EN DE FR ES RO
Legal & Compliance

Privacy Policy

How Oracron collects, uses, and protects your data — in plain language, with full GDPR and CCPA compliance detail.

Last updated: June 10, 2026 Effective: November 19, 2023

1. Introduction & Who We Are

This Privacy Policy describes how Global Link Ventures LLC ("we," "us," or "our"), a Wyoming limited liability company with its principal place of business in Sheridan, Wyoming, collects, uses, discloses, and safeguards personal data in connection with the Oracron platform and its Sentra invoice audit module (collectively, "the Service"). This Policy applies to all users of the Service, including administrators, logistics managers, finance team members, and freight procurement professionals who access the Service on behalf of their employer or client organisation ("Customer").

Global Link Ventures LLC acts as the Data Controller within the meaning of Article 4(7) of EU Regulation 2016/679 (the General Data Protection Regulation, "GDPR") with respect to account and usage data. Where Customers upload invoice documents for processing, Global Link Ventures LLC typically acts as a Data Processor on behalf of the Customer (the Data Controller for that content data), in accordance with the applicable Data Processing Agreement ("DPA").

Legal Entity Details

  • Company name: Global Link Ventures LLC
  • Jurisdiction: Wyoming, United States of America
  • Product name: Oracron / Sentra
  • Privacy contact: privacy@oracron.app

EU Representative (Article 27 GDPR)

Global Link Ventures LLC has appointed the following representative in the European Union pursuant to Article 27 GDPR. Data subjects in the EEA and EU supervisory authorities may address all issues related to the processing of personal data to the representative, in addition to or instead of contacting us directly:

  • EU Representative: Arrow Human Development S.R.L.
  • Registered office: Str. Calugarului 16, 077151 Balteni, jud. Ilfov, Romania
  • Trade register / fiscal code: Reg. no. J2016004961238 · CUI RO36019462
  • Contact: hello@arrow-training.com

You may also continue to direct privacy inquiries to privacy@oracron.app.

This Service is strictly business-to-business (B2B). It is not directed at consumers or natural persons acting in a purely private capacity. All users access the Service on behalf of a company or other legal entity.

2. What Data We Collect

2.1 Account Data

When a Customer registers for Oracron or an individual user is provisioned within a Customer account, we collect:

  • Full name and work email address
  • Company or organisation name
  • Job title or role (where provided during onboarding)
  • Account credentials (password stored as a salted hash; we never store plaintext passwords)
  • Billing contact name and email (for billing communications; we do not collect or store payment card data — subscription invoices are settled by bank transfer)

2.2 Invoice and Document Data

The core function of Oracron is to process freight invoices. When you upload documents to the Service, we process:

  • PDF and CSV invoice files, which may contain: carrier names, invoice numbers, invoice amounts and line items, shipment reference numbers, shipper and consignee names and addresses, service codes and fee descriptions, and contract rate identifiers
  • Extracted structured data derived from those documents by our AI extraction engine (Sentra)
  • Audit results, review queue annotations, and approvals or rejections applied by your team
  • Mapped fee code data and variance results generated during processing

Invoice documents may contain commercial personally identifiable information ("commercial PII") — for example, individual shipper or consignee contact names and addresses appearing on freight documents. We process this data solely to provide the audit functionality you have engaged us to perform; we do not use it for any other purpose.

2.3 Technical and Log Data

We automatically collect certain technical information when you use the Service:

  • IP address and approximate geographic location (country/region level)
  • Browser type, operating system, and device type
  • Pages and features accessed, timestamps of interactions
  • Error logs and crash reports
  • API request metadata (endpoint, response code, latency) where you use our API

This data is used solely for security monitoring, debugging, and service reliability. It is retained for 90 days and then permanently deleted (see Section 6).

2.4 Cookies and Session Data

See Section 10 for a full description of our cookie use. In summary: we use session-only authentication cookies necessary to keep you signed in. We do not use advertising, behavioural tracking, or persistent analytics cookies.

3. How We Use Your Data

We process personal data only where we have a valid lawful basis under GDPR Article 6. The table below sets out each processing purpose, the categories of data involved, and the applicable legal basis.

