GDPR

GDPR compliance at OKRs Tool.

How we protect personal data, honor user rights, and stay accountable under the EU General Data Protection Regulation — by design, not by checkbox.

Last updated: 15 May 2026

Section 1
Our approach

In short: GDPR is the floor, not the ceiling. We treat every customer's data the same way — whether they're in the EU, the UK, the US, or anywhere else.

OKRs Tool is built for teams that take the handling of their data seriously. That means privacy by design, data minimization, and clear user rights — all in our default behavior, not buried in an upgrade tier.

This page documents how we comply with the General Data Protection Regulation (GDPR) and what you can expect from us as a data controller or data subject.

Privacy by design

The default settings are the private settings. Not a feature you have to find.

Minimum data, max care

We collect only what we need to run the service — and we never sell it.

Full user rights

Access, correction, deletion, portability — all available on request, free of charge.

72-hour breach notice

Where a personal data breach is reportable, we notify within the GDPR window.

Section 2
Who this covers

GDPR applies to any organization that processes personal data of EU or UK residents, regardless of where the organization is based. That includes OKRs Tool.

For the purposes of GDPR:

  • Our customer (your company) is the data controller — you decide what personal data to put into OKRs Tool and how it's used.
  • OKRs Tool is the data processor — we process that data on your behalf, only for the purposes you've instructed us to.
  • Your team members (and our own visitors) are the data subjects whose rights GDPR protects.

This page covers our role as data processor. For data we collect about you directly — like your account email or billing details — we act as data controller, governed by our Privacy Policy.

Section 3
Lawful basis for processing

GDPR requires every processing activity to have a lawful basis. Ours fall into three categories:

  • Contract performance. Processing necessary to deliver the OKRs Tool service you've signed up for — account data, OKR content, login activity, billing.
  • Legitimate interests. Limited processing for product improvement, fraud prevention, and security monitoring, balanced against your reasonable expectations.
  • Consent. For optional marketing emails and non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of prior processing.

Section 4
Data minimization

We collect the minimum personal data needed to run the service, and nothing more.

Typical personal data we process:

  • Account data — name, work email, company name, role.
  • Authentication data — hashed password or SSO identity.
  • Usage data — when you log in, what features you use, how long you stay (aggregated).
  • OKR content — whatever your team enters: objectives, key results, check-ins, comments. This is your data; we process it strictly to deliver the service.
  • Billing data — handled by our payment processor (Stripe). We don't store full card numbers.

We do not collect special categories of personal data (health, biometrics, political views, etc.). If your team voluntarily puts such data in OKR content, it's processed under the same strict controls — but we'd recommend you don't.

Section 5
Hosting & sub-processors

We carefully vet every third party that touches your data and only work with sub-processors who meet GDPR's security and confidentiality standards.

The current list of sub-processors — including what each one does and where they're hosted — is maintained at okrstool.com/sub-processors. We notify customers via email when the list changes.

Categories of sub-processors

  • Infrastructure & hosting — production servers, databases, backups, CDN.
  • Operational tools — transactional email, analytics, error monitoring, payment processing.
  • Support tools — customer messaging and ticketing, where applicable.

We maintain signed Data Processing Agreements (DPAs) with each sub-processor and, where applicable, Standard Contractual Clauses for international transfers.

Section 6
International data transfers

Some of our sub-processors are based in the United States or other jurisdictions outside the European Economic Area. When personal data is transferred to those jurisdictions, we rely on the following legal mechanisms:

  • Standard Contractual Clauses (SCCs) — the European Commission's approved templates for international data transfers, signed with each non-EU sub-processor.
  • Adequacy decisions — where the recipient country has been recognized by the European Commission as providing an adequate level of protection (e.g., the UK).
  • Supplementary measures — encryption in transit and at rest, access controls, and audit logging that protect data regardless of jurisdiction.

If you have specific data residency requirements, contact us at info@okrstool.com.

Section 7
Your rights as a data subject

Under GDPR (and equivalent laws in other jurisdictions), you have the following rights regarding your personal data:

  • Right to access. Get a copy of what we hold about you.
  • Right to rectification. Correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"). Have your personal data deleted, subject to legal retention requirements.
  • Right to data portability. Receive your data in a machine-readable format and transfer it to another service.
  • Right to restrict processing. Pause certain processing while a request is being reviewed.
  • Right to object. Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent. Where consent is the lawful basis, you can withdraw it at any time.
  • Right to lodge a complaint. With your local supervisory authority if you believe we've handled your data unlawfully.

Most rights can be exercised directly inside your OKRs Tool account (Settings → Account). For formal requests — particularly erasure, portability, or access requests — email info@okrstool.com. We respond within 30 days as required by GDPR.

Section 8
Data Processing Agreement

We offer a GDPR-compliant Data Processing Agreement (DPA) to all paid customers free of charge.

Our standard DPA covers:

  • The subject matter, duration, nature, and purpose of processing
  • The types of personal data and categories of data subjects involved
  • Sub-processor terms and notification of changes
  • Technical and organizational security measures
  • Standard Contractual Clauses for international transfers
  • Breach notification procedures
  • Audit rights

To request our standard DPA — or to negotiate a custom version — email info@okrstool.com with your company name and signing authority. We typically return a signed DPA within 2 business days.

Section 9
Security measures

GDPR requires "appropriate technical and organizational measures" to protect personal data. Ours include:

  • Encryption in transit — TLS 1.2+ on all connections.
  • Encryption at rest — AES-256 for databases and backups.
  • Role-based access controls — workspace-level permissions with audit logging on sensitive actions.
  • Secure development practices — code review, dependency scanning, security training for engineers.
  • Annual penetration testing on our infrastructure.
  • Continuous monitoring — 24/7 infrastructure alerting and anomaly detection.
  • SSO, SCIM, and RBAC — available to Expand-plan customers needing centralized identity and access management.

Full details are on the Security page.

Section 10
Breach notification

If a personal data breach occurs that is likely to result in a risk to the rights and freedoms of data subjects, we will:

  • Notify affected customers within 72 hours of becoming aware of the breach, where the breach is reportable under GDPR.
  • Provide details of what happened, what data was affected, the likely consequences, and what we're doing about it.
  • Notify relevant supervisory authorities where required.
  • Maintain an internal log of all breaches, reportable or not, for our own audit purposes.

We have not had a reportable data breach to date.

Section 11
Contact & questions

For all GDPR-related matters — data subject requests, DPA signing, sub-processor questions, breach inquiries — please use the addresses below.

Data protection & formal requests: info@okrstool.com
For DSR, DPA, sub-processor, and breach inquiries.

General questions: steven@okrstool.com
Direct to Steven, founder. Typical response: 2–4 hours during business hours.

If you're not satisfied with how we've handled a request, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU authorities is available on the EDPB website.