Privacy Policy

1. Introduction

This Privacy Policy explains how Octane Limited ("we," "our," or "us"), a company registered in Jersey (Channel Islands), collects, uses, discloses, and protects your personal data when you use our Meet In The Field service (the "Service").

We are committed to protecting your privacy and ensuring that your personal data is handled in accordance with the Data Protection (Jersey) Law 2018 and, where applicable, the General Data Protection Regulation (EU GDPR) and UK GDPR.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Information You Provide

• Account Information: Name, email address, and authentication credentials when you create an account
• Profile Information: Any additional information you choose to add to your profile
• Communication Content: Messages exchanged during sessions with your partner, encrypted and stored on our servers to enable conversation continuity across devices and sessions
• Payment Information: Billing details processed through our payment provider (Stripe)
• Support Communications: Information you provide when contacting our support team

3.2 Information Collected Automatically

• Usage Data: Information about how you use our Service, including session frequency and feature usage
• Device Information: Device type, operating system, browser type, and unique device identifiers
• Log Data: IP address, access times, pages viewed, and referring URLs
• Cookies and Similar Technologies: Information collected through cookies, pixels, and similar technologies

3.3 Special Category Data

The nature of our Service means that your communications may contain sensitive personal data relating to your relationships, emotions, or personal life. We treat all conversation content with the highest level of confidentiality and security.

4. Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract Performance: Processing necessary to provide you with our Service and fulfil our contractual obligations
• Legitimate Interests: Processing necessary for our legitimate interests, such as improving our Service, preventing fraud, and ensuring security
• Consent: Where you have given explicit consent for specific processing activities
• Legal Obligation: Processing necessary to comply with legal requirements

5. How We Use Your Personal Data

We use your personal data for the following purposes:

• To provide, maintain, and improve our Service
• To process your transactions and manage your subscription
• To communicate with you about your account, updates, and support requests
• To personalise your experience and provide relevant features
• To ensure the security and integrity of our Service
• To analyse usage patterns and improve our Service (using anonymised data)
• To comply with legal obligations

Important: We do NOT use your conversation content to train AI models or for any purpose other than providing you with the Service.

6. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

• Service Providers: Third-party companies that help us operate our Service, including:
  • Clerk (authentication services)
  • Stripe (payment processing)
  • Supabase (database hosting)
  • OpenAI (AI processing - conversation context only, not stored)
  • Pusher (real-time communication)
• Legal Requirements: When required by law, regulation, or legal process
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: When you have given us permission to share your data

We never sell your personal data to third parties.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside Jersey, the European Economic Area (EEA), and the United Kingdom. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Transfers to countries with adequacy decisions
• Other legally approved transfer mechanisms

8. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including:

• Account Data: Retained while your account is active and for a reasonable period thereafter
• Conversation Data: Encrypted and stored on our servers. You can delete conversation history at any time using the Clear History feature. Conversations for inactive fields are automatically deleted after 30 days of inactivity
• Payment Records: Retained as required by financial regulations (typically 7 years)
• Log Data: Typically retained for 90 days

When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.

8.1 Message Storage and Encryption

Your conversation messages are encrypted using AES-256-GCM encryption before being stored on our servers. Each conversation field uses a unique encryption key derived via HKDF (HMAC-based Key Derivation Function), ensuring cryptographic isolation between conversations.

What is encrypted: The content of your messages is encrypted at the application level before storage. Only you and your partner can access the decrypted content through our Service.

What is not encrypted: Message metadata such as sender name, sender role, and timestamps are stored in plaintext to enable message ordering and display functionality.

Your deletion rights: You can delete your conversation history at any time using the Clear History feature within a session. Deletion is permanent and cannot be reversed.

Automatic deletion: Encrypted message data for inactive conversation fields is automatically deleted after 30 days of inactivity. This deletion is irreversible.

9. Your Rights

Under applicable data protection laws, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: Lodge a complaint with the Jersey Office of the Information Commissioner or other relevant supervisory authority

To exercise any of these rights, please contact us at privacy@meetinthefield.app. We will respond to your request within one month.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS) and at rest (AES-256-GCM for message content, database-level encryption for metadata)
• Per-conversation encryption keys derived via HKDF
• Secure authentication mechanisms
• Regular security assessments and updates
• Access controls limiting who can access personal data
• Employee training on data protection

While we strive to protect your personal data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Required for the Service to function (e.g., authentication)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use our Service

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Service.

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will take steps to delete such information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact us: