octopora Privacy Policy

octopora is currently operated by Achref Gallaoui under the octopora brand. For this policy, "octopora", "we", "us", and "our" refer to octopora / Achref Gallaoui, Tunisia.

Privacy requests can be sent through the official octopora LinkedIn page until a dedicated privacy email address is published: octopora on LinkedIn.

• Account and profile data: name, email address, username, avatar, status, authentication metadata, and account verification state.
• Workspace data: projects, project members, roles, permissions, invitations, tickets, sprints, priorities, states, comments, mentions, markdown content, and activity history.
• Collaboration data: project channel messages, direct messages, replies, reactions, read receipts, desk requests, watchers, and desk comments.
• Calendar data: personal and project events, attendees, RSVP state, meeting links, reminders, event notes, linked resources, Google Calendar identifiers, Google Meet links, sync status, and sync errors.
• Repository and agent data: GitHub or GitLab repository metadata, branches, commits, issues, imported issue references, coding-agent configuration metadata, agent run prompts, logs, status, token usage, branch links, and change request links.
• Files and attachments: issue attachments, file names, file sizes, MIME types, storage paths, previews, and signed access links.
• AI and voice data: Helpi prompts, transcripts, uploaded context files, draft plans, AI-generated event, ticket, issue, and project drafts, usage estimates, and speech-to-text or text-to-speech requests.
• Time tracking data: timers, started and ended times, duration, heartbeat data, stop reasons, hourly rate snapshots, costs, and adjustment audit records.
• Technical data: IP address, device and browser information, cookies or local storage, language preference, session data, logs, analytics events, and security diagnostics.

• To create and secure accounts, verify users, authenticate sessions, and provide login through email or Google.
• To operate project management, boards, tickets, sprints, calendar, messaging, desk, repository, time tracking, notifications, and workspace views.
• To sync user-authorized Google Calendar events and create Google Meet links when a user asks octopora to do so.
• To provide Helpi AI assistance, speech-to-text, text-to-speech, draft planning, backlog refinement, event rewriting, and coding-agent workflows.
• To deliver emails, verification messages, system notifications, support responses, and service updates.
• To protect the service, enforce permissions, investigate abuse, debug errors, maintain availability, and comply with legal obligations.
• To understand product usage and improve the user-facing service using analytics and operational metrics.

When you connect Google, octopora requests only the Google data needed for user-facing features such as sign-in, Calendar sync, event creation, and Google Meet link creation.

octopora does not sell Google user data, does not use Google user data for advertising or retargeting, does not share Google user data with data brokers, and does not use Google user data to train generalized AI or machine learning models. Use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

octopora may use service providers and integrations only where needed to provide or secure the product:

• Supabase for authentication, database, storage, realtime, row-level security, and signed attachment access.
• Vercel for hosting, deployment, analytics, and operational infrastructure.
• Resend for transactional email delivery.
• Google for OAuth, Calendar, and Meet features when connected by the user.
• Deepgram for speech-to-text and text-to-speech voice features.
• NVIDIA NIM or another OpenAI-compatible AI provider configured by octopora for Helpi and drafting features.
• GitHub or GitLab for repository metadata, branches, commits, issue import, issue publishing, and related workflows when connected by a project admin.
• Agent runner infrastructure for coding-agent execution where enabled by a project admin.

We do not sell personal data.

octopora is operated from Tunisia, but some processors and integrations may process data outside Tunisia. Cross-border transfers will be handled with appropriate contractual, organizational, and technical safeguards and, where required under Tunisian Law No. 2004-63, with INPDP authorization or another permitted legal basis.

• HTTPS is used for service access in production.
• Supabase row-level security and permission checks restrict workspace data by project membership and role.
• Service-role-only tables isolate OAuth secrets, repository tokens, and coding-agent API tokens from browser access.
• Issue attachment buckets are private and served through signed URLs where possible.
• Access controls, least-privilege integrations, authentication, and audit-style records are used to protect workspace data.

• Account, profile, workspace, project, ticket, message, calendar, issue, desk, and time tracking data are generally kept while the account or relevant workspace is active.
• Project deletion, account deletion, attachment deletion, or integration disconnect flows may delete or make unavailable related records, subject to backups, audit needs, security logs, and legal obligations.
• Google OAuth tokens are stored separately from browser-readable data and should be deleted or invalidated when the Google connection is disconnected.
• Operational logs, analytics, and security records are retained only as long as reasonably needed for service operation, security, debugging, legal compliance, and product improvement.
• Users may request access, correction, objection, or deletion through the contact route above. Some deletion requests may be limited by workspace ownership, legal obligations, security needs, or another user's rights.

Tunisia recognizes protection of personal data under Organic Law No. 2004-63 of July 27, 2004. Depending on the processing activity, octopora may need to declare processing to the Instance Nationale de Protection des Donnees Personnelles (INPDP) or request authorization, including for certain international transfers or sensitive processing.

Users may contact octopora to request access, rectification, objection, or deletion where applicable. Users may also contact the INPDP: https://www.inpdp.tn/.

Resume en francais: octopora / Achref Gallaoui traite les donnees personnelles pour fournir un espace de travail SaaS de gestion de projets, collaboration, calendrier, temps, integrations et assistance IA. Les donnees ne sont pas vendues. Les droits d'acces, de rectification, d'opposition et de suppression peuvent etre exerces via le contact public indique ci-dessus, sous reserve des obligations legales et des droits des autres utilisateurs.