Privacy Policy

What this Privacy Policy Covers

This Privacy Policy covers how we treat Personal Data that we collect when you access or use our Services. “Personal Data” means information that identifies or relates to an identifiable individual (and includes “personal information” or “personally identifiable information” as those terms are used in applicable laws). This Policy does not cover the practices of companies we don’t own or control or of people we don’t manage.

Personal Data

Categories of Personal Data We Collect

We have collected the following categories of Personal Data in the last 12 months:

Profile or Contact Data

• Examples: first and last name, email, physical address (if provided), account password (hashed/salted), role.
• Shared with: Service Providers; Parties You Authorize, Access or Authenticate.

Payment Data

• Examples: payment card type, last four digits, billing address, phone, email. We do not store full payment card numbers; our payment processor (e.g., Stripe) processes them on our behalf.
• Shared with: Payment Processor (as a Service Provider).

Device/IP Data

• Examples: IP address, device ID, domain server, device/OS/browser type.
• Shared with: Service Providers; Parties You Authorize, Access or Authenticate.

Web Analytics

• Examples: page views and interactions, referring URLs, non-identifiable request IDs, telemetry about site/app performance.
• Shared with: Service Providers (analytics).

Social/Single Sign-On Data (if used)

• Examples: email, name, user handle/ID, avatar, and tokens provided by the identity provider.
• Shared with: Service Providers; Parties You Authorize, Access or Authenticate.

Other Identifying Information You Provide

• Examples: information in emails/support tickets, attachments you upload to the Services.
• Shared with: Service Providers; Business Partners (if you opt into joint offers); Parties You Authorize, Access or Authenticate.

Sensitive Data: We do not intentionally collect or process sensitive personal data (such as race, religion, health information, biometric data, or precise geolocation) unless explicitly required for a Service feature and with your consent.

Categories of Sources of Personal Data

• You — directly (account creation, forms, support tickets, surveys) and automatically (cookies, device telemetry, optional location signals).
• Third Parties — vendors such as analytics, authentication, and payment processors; integrations you authorize (e.g., GitHub, GitLab, Linear, Slack).

Our Commercial or Business Purposes for Collecting Personal Data

• Providing, customizing, and improving the Services (account management, transactions, support, R&D, personalization, security).
• Marketing the Services (product updates, subject to preferences).
• Corresponding with you (updates, security notices, onboarding).
• Meeting legal requirements and enforcing terms.

We will not use Personal Data for materially different purposes without notice (and additional consent where required).

How We Share Your Personal Data

We disclose Personal Data to the categories of recipients below. Depending on your jurisdiction, certain disclosures may be considered a “sale” or “sharing” (for cross-context behavioral advertising). Onset does not sell Personal Data for money and does not share Personal Data for cross-context behavioral advertising, profiling, or targeted advertising.

• Service Providers (hosting, email delivery, support, analytics, security, payment processing).
• Business Partners (only if you opt into joint promotions or integrations).
• Parties You Authorize, Access or Authenticate (integrations, social SSO, or other users per your settings).
• Legal/Compliance (to comply with law, protect rights, or in connection with corporate transactions).

We may use aggregated/de-identified data for lawful business purposes and will not attempt to re-identify it.

Tracking Tools and Opt-Out

We and our Service Providers use cookies, SDKs, and similar technologies (“Cookies”) to operate, secure, and improve the Services, and to understand usage. Most browsers let you control Cookies via settings; disabling Cookies may limit features. To learn more, visit allaboutcookies.org.

Do Not Track / Global Privacy Control: Our Services currently do not respond to browser “Do Not Track” signals. Where legally required, we honor valid Global Privacy Control (GPC) signals for opt-outs that apply to our practices.

Data Security and Retention

We employ administrative, technical, and physical safeguards appropriate to the nature of the Personal Data we process. No method of transmission or storage is 100% secure. If we become aware of a breach of security that affects your Personal Data, we will notify you without undue delay as required by law.

We retain Personal Data for as long as your account is active or as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements, after which we delete or de-identify it consistent with our retention policies.

Personal Data of Children

As stated in our Terms of Service, we do not knowingly collect Personal Data from children under 13. If you believe a child has provided Personal Data to us, contact hello@onset.io and we will delete it.

U.S. State Privacy Rights

You may have rights under state privacy laws (e.g., California CPRA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Virginia VCDPA). These include the right to request access, correction, deletion, portability, and to opt out of certain processing. Onset does not sell or share Personal Data as defined by the CPRA.

Appeals: If we deny your request, you may appeal by replying to our response with “Privacy Appeal.” We will respond within 45 days, or longer if permitted by law, with an explanation. You may use an authorized agent where permitted.

California “Shine the Light”: California residents may ask for a list of third parties to whom we disclosed Personal Data for their direct marketing purposes in the prior calendar year. Submit requests to hello@onset.io.

EU/UK Data Subject Rights

If you are in the EU/UK/EEA, the GDPR/UK GDPR provides rights over your Personal Data, including access, rectification, erasure, restriction, objection, portability, and the right to lodge a complaint with your supervisory authority. When Onset is the controller, contact hello@onset.io to exercise your rights. Where we process Personal Data as a processor for a customer, we will direct you to that controller.

Lawful Bases

• Contractual necessity (to provide the Services you request).
• Legitimate interests (e.g., securing and improving the Services), balanced against your rights.
• Consent (e.g., certain marketing or optional features), which you can withdraw at any time.
• Legal obligation (e.g., recordkeeping, compliance).

International Transfers

Your Personal Data may be transferred to and processed in the United States and other countries that may not offer the same level of data protection. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) to protect such transfers.

EU/UK Representatives: If legally required, Onset will appoint representatives in the EU and UK for data protection matters, whose contact details will be made available upon request.

Changes to this Privacy Policy

We may update this Policy from time to time. We will notify you by posting the updated Policy and, where required, by additional notice (e.g., email or in-product notice). Your continued use of the Services after the effective date signifies acceptance of the updated Policy.

Contact Information

If you have questions about this Privacy Policy or our practices, contact us:

Email: hello@onset.io
Mailing Address: OneClick Lab, LLC (Onset), New York, NY, 10001, USA

For DMCA notices, please see the “DMCA/Copyright Complaints” section in our Terms of Service.