Purpose Data Categories GDPR Lawful Basis Notes
Account creation and authentication Account data (name, email, password hash) Art. 6(1)(b) — Performance of contract Necessary to provide access to the Service as agreed.
Invoice processing and audit Invoice/document data, extracted structured data Art. 6(1)(b) — Performance of contract Core functionality of the Service.
Billing and payments Billing contact name and email Art. 6(1)(b) — Performance of contract Subscription invoices are issued by us and delivered by email; payment is by bank transfer. We do not collect or store payment card data.
Service communications Account data (email) Art. 6(1)(b) — Performance of contract Transactional emails: onboarding, alerts, invoice processing results, security notifications.
Security monitoring and fraud prevention Technical/log data, account data Art. 6(1)(f) — Legitimate interests Our legitimate interest in protecting the integrity of the Service and our Customers' data.
Service improvement and debugging Technical/log data, anonymised usage patterns Art. 6(1)(f) — Legitimate interests Improving reliability, performance, and feature quality. We do not build individual user profiles.
Legal compliance and dispute resolution Account data, log data Art. 6(1)(c) — Legal obligation Complying with applicable law, responding to lawful government requests, enforcing our Terms of Service.
Customer support Account data, support correspondence Art. 6(1)(b) — Performance of contract Resolving technical issues and responding to your queries.
Social media content publishing LinkedIn OAuth credentials (access token, refresh token) stored exclusively as server-side secrets. No customer invoice data or end-user personal data is involved. Art. 6(1)(f) — Legitimate interests Publishing content to the Oracron LinkedIn company page via the LinkedIn API to promote the business. OAuth tokens are stored as Supabase server-side secrets and are never exposed to the browser or any front-end code.

We do not use your data for: advertising, marketing profiling, behavioural tracking, or the training of AI models. Invoice data is submitted to AI services solely for inference — completing the specific extraction or enrichment task requested. Two AI providers are used: Anthropic (Claude API — document extraction, enrichment, and dispute letter generation) and OpenAI (Embeddings API — semantic matching of charge descriptions and shipment references; no generative use involving customer data). Every Claude API call includes: (a) a versioned X-Oracron-Policy HTTP header (policy v1.0.0) identifying the processing purpose and retention expectation; (b) a mandatory system-level data-protection instruction asserting our processing purpose and prohibiting onward third-party disclosure; and (c) a record written to our internal AI audit log capturing function name, model, token volumes, latency, and purpose — supporting your GDPR Art. 30 records-of-processing obligations and accessible via the Settings > Privacy tab. We select AI providers whose API terms contractually prohibit training on inference data by default. Provider-side retention. Under Anthropic's standard API terms, inputs and outputs may be retained on Anthropic's systems for up to 30 days for abuse and trust-and-safety monitoring before deletion. Anthropic does not use this data to train models. We are evaluating a Zero Data Retention (ZDR) agreement with Anthropic that would remove this 30-day window; we will update this Policy and notify customers if and when ZDR is in effect. These protections are subject to, and depend on, the continued terms and compliance of our AI service providers; we will notify you of any material change, sale or rental to third parties, or any purpose incompatible with the purposes listed above.

4. Data Sharing and Sub-processors

We share personal data only with the sub-processors listed below, each of whom provides essential infrastructure to deliver the Service. We do not sell personal data. We do not share personal data with advertising networks, data brokers, or analytics platforms. Each sub-processor relationship is governed by a Data Processing Agreement ("DPA") consistent with GDPR Article 28 requirements.

