TODO — review before public launch. This is a solid, honest baseline that matches how Ocean Green actually works, but it is not legal advice. Have it reviewed by a professional and confirm the controller details (imprint), your hosting provider, and any analytics or payment processors you add.

This policy explains what personal data we process when you visit this website and when you use the Ocean Green application, why we process it, and the rights you have. The data controller is the provider named in the Imprint.

1. This marketing website

The website is a static site served from our own server. We deliberately keep it lean:

  • No cookies are set by this site, and no third-party trackers, analytics, ad pixels or external fonts/CDNs are loaded. Nothing on the page calls out to Google, Meta or similar.
  • Server logs. Our web server and reverse proxy may briefly process your IP address, the requested URL, timestamp, referrer and user-agent to deliver pages and maintain security and stability. Legal basis: our legitimate interest in operating a secure website (Art. 6 (1)(f) GDPR). These logs are kept only as long as necessary for security and are not combined with other data to identify you.
  • TLS. The site is served over HTTPS; certificates are issued via Let's Encrypt.

2. Contacting us

If you email us (e.g. via the address in the Support page), we process the data you provide — your email address and message content — solely to handle your request. Legal basis: Art. 6 (1)(b) or (f) GDPR. We delete such correspondence once it is no longer needed and no retention obligation applies.

3. The Ocean Green application

The application is an operator tool you run under your own account. When you use it, the following data is processed:

  • Account data — the identifiers and credentials needed to sign in and to assign roles (Owner / Admin / Normal).
  • Content you create — model profiles, shoot plans, generated images and reels, captions, schedules and the associated metadata (prompt, model, seed, cost, timestamp). This content is stored in your instance's database and media storage.
  • Model-provider key. To generate content you supply your own provider (OpenRouter) API key. It is held in the environment/secret store and is never stored in plaintext configuration or exposed in the interface. Prompts you generate are transmitted to that provider under the provider's own terms and privacy policy.
  • Connected platform data. If you connect an Instagram account, we process the tokens and the insights that Instagram's official Graph API returns for your own accounts. We do not scrape third-party content.

4. Third parties & processors

Depending on your configuration, data may be processed by: your model provider (OpenRouter) for generation; Meta/Instagram for publishing and insights via the official Graph API; our hosting/infrastructure provider; and, if enabled, a payment processor. Each acts under its own terms; where they act on our behalf we put appropriate data-processing agreements in place.

TODO: list your concrete sub-processors here (hosting provider and location, payment provider, email provider) with links to their privacy terms.

5. International transfers

Some providers may process data outside the EU/EEA. Where that happens, transfers are safeguarded by appropriate mechanisms such as the EU Standard Contractual Clauses or an adequacy decision.

6. Retention

We keep personal data only as long as necessary for the purposes described above or as required by law. Content you create is retained until you delete it or close your account.

7. Your rights

Under the GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21), as well as the right to withdraw consent at any time. To exercise any of these, contact us via the Imprint. You also have the right to lodge a complaint with a supervisory authority — in Germany, the data-protection authority of your federal state.

8. Data security

We use encryption in transit (HTTPS), keep secrets out of source and configuration, and apply role-based access control with server-side enforcement. No system is perfectly secure, but we take appropriate technical and organisational measures to protect your data.

9. Changes

We may update this policy as the product evolves. The current version is always available at this URL, dated above.

← Back to home