Privacy Policy

Last updated: May 7, 2026

1. Who we are

OG Traffic ("we," "us," "our") is an AI content engine operated from Lithuania, European Union. Our website is ogtraffic.com. We are the data controller for personal data you provide via the service. For privacy questions, contact privacy@ogtraffic.com.

2. What data we collect

• Account data: email address, name (optional), profile image (via Google OAuth if you choose that sign-in method).
• Waitlist data: email, name, company, intended use case.
• Service data: website URL(s) you connect, topics you describe, brand configuration, chat conversations with the assistant, AI-generated drafts and research notes, OAuth tokens for connected services (Google Search Console, Google Analytics) stored encrypted at rest.
• Technical data: IP address, browser type, device information, request timestamps. Collected automatically for security, abuse prevention, and aggregate analytics.

3. How we use your data

• To provide the service — generating content, syncing analytics, publishing to your destinations (lawful basis: performance of contract, GDPR Art. 6(1)(b)).
• To send transactional emails — sign-in links, deletion confirmations, billing receipts (Art. 6(1)(b)).
• To prevent abuse — rate-limiting, anomaly detection, security event logging (Art. 6(1)(f) legitimate interest in protecting the service).
• To comply with law — tax records, regulatory requests (Art. 6(1)(c)).
• To send product updates — only if you opt in. You can unsubscribe at any time via the link in any such email (Art. 6(1)(a) consent).

We do not sell or rent your personal data to third parties. We do not use your content to train foundation models.

4. Third-party sub-processors

We rely on a small set of vendors to operate OG Traffic. The complete list, with each vendor's purpose, location, and DPA status, is published at /legal/sub-processors. We update that page whenever we add, remove, or change a sub-processor.

5. Data retention

• Account profile — kept until you delete your account.
• Chat threads & messages — auto-deleted 90 days after the last message.
• Blog runs, drafts, research artifacts — kept until you delete the organization.
• OAuth tokens (Google) — revoked + deleted on disconnect.
• Usage events / billing logs — 13 months for billing reconciliation; PII-stripped after 6 months. Retained 6 years total per Lithuanian tax law.
• Pipeline checkpoints — purged 30 days after run completion.
• Waitlist data — kept until we process your application or you request deletion.

6. Your rights (GDPR)

As an EU resident, you have the right to:

• Access your personal data — request a JSON export via your settings page or by email.
• Rectify inaccurate data — edit your profile, or email us.
• Eraseyour data — "right to be forgotten." Initiate via your settings page; we will send an email confirmation link, and on confirmation we cascade-delete your account and any organization where you are the sole owner.
• Portyour data — the JSON export under "Access" is structured for portability.
• Object to / restrict processing — email us.
• Withdraw consent for marketing emails — link in every email.
• Lodge a complaint with your data protection authority. The Lithuanian DPA is vdai.lrv.lt.

We respond to verified rights requests within 30 days (Art. 12(3)).

7. International transfers

Some of our sub-processors operate from outside the EEA. Where that is the case, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. See /legal/sub-processors for the per-vendor location and transfer mechanism.

8. Cookies

We use essential cookies (authentication session tokens). For analytics we use Plausible Analytics, which is cookie-less and privacy-respecting. We do not use advertising cookies or cross-site tracking.

9. Security

We use industry-standard measures: TLS 1.2+ in transit, AES-256-GCM encryption for OAuth tokens at rest, role-segregated database access, audit logging on administrative actions, and routine dependency scanning. We disclose security incidents to affected users within 72 hours of confirmation, in line with GDPR Art. 33 and 34 — see docs/incident-response.md in our public repository for our procedure.

10. Children

OG Traffic is intended for users 18 years or older. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact privacy@ogtraffic.com and we will delete it.

11. Changes to this policy

We will post material changes to this page and update the "Last updated" date. For material changes affecting existing users we will also send an email notification at least 30 days before the change takes effect.

12. Contact

For privacy-related inquiries, contact us at privacy@ogtraffic.com.

Jurisdiction: Republic of Lithuania, European Union.