Sub-processor Purpose Location DPA & Transfer Mechanism
Supabase, Inc.
supabase.com
Database hosting, file storage, and authentication services. Application data and invoice files are stored in the customer's selected region — Supabase EU Frankfurt (AWS eu-central-1) or US — chosen once at onboarding. EU (Frankfurt) or US — customer's selected region
US (Supabase Inc. legal entity)
DPA in place. Primary data storage is EU-resident. Legal entity transfer covered by Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c).
Anthropic PBC
anthropic.com
AI-powered invoice text extraction and field enrichment via the Claude API. Invoice documents are sent server-side for inference processing only. No browser-side exposure. United States DPA in place. Transfer covered by Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). See Section 5 for detail. Every API call embeds a versioned X-Oracron-Policy header and a mandatory data-protection system prompt (policy v1.0.0). Under Anthropic's standard API terms, training on customer data is contractually prohibited; inputs and outputs may be retained on Anthropic's systems for up to 30 days for abuse and trust-and-safety monitoring before deletion. We are evaluating a Zero Data Retention (ZDR) agreement to remove this 30-day window. All calls are recorded in our AI audit log (ai_audit_log) with function name, model, token counts, latency, and purpose — supporting GDPR Art. 30 records-of-processing. We will notify customers of any material change to AI provider data-handling terms.
OpenAI, L.L.C.
openai.com
Text-embedding generation (semantic matching of invoice charge descriptions and shipment references against our fee-code taxonomy). Short text fragments from invoice lines are sent server-side to the OpenAI Embeddings API. No browser-side exposure; no image, chat, or completion use involving customer data. United States DPA in place. Transfer covered by Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). Under OpenAI's API terms, customer content is not used to train models; inputs and outputs may be retained for up to 30 days for abuse monitoring before deletion.
Resend, Inc.
resend.com
Transactional email delivery: authentication emails, processing notifications, billing invoices, and dispute correspondence sent on your instruction. United States DPA in place. Transfer covered by SCCs per GDPR Art. 46(2)(c). Email delivery logs retained by Resend for up to 30 days.
Cloudflare, Inc.
cloudflare.com
CDN, DNS, DDoS protection, and bot-protection (Turnstile) for our public website and application delivery. Processes IP addresses transiently; no personal data stored at edge nodes. Global edge network DPA in place. Transfers covered by SCCs and Cloudflare's EU Data Privacy Framework certification.
Functional Software, Inc. (Sentry)
sentry.io
Frontend error monitoring inside the application. Captures JavaScript errors with technical session context (browser, OS, IP address) for approximately 10% of sessions. No invoice content is transmitted. United States DPA in place. Transfer covered by SCCs per GDPR Art. 46(2)(c).
Crisp IM SAS
crisp.chat
In-app live chat support, loaded only for authenticated users. Processes the signed-in user's name, email address, and chat transcript. EU (France) DPA in place. EU-based provider; no third-country transfer required.
Lovable Labs Incorporated
lovable.dev
Hosting and delivery of the application frontend (static assets). Web server access logs (IP address, requested URL, timestamp) are processed for delivery and security purposes. No application or invoice data is stored with this provider. United States / global CDN DPA in place. Transfer covered by SCCs per GDPR Art. 46(2)(c).
Google Ireland Ltd. (Google Analytics 4)
analytics.google.com
Aggregate usage statistics for our public marketing pages only — never inside the application. Loaded exclusively after you grant consent via the cookie banner; IP addresses are anonymised. See our Cookie Policy for details. EU / United States Consent-based (Art. 6(1)(a)). Google LLC participates in the EU–US Data Privacy Framework; SCCs apply to residual transfers.
LinkedIn Corporation
(a Microsoft company) linkedin.com
Social media API access for publishing posts to the Oracron company LinkedIn page. OAuth credentials (access token and refresh token) are stored exclusively as server-side secrets in Supabase. No customer invoice data and no personal data of Oracron's end users is transmitted to LinkedIn. United States Governed by LinkedIn's API Terms of Service and Developer Agreement. Standard Contractual Clauses applicable via Microsoft/LinkedIn's Data Processing Agreement (DPA). Transfer covered by SCCs per GDPR Art. 46(2)(c).

Disclosure to Authorities

We may disclose personal data to government authorities, law enforcement agencies, or courts where we are legally required to do so, or where necessary to establish, exercise, or defend legal claims. Where permitted by law, we will notify the affected Customer before complying with such a request.

Business Transfers

In the event of a merger, acquisition, asset sale, or reorganisation involving Global Link Ventures LLC, personal data held by us may be transferred to the successor entity. We will provide notice before personal data is transferred and becomes subject to a materially different privacy policy.

5. International Data Transfers

Global Link Ventures LLC is incorporated in the United States. When you access the Service from the EEA, the UK, or Switzerland, your personal data may be transferred to and processed in the United States. The EU has not adopted an adequacy decision for the United States applicable to our processing at this time.

