest using the encryption capabilities of our hosting provider.
  • Least-privilege access: Production data access is restricted to the small set of engineers operationally required, behind unique accounts and 2FA. Access is logged.
  • Retention limits: Analytics events default to a rolling 12-month retention. Application logs are retained for 30 days for operational debugging. Financial transaction records may be retained up to 7 years where required by tax and audit law. See "Data Retention" below.
  • Multi-tenant isolation: Every organization's records are scoped by org_id at the application layer, and cross-organization reads are categorically rejected by middleware. No organization can see another organization's data.

Compliance Posture

We engineer toward the GDPR (EU/UK), CCPA/CPRA (California), and SOC 2 Type II Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Our internal controls — change management, access reviews, vendor due diligence, incident response, and the data minimization practices above — are modeled on these frameworks.

We are not currently SOC 2 Type II audited or certified. Stating otherwise would be inaccurate; what we can honestly commit to is the control posture, the sub-processor transparency in this document, and that we engineer with these frameworks as the target. If you require a DPA, sub-processor list export, security questionnaire response, or evidence of specific controls for your own compliance program, contact [email protected].

Sub-Processors

We use a small, carefully selected set of third-party services ("sub-processors") to deliver the Service. Each one has its own data protection terms; we contractually require equivalent protections to those in this policy. The table below is the authoritative list for OEASE. We will update it at least 30 days before adding a new sub-processor that processes personal data on a meaningful scale.

Provider, purpose, hosting region, and data categories:

  • PostHog Inc.: Product analytics, error tracking. Region: US. Data categories: Pseudonymous user ID, URL paths, click metadata, error stack traces.
  • Stripe, Inc.: Payment processing & custody of funds. Region: US (global PSP). Data categories: Payment card data, billing details, transaction records.
  • Okta / Auth0: Authentication & identity management. Region: US. Data categories: Email, name, IP at login, MFA factors, session tokens.
  • Resend: Transactional & broadcast email delivery. Region: US/EU. Data categories: Recipient email, message subject and body, delivery events.
  • Cloudflare, Inc.: CDN, DDoS protection, bot mitigation, Turnstile CAPTCHA. Region: Global edge. Data categories: IP address, request headers, basic device fingerprint.
  • Hosting & Infrastructure: Compute, primary database, object storage, backups. Region: US. Data categories: All Service data at rest, encrypted.

Need our full sub-processor disclosure (including supporting infrastructure providers not enumerated above) or a signed DPA? Email [email protected].

Data Security

We implement administrative, technical, and physical safeguards to protect your data against unauthorized access, disclosure, alteration, and destruction. Our multi-tenant architecture ensures each organization's data is isolated, enhancing data security and ownership.

Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Afterward, data is securely deleted or anonymized.

Your Rights & Choices

Depending on your jurisdiction, you may have the right to:

  • Access or Portability: Request a copy of your personal data in a structured, machine-readable format.
  • Correction: Update or rectify inaccurate or incomplete data.
  • Deletion: Request erasure of your personal data, subject to certain exceptions.
  • Restriction or Objection: Limit or object to processing under certain circumstances.
  • Cookie Preferences: Manage or withdraw consent for cookies through your browser settings.

To exercise these rights, please reach out to us through our Discord community or contact channels.

International Data Transfers

Your information may be processed or stored outside your country of residence. Where required by law, we ensure appropriate safeguards (e.g., standard contractual clauses) are in place to protect your data.

Children's Privacy

Our services are not directed to children under 16, and we do not knowingly collect personal information from minors. If you believe we have collected such information, please contact us to request deletion.

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will post the revised version with a new "Last Updated" date and, where appropriate, notify you via in-product notification.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please reach out through our Discord community or by mail:

OEASE Solutions Inc.
800 N King Street, Suite 304
Wilmington, DE 19801