Privacy Policy

Version 1 — effective 2 May 2026

1. Controller

The controller responsible for data processing on this platform is:

None Records Design Multimedia Friedhofstr. 23, 63263 Neu-Isenburg, Germany Email: privacy@oqanda.com Phone: +49 6102 5746679

2. What Data We Collect

2.1 Account Data

When you register, we collect your name, email address, and a password (stored in hashed form). We also assign you a random display nickname to protect your identity during Events.

2.2 Event Participation Data

When you register for and participate in Events, we record your registrations, the questions you submit, and your interaction timestamps.

2.3 Purchase Data

When you make a purchase in the Store, we collect your name, email address, shipping address, and order details. Payment card data is processed directly by Stripe and is never stored on our servers.

2.4 Partner Data

If you apply to become a partner, we collect your company name, contact name, email address, and any information you provide in your application.

2.5 Technical Data

When you visit the Platform, we may collect your IP address, browser type, operating system, and referring URL. This data is used for security monitoring and service improvement.

2.6 Cookies

We use essential cookies for authentication and session management. Non-essential cookies (analytics, marketing) are only set with your explicit consent. See our Cookie Policy for details.

3. Why We Process Your Data

| Purpose | Legal Basis (GDPR) | |---|---| | Providing and maintaining your account | Contract performance (Art. 6(1)(b)) | | Processing your Event registrations | Contract performance (Art. 6(1)(b)) | | Processing your Store purchases | Contract performance (Art. 6(1)(b)) | | Sending transactional emails (order confirmations, password resets, invitations) | Contract performance (Art. 6(1)(b)) | | Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) | | Platform improvement and analytics | Legitimate interest (Art. 6(1)(f)) or consent (Art. 6(1)(a)) | | Sending marketing communications | Consent (Art. 6(1)(a)) — only with your explicit opt-in |

4. Who We Share Data With

We share personal data only with the following third-party processors, each of which processes data under a Data Processing Agreement (DPA):

| Processor | Purpose | Data Shared | Location | |---|---|---|---| | Google Cloud Platform | Hosting, database, file storage | All application data | EU (europe-west1) | | Stripe | Payment processing | Email, order details | EU/US (Stripe DPA) | | Brevo | Transactional email delivery | Email address, name | EU (Brevo DPA) | | Google Cloud Vertex AI | AI-assisted moderation (quality, deduplication, spam) — advisory only, human decides | User-submitted Event content (questions and answers) | EU (europe-west4) |

We do not sell your personal data to third parties.

5. AI-Assisted Moderation

OQANDA uses Google Cloud Vertex AI (Gemini models, hosted in europe-west4) to assist our human moderators. AI on OQANDA is an assistant. Every consequential decision about your content is made by a human.

5.1 What AI does

  • Rates the quality and relevance of submitted questions
  • Groups duplicate or near-duplicate questions so moderators don't read the same question many times
  • Flags likely spam for moderator review
  • During a live Event, may be activated by an Administrator in Emergency Moderation Mode to pre-sort questions when no human moderator is available — with the safeguards described below

5.2 What AI does not do

  • It does not delete, hide, or publish your content without a human decision.
  • Your data is not used to train Google's AI models. This is enforced by configuration, not just by policy.
  • Emergency Moderation Mode cannot activate by itself. It requires explicit Administrator authorization and is time-capped at 30 minutes per activation, with a hard maximum of 105 minutes.

5.3 Legal basis (GDPR)

Art. 6(1)(f) GDPR — legitimate interest in the quality and safety of the Platform.

5.4 Automated decision-making (Art. 22 GDPR)

AI outputs on OQANDA are advisory. Every consequential decision about your content is reviewed by a human moderator. Emergency Moderation Mode includes a "held-for-human" bucket that routes borderline cases to a human as soon as one returns. No decision with legal or similarly significant effect is made by solely automated processing.

5.5 Retention

AI-generated metadata (quality scores, category labels, duplicate-cluster identifiers) is retained for the same period as the content it describes and is deleted when you delete your account.

5.6 Learn more

A plain-language explanation of how we use AI is at oqanda.com/responsible-ai. An Administrator can disable AI at any time; when disabled, no data is sent to Google Cloud Vertex AI for AI purposes.

6. Data Retention

| Data Type | Retention Period | |---|---| | Account data | Until you delete your account | | Event participation data | Until you delete your account | | Purchase and order data | 10 years (required by German tax law, §147 AO) | | Audit logs (security) | 12 months | | Cookies | As specified in our Cookie Policy |

7. Your Rights

Under the GDPR, you have the following rights:

  • Access: You can request a copy of the personal data we hold about you.
  • Rectification: You can request correction of inaccurate data.
  • Erasure: You can request deletion of your account and associated data ("right to be forgotten").
  • Restriction: You can request that we limit how we process your data.
  • Data Portability: You can request your data in a machine-readable format.
  • Objection: You can object to processing based on legitimate interest.
  • Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at privacy@oqanda.com. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted database connections (SSL/TLS), hashed passwords, access controls, and regular security reviews. Our infrastructure is hosted on Google Cloud Platform in the EU (europe-west1 region).

9. International Transfers

Your data is primarily processed within the European Union. Where data is transferred outside the EU (e.g. through Stripe's US infrastructure), this is covered by appropriate safeguards such as Standard Contractual Clauses or an adequacy decision.

10. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our location is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit Postfach 3163, 65021 Wiesbaden datenschutz.hessen.de

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. The current version is always available at oqanda.com/legal/privacy.

12. Contact

For questions or data subject requests: privacy@oqanda.com