We rely on the following transfer mechanisms to ensure that such transfers comply with Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs): For data transferred from EEA-based Customers to Global Link Ventures LLC (acting as their processor), we rely on the SCCs adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor), annexed to our Data Processing Agreement. For onward transfers from Global Link Ventures LLC to US-based sub-processors (Anthropic PBC, OpenAI L.L.C., Resend Inc.), we rely on Module 3 (Processor to Processor) SCCs and, where the sub-processor is certified, the EU–US Data Privacy Framework. Copies are available on request.
  • Supabase data region (EU or US): Application data and invoice files are stored in the region your organisation selects at onboarding. For EU-region organisations this is Supabase's EU Frankfurt region (AWS eu-central-1), and storage and retrieval of your data does not involve a transfer outside the EEA for the purposes of GDPR Chapter V. US-region organisations' data is stored in the United States, as selected.
  • Supplementary measures: In addition to contractual safeguards, we implement technical measures including end-to-end TLS 1.3 encryption in transit and AES-256 encryption at rest, access controls limiting sub-processor staff access to personal data, and pseudonymisation where feasible.

If you are an EEA-based Customer and wish to review the applicable SCCs or discuss our transfer impact assessments, please contact privacy@oracron.app.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, to comply with legal obligations, and to resolve any disputes. Specific retention periods are as follows:

Data Category Retention Period Basis
Account data (name, email, company) For the duration of the account, plus 3 years after the account is last active or terminated, whichever is later. Contractual necessity; legal obligation (tax and contractual records).
Invoice and document data (uploaded files, extracted data, audit results) For the duration of your active subscription. Following termination or expiry, data remains available for export for 90 days, after which it is permanently deleted. Backup copies are purged within a further 30 days. Customers may request earlier deletion at any time. Contractual necessity; Customer's audit and compliance requirements.
Technical and log data (access logs, error logs, API logs) 90 days, then permanently deleted. Legitimate interest in security monitoring; proportionality requires short retention.
Security event log (sign-ins and account security events — timestamp, event type, client IP address, browser user-agent) Retained for the duration of the user account and purged when the account is deleted. A portable copy is included in your Art.20 data export alongside every other collection. Legitimate interest in fraud and account-security monitoring (unusual-location detection, session-hijack alerts). No aggregation is performed against other users' logs.
Billing records 7 years from the date of the transaction. Legal obligation under US tax and accounting law.
Support correspondence 2 years from resolution of the support ticket. Legitimate interest in maintaining service quality records and resolving disputes.

At the end of the applicable retention period, data is securely deleted or anonymised so that it can no longer be attributed to an identifiable individual. Anonymised, aggregated data (e.g. aggregate platform usage statistics with no individual attributable data) may be retained indefinitely.

7. Security Measures

We implement technical and organisational measures appropriate to the risk of the processing, consistent with GDPR Article 32. Our current security programme includes:

  • Encryption in transit: All communications between your browser and our Service use TLS 1.3. Older protocol versions (TLS 1.0, TLS 1.1) are disabled.
  • Encryption at rest: All data stored in Supabase (application database, file storage) is encrypted at rest using AES-256.
  • Access controls: Access to production systems and customer data is restricted to authorised personnel on a need-to-know basis, enforced through role-based access control (RBAC) and multi-factor authentication (MFA) requirements.
  • Sub-processor security posture: Supabase, Anthropic, and OpenAI maintain SOC 2 Type II certifications. We review sub-processor security documentation as part of our vendor management process.
  • Authentication: User authentication is managed through Supabase Auth, including support for secure password hashing (bcrypt), email verification flows, and password reset via authenticated email links.
  • Incident response: We maintain an incident response procedure. In the event of a personal data breach, we will notify affected Customers and, where required by GDPR Article 33, the relevant supervisory authority, within 72 hours of becoming aware of the breach.
  • No persistent sensitive data in frontend: The Anthropic API key and Supabase service role key are stored exclusively as server-side secrets. They are never embedded in frontend code or exposed to the browser.

No method of transmission over the internet or method of electronic storage is 100% secure. While we take commercially reasonable steps to protect your data, we cannot guarantee absolute security.

