OXYGENOXYGEN

Privacy Policy

Last Updated: June 1, 2026

1. About OXYGEN

OXYGEN is operated by OXYGEN GTM Inc., a Delaware corporation.Legal notice and business correspondence address: 2810 N Church St STE 88810, Wilmington, DE 19802, United States. Contact: philipp@oxygen-agent.com.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you visit our website, create an account, use the OXYGEN platform, connect integrations, run workflows, use the OXYGEN CLI/MCP/API, or purchase done-for-you services.

2. Data Roles

For website, account, billing, security, support, product-administration, and marketing data, OXYGEN is an independent controller.

For customer-submitted workspace data, lead/contact data, campaign data, messages, table rows, workflow inputs, integration payloads, and provider outputs processed to provide the Service, Customer is the controller and OXYGEN acts as processor or service provider under the Data Processing Agreement.

Customer determines the purposes and means of outbound campaigns, including recipient selection, legal basis, consent evidence, suppression handling, and message content. OXYGEN processes that data to provide customer-directed software and operational assistance.

3. Information We Collect

  • Account data: name, business email, organization, role, authentication identifiers.
  • Billing data: plan, invoices, payment status, billing identifiers handled with Stripe.
  • Usage and log data: product interactions, IP address, device/browser data, timestamps, diagnostics.
  • Support and communication data: emails, messages, tickets, call notes, and related metadata.
  • Customer content: tables, rows, columns, prompts, workflows, files, contacts, leads, messages, approvals, and run logs.
  • Integration data: CRM, email, LinkedIn, enrichment, calendar, provider, and AI-model inputs and outputs you authorize.
  • Outbound compliance data: legal-basis fields, consent/source evidence, unsubscribe and suppression data, campaign approvals, spend caps, and provenance.
  • Cookie and analytics preferences for the public website.

4. Sources

We collect data from you and your organization, from your authorized users and agents, automatically through the Service, from connected integrations you authorize, from service providers and subprocessors, from public business sources where lawful, and from providers you or OXYGEN use under your instructions.

5. How We Use Information

  • Provide, operate, secure, maintain, and support the Service.
  • Authenticate users, manage organizations, issue API tokens, and enforce permissions.
  • Run customer-directed tables, workflows, enrichments, AI columns, provider calls, and done-for-you operations.
  • Record approvals, provenance, logs, errors, cost, credits, suppression state, and run history.
  • Process payments, invoices, taxes, subscriptions, and credits.
  • Detect abuse, prevent fraud, enforce policies, and protect users and recipients.
  • Improve the Service using sanitized product telemetry and aggregate analytics.
  • Send service notices, security notices, support replies, and marketing where permitted.
  • Comply with law, preserve rights, and respond to valid legal process.

6. Legal Bases

Where GDPR or similar law applies to OXYGEN as controller, we rely on:

  • contract necessity for account, billing, support, and Service delivery;
  • legitimate interests for security, abuse prevention, service improvement, diagnostics, and legal defense;
  • consent for optional analytics cookies and marketing where required;
  • legal obligation for tax, accounting, compliance, and valid legal process.

Where OXYGEN acts as processor, Customer is responsible for selecting and documenting the lawful basis for customer data and outbound processing.

7. Sharing & Subprocessors

We share information with:

  • service providers and subprocessors for hosting, databases, identity, billing, analytics, logging, AI, enrichment, communication, and integrations;
  • third-party platforms and providers you connect or instruct us to use;
  • payment processors acting as independent controllers for payment processing;
  • legal authorities or third parties where required by law or necessary to protect rights;
  • successors in a merger, acquisition, financing, reorganization, or asset sale.

See the Subprocessor page for the current public list.

8. International Transfers

OXYGEN is a Delaware corporation and uses global service providers. Data may be transferred to the United States and other countries. Where required, we use appropriate safeguards such as EU Standard Contractual Clauses, the UK Addendum or IDTA, transfer assessments, encryption, access controls, and contractual subprocessor obligations.

9. Retention

  • Account and billing data: contract term plus applicable tax/accounting retention periods.
  • Security, diagnostic, and operation logs: typically 90 to 180 days unless needed longer for security, billing, legal, or abuse review.
  • Customer content and contact data: contract term plus deletion/export windows under the DPA or workspace controls.
  • Provider events, run provenance, approvals, and credit records: retained as needed for observability, billing reconciliation, compliance evidence, and dispute handling.
  • Support records: typically up to 24 months unless needed longer for legal or business reasons.

10. Security

We use technical and organizational measures designed to protect data, including TLS, encryption at rest where supported, role-based access, audit logging, least-privilege controls, credential encryption, vendor review, backups, and incident-response processes. No system is completely secure.

11. Your Rights

Depending on your location and role, you may have rights to access, correct, delete, export, restrict, or object to processing of personal data, and to withdraw consent where processing relies on consent. To exercise rights, contact philipp@oxygen-agent.com.

For customer workspace data, we may direct you to the Customer organization that controls the data or assist the Customer under the DPA.

Where GDPR or UK GDPR applies, you also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state or UK jurisdiction of your habitual residence, place of work, or the place of an alleged infringement.

12. Automated Decision-Making

OXYGEN provides AI and workflow tools for customers to evaluate leads, write copy, enrich data, and run GTM operations. OXYGEN does not make solely automated decisions about individuals that produce legal or similarly significant effects as an independent controller.

13. Cookies

We use necessary cookies for core functionality. Optional analytics and marketing cookies on the public website are used only where configured and where you have granted consent through the cookie banner or preferences control.

Where configured, optional analytics is provided by Vercel Web Analytics and Google Analytics 4, and optional marketing measurement by the LinkedIn Insight Tag. These load only after you grant the corresponding consent category, and you can change or withdraw your choice at any time via the Cookie Preferences control in the footer.

14. Changes

We may update this Privacy Policy. Material changes will be announced by email, in-product notice, changelog, or updated effective date. Continued use after the effective date means the updated policy applies.