1. Scope
This Privacy Policy explains how Ozmosoft ("we", "us") collects, uses, stores, and protects information in connection with the Ozmosoft platform (the "Service"), for both the organisations that subscribe to the Service ("Customers") and the individual users who access it on a Customer’s behalf ("Members").
Where a Customer enters business records (customers, invoices, employees, projects, etc.) into the Service, that Customer is the data controller for that data and Ozmosoft acts as a data processor on the Customer’s instructions, except where stated otherwise.
2. Information we collect
Account information: name, email address, organisation name, role, and authentication details (passwords are stored as salted hashes; we never store plaintext passwords).
Usage information: log data such as IP address, browser/device information, pages and features accessed, and timestamps — used to operate, secure, and improve the Service.
Business records: the data Members enter or import while using the Service — for example invoices, ledger entries, project and job data, inventory records, employee records, and files uploaded to the platform. This data belongs to the Customer (see our Terms of Service).
Payment information: subscription billing is handled by our third-party payment processor; Ozmosoft does not store full card numbers.
3. How we use information
To provide, operate, and maintain the Service, including authenticating access and enforcing each Customer’s configured roles and permissions.
To process subscription billing, send account and billing notices, and provide customer support.
To monitor for security issues, detect and prevent fraud or abuse, and maintain the integrity of the platform (for example, our tenant-isolation and access-control safeguards).
To improve the Service, including aggregated/anonymised analysis of usage patterns that does not identify an individual or Customer.
To comply with legal obligations, such as tax and accounting record-keeping requirements that apply to us as an operator.
4. Storage & security
Each Customer’s business records are logically isolated from every other Customer using PostgreSQL Row-Level Security enforced at the database layer, not application code alone — every request is pinned to a single organisation, and queries without a valid tenant context return no data.
Integration credentials and platform secrets (for example, connected bank feeds, email, or payment integrations) are encrypted at rest using AES-256-GCM and are only decrypted in memory at the point of use.
Sessions use httpOnly, Secure, SameSite cookies, and all traffic to the Service is encrypted in transit via TLS.
We take regular encrypted backups of the database and periodically exercise our restore procedure.
5. Cookies & sessions
We use a small number of essential cookies to keep you signed in and to protect your session (for example, an httpOnly authentication cookie and a CSRF-protection cookie). These are required for the Service to function and are not used for third-party advertising.
We do not use third-party advertising trackers on the application itself.
6. Third-party processors
We use a limited number of third-party service providers to operate the Service, including: a payment processor to handle subscription billing; a transactional email provider to deliver account, invoice, and notification emails; and cloud infrastructure providers to host the application and database.
These providers are contractually restricted to using data only to provide their service to us, and are selected for their own security practices.
7. Data retention & deletion
While your subscription is active, your business records are retained for as long as your organisation exists on the platform.
If a subscription is cancelled, the organisation’s data is retained for a data-retention window configured on your plan (30 days by default) during which access can be restored or data exported.
If an organisation proceeds to account closure, its data enters a pending-deletion window (30 days by default) before permanent ("hard") deletion, giving time to reconsider or complete an export.
Certain records — such as audit logs of security-relevant and financial actions — are retained for a longer minimum period (currently 7 years / 2,555 days) to meet standard financial record-keeping and audit requirements, even where a shorter retention setting is configured elsewhere.
We may retain limited information beyond these windows where required by law (for example, tax records) or to resolve disputes and enforce our agreements.
8. Your rights
Subject to applicable law, you (or the Customer organisation you belong to) may request: access to the personal information we hold about you; export of your organisation’s business records in a portable format; correction of inaccurate account information; and deletion of your account or organisation’s data, subject to the retention periods described above and any legal obligation to retain certain records.
Members should generally direct requests about business records to their organisation’s administrator, since the Customer organisation controls that data. Requests about your own account information can be sent directly to us.
9. Children
The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal information from children.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy with a new "Last updated" date and, for material changes, provide reasonable notice.
11. Contact
Questions about this Privacy Policy, or requests relating to your data, can be sent to support@ozmosoft.com.
Questions about this Privacy Policy, or requests relating to your data? Contact support@ozmosoft.com.