8. Your Rights Under GDPR

If you are located in the EEA, the UK, or Switzerland, you have the following rights under the GDPR (Articles 15–22). We are committed to facilitating the exercise of these rights promptly and without undue burden. All rights can be exercised by contacting privacy@oracron.app. We will respond within 30 days of receipt, as required by GDPR Article 12(3), with the possibility of a single 2-month extension in cases of complexity or high volume (you will be informed of any extension).

There is no fee for exercising your rights unless requests are manifestly unfounded or excessive (e.g. repetitive), in which case we may charge a reasonable administrative fee or decline to act — we will explain our reasoning if so.

Art. 15

Right of Access

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about: the purposes of processing, the categories of data concerned, the recipients or categories of recipient, the envisaged retention period, and the existence of any automated decision-making. We will provide this information in a structured, commonly used format. The first copy is free.

Art. 16

Right to Rectification

You have the right to have inaccurate personal data corrected without undue delay. Where personal data is incomplete, you have the right to have it completed. You can correct most account data (name, email, company) directly in the Oracron platform settings. For other data, contact us at privacy@oracron.app.

Art. 17

Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent on which processing was based (where applicable); (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) deletion is required by EU or Member State law. This right is subject to exceptions — for example, we may be required to retain certain data to comply with a legal obligation or for the establishment or defence of legal claims. Where we cannot delete data in full, we will explain why and confirm what has been deleted.

Art. 18

Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data (i.e. store it but not actively use it) in the following circumstances: (a) you contest the accuracy of the data, for the period we need to verify it; (b) the processing is unlawful but you prefer restriction over erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing and we are assessing whether our legitimate grounds override yours. When processing is restricted, we will inform you before lifting the restriction.

Art. 20

Right to Data Portability

Where we process your personal data by automated means on the basis of contract performance or consent (Art. 6(1)(a) or (b)), you have the right to receive that data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) and to have it transmitted directly to another controller where technically feasible. This right covers account profile data and extracted invoice data associated with your account. It does not apply to data processed on the basis of legitimate interests.

Art. 21

Right to Object

You have the right to object at any time to processing of your personal data that is based on legitimate interests (Art. 6(1)(f)), including profiling based on those provisions. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You may also object at any time to processing for direct marketing purposes (we do not conduct direct marketing profiling, but this right remains available).

Art. 22

Rights Related to Automated Decision-Making and Profiling

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significant effects on you. Oracron does not make any fully automated decisions that produce legal effects concerning users. Our AI engine (Sentra) produces invoice audit flags and confidence scores, but all final decisions (approve, reject, escalate) are made by human reviewers within the Customer's organisation. This right is included for completeness; it is not engaged by our current processing.

How to Exercise Your Rights

Send your request to privacy@oracron.app with the subject line "GDPR Rights Request — [type of right]." Include sufficient information to identify your account (your name, work email address, and company). We may ask for additional verification to confirm your identity before processing the request; this is to protect you against unauthorised requests.

Right to Lodge a Complaint

If you believe we have processed your personal data in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority. You may file a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. A directory of EU supervisory authorities is available at edpb.europa.eu. We would encourage you to contact us first so we can address any concern directly.

9. Your Rights Under CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"). Because Oracron is a B2B service, most data we process relates to individuals acting in a business capacity; however, we recognise that California law may apply to employees of our Customer organisations and we honour these rights accordingly.

Right to Know

You have the right to request that we disclose to you: (a) the categories of personal information we have collected about you; (b) the categories of sources from which it was collected; (c) our business or commercial purpose for collecting, selling, or sharing it; (d) the categories of third parties to whom we disclose it; and (e) the specific pieces of personal information we have collected. See Sections 2, 3, and 4 of this Policy for this information. You may submit a verifiable consumer request at privacy@oracron.app.

Right to Delete

You have the right to request deletion of personal information we have collected about you, subject to certain exceptions (e.g. information necessary to complete a transaction, detect security incidents, comply with a legal obligation, or exercise free speech). We will respond to verified deletion requests within 45 days, with the possibility of a 45-day extension where reasonably necessary.

Right to Correct

Under CPRA, you have the right to request that we correct inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes of the processing. You can update most account information directly in the platform settings, or contact us at privacy@oracron.app.

Right to Opt Out of Sale or Sharing

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. Accordingly, the right to opt out of sale/sharing is not engaged. We will update this Policy if our practices change.

Right to Limit Use of Sensitive Personal Information

We do not use sensitive personal information (as defined under CPRA) for purposes other than those permitted by CPRA Section 1798.121. We do not use sensitive personal information to infer characteristics about individuals.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive a different price, level of service, or quality of service as a result of exercising these rights.

How to Submit a California Rights Request

Email privacy@oracron.app with subject line "CCPA Rights Request." We will verify your identity before processing the request. You may also designate an authorised agent; the agent must provide written authorisation signed by you, or a power of attorney.

10. Cookies and Tracking

Full details of every cookie and local-storage item we use are maintained in our Cookie Policy, which is the authoritative document for this topic. In summary:

Cookie Name / Type Purpose Duration First or Third Party
Supabase Auth Session
sb-[project]-auth-token
Your authentication session (access and refresh token), stored in browser local storage (not a cookie). Keeps you signed in; cleared on sign-out. Rolling — refreshed automatically; cleared on sign-out First party (oracron.app)
Cloudflare security cookies
__cf_bm, cf_clearance
Bot detection and DDoS protection. Strictly necessary; no consent required. 30 minutes Third party (Cloudflare)
Google Analytics 4
_ga, _ga_*, _gid
Aggregate statistics for our public marketing pages only — never inside the application. Loaded exclusively after you click "Accept analytics" in the cookie banner; IP addresses anonymised. Up to 2 years (consent-based) Third party (Google)
Crisp chat session
crisp-client/session/*
Preserves your support chat history. Loaded only for authenticated users inside the application. 6 months Third party (Crisp)

We do not use advertising cookies, cross-site tracking, Facebook Pixel, Mixpanel, Amplitude, or any data-broker integrations. The only analytics tool is Google Analytics 4 on the marketing site, gated behind explicit opt-in consent. The application itself (the logged-in platform) loads no analytics or advertising scripts of any kind.

Server-side access logs (IP address, page URL, timestamp) are generated automatically by our infrastructure provider and retained for 90 days. These are used only for security monitoring and are not used for behavioural profiling.

On your first visit to the marketing site, a consent banner offers "Accept analytics" or "Essential only". No analytics cookies are set unless you accept, and you can withdraw consent at any time via the "Reset preferences" control in the Cookie Policy.

11. Children's Privacy

The Oracron Service is a professional B2B software platform designed for use by logistics professionals, finance teams, and freight procurement personnel acting on behalf of corporate entities. It is not directed at individuals under the age of 18 and is not designed for or marketed to minors.

We do not knowingly collect personal information from anyone under 18 years of age. If we become aware that we have inadvertently received personal information from a user under 18, we will take steps to delete that information from our records as soon as possible. If you believe we may have collected information from or about a minor, please contact us at privacy@oracron.app.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the introduction of new features, updates to applicable law, or feedback from regulatory authorities. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Policy
  • Notify active Customers by email to the billing or account contact address on file, at least 14 days before material changes take effect
  • Post a prominent notice in the platform dashboard for active users

Non-material changes (e.g. clarifications of existing language, correction of typographical errors, updates to contact details) may be made without specific notice beyond updating the "Last Updated" date. We encourage you to review this Policy periodically.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you should discontinue use of the Service and contact us to arrange data deletion.

The current version of this Policy is always available at oracron.app/privacy-policy.html.

13. How to Contact Us / Exercise Rights

For any questions about this Privacy Policy, to exercise your data subject rights under GDPR or CCPA/CPRA, or to report a suspected data protection concern, please contact our privacy team:

Privacy Contact

Global Link Ventures LLC

Oracron Data Protection Team

privacy@oracron.app

Response Times

General inquiries: within 5 business days
GDPR rights requests: within 30 days (Art. 12 GDPR)
CCPA requests: within 45 days
Data breach notifications: within 72 hours (Art. 33 GDPR)

When submitting a rights request, please include your full name, work email address, company name, and a clear description of the right you wish to exercise. We may request additional information to verify your identity and protect against unauthorised requests.

This Privacy Policy was last updated on June 10, 2026 and was first effective as of November 19, 2023. It supersedes all prior versions. © 2025 Global Link Ventures LLC. All rights